Tuesday, October 5, 2010

Stuxnet code hints at possible Israeli origin, researchers say

Security researchers today offered another tantalizing clue about the
possible origins of the notorious Stuxnet worm, but cautioned against
reading too much into the obscure tea leaves.

In a paper released today and presented at a Vancouver, British Columbia,
security conference, a trio of Symantec researchers noted that Stuxnet 
includes references in its code to the 1979 execution of a prominent 
Jewish Iranian businessman.

Buried in Stuxnet's code is a marker with the digits "19790509" that the 
researchers believe is a "do-not infect" indicator. If the marker equals 
that value, Stuxnet stops in its tracks, and does not infect the 
targeted PC.

The researchers -- Nicolas Falliere, Liam O Murchu and Eric Chen -- 
speculated that the marker represents a date: May 9, 1979.

"While on May 9, 1979, a variety of historical events occurred,
according to Wikipedia 'Habib Elghanian was executed by a firing squad
in Tehran sending shock waves through the closely knit Iranian Jewish
community,'" the researchers wrote.