Stuxnet Pinned on Israeli Unit 8200

I still am not convinced that it has to be the US or Israel. Just because geo-politically these two are the most adamant about shutting down Iran’s nuclear capability does not mean they are the Stuxnet authors. There is likely to be a more complex relationship of agents at work, such as Iranian dissidents, insiders and then perhaps support from the US and Israel.

Never mind me, however; the Telegraph says “Israeli cyber unit responsible for Iran computer worm”:

Computer experts have discovered a biblical reference embedded in the code of the computer worm that has pointed to Israel as the origin of the cyber attack.

The code contains the word “myrtus”, which is the Latin biological term for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia.

Well, more to the point (pun not intended), Jewish mysticism associates myrtle with masculinity; specifically the penis. Are the computer experts saying this word “myrtle” is sufficient proof because they see Israel as the most likely nation to want to penetrate (for lack of a better word) Iran?

That interpretation is the opposite of the more traditional Jewish practices during harvest celebrations — myrtle is associated with doing good deeds.

It seems the myrtle could be taken to mean many things.

Moreover, myrtle is also found in northern Africa. The Greeks link it to Aphrodite, Romans say it is dear to Venus. Code is shared. Teams are diverse. Thus, myrtle not only has many meanings but also appears to be important for many nations. I recently went to a Myrtle Beach in South Carolina. Come to think of it there was a suspicious looking person with a laptop there…

Those two reasons (interpretation and geographic distribution) make it difficult for me to automatically think of Israel when I hear of myrtle. If the official symbol for Israeli Unit 8200 were a branch of (flaming?) myrtle I would be more open to believing there is a clear and simple association.

Perhaps a little history can shed more perspective on the Stuxnet references and investigation; take, for example, the CIA document “Clandestine Service History — Overthrow of Premier Mosaddegh of Iran — November 1952-August 1953”.

The demise of Prime Minister Mossadegh in 1953 came as a result of a coup that was backed by the US CIA to protect British oil companies operating in Iran. The CIA not only convinced Iranians that the democratically elected leader was too dictatorial, but they managed to pressure Mossadegh into defending his ability to stay in power. The US paid “fake” mobs (both against and for a coup) to destabilize the country, stage terrorist activities and eventually arrest the prime minister. Was foreign money the only motivator of these mobs?

Even with the advantage of time passed, the tangled relationship between US and British intelligence and their roles, not to mention collaboration by internal groups and organizations, are still debated. Some say the coup was clearly a US operation, but it cannot be denied that there were many facets to the threat that Iran faced.

At this point it seems the word myrtle makes Stuxnet an Israeli operation as much as one swallow makes it spring.

Edited to add: Another reference to Israel has been cited by Threatpost in “Stuxnet Analysis Supports Iran-Israel Connections”:

Though most of the conversation about Stuxnet is still based on conjecture, [Symantec analyst Liam] O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. As for Iran, O’Murchu merely pointed to Symantec data that show the country was the source of the most Stuxnet infections. Iran has since blocked communications to Stuxnet’s command and control infrastructure, he said.

As for suggestions that Israeli intelligence may have authored the virus, O’Murchu noted that researchers had uncovered the reference to an obscure date in the worm’s code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution.

Are you convinced? Attribution is virtually impossible on the network. This sounds more like wishful thinking than proof. Note the “shortly after the revolution” end to their analysis. That date could also be significant to Iranian insiders. Iranian Jews may not be Israeli, even if they have left Iran. Back to my point above, others were executed at the same time. Speaking of Time, an issue from May 21, 1979 makes my point rather darkly:

Last week’s execution of 38 men brought to 204 the number of those condemned to death before firing squads. Among the latest victims were two former Ministers of Information, the last speaker of the lower house of parliament under the Shah, and a number of members of the notorious antiterrorist committee of SAVAK, the disbanded secret police, including a physician charged with specializing in torture techniques.

The two businessmen, both multimillionaires, were Habib Elghanian, a plastics manufacturer and the first Jew to be condemned, and Rahim Ali Khorram, a Muslim who owned a string of gambling casinos and bordellos.

It could be a date significant to others; 204 men of different faiths, backgrounds, beliefs and families were executed at that time. This is not to downplay the importance of one man’s death, of course, but to try and paint a more realistic picture of who might want to now threaten Iran’s nuclear program (assuming Iran is the target).

It is not as easy as A versus B. My studies in International History, as well as travel, have pushed me towards threat models that are more like this:

Impressionable talent in country X, Y and Z end up in country B where they receive information and training from country C, which believes they must act upon information from country D, E and F, funded by countries D, G and H.

It is more like a social network effect, with hard and soft acquaintances, than the two sides of a boxing ring distinguished by their bright colors. The gray area has to remain in focus not only to keep a more accurate record of attribution but also to make it possible to understand the threats and hopefully detect or even prevent attack. It seems we like to think in polar terms because it brings comfort, but in reality we live in a complex world.

Or I could be totally wrong and the next thing revealed about the Stuxnet code is someone’s phone number and address in downtown Jerusalem, which is obviously located in (wait for it…) Arkansas, USA. Thought I was going to say Israel, didn’t you?

Edited again to add: F-Secure has a hilarious Q&A page on Stuxnet. Well worth reading for a balanced view from a security vendor. I suspect Stuxnet soon will be fodder for best joke of the year. Here is just a brief example:

Q: Is it true that there are biblical references inside Stuxnet?
A: There is a reference to Myrtus (myrtle plant). However, this is not “hidden” in the code. It’s an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project “Myrtus”, but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is “Myrtle” a biblical reference?
A: Uhh…we don’t know, really.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.

Q: What’s the significance of “19790509”?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Q: Oh.
A: Yeah.

Guava? What about 5th of September, 1979? Grateful Dead concert, dude, in Madison Square Garden! It also is the date that the Iranian army occupied Piranshahr on the border with Iraq. That seems more like an “infection marker” if you know what I mean.

Funny stuff.

Ok, so now I wonder how best to dress like Stuxnet for Halloween.
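The PDB-path artifact F-Secure describes above is easy to recover with a scanner for the linker’s CodeView “RSDS” record, which is what analysts search for when a sample’s headers cannot be trusted. The following Python script is an added example, not F-Secure’s or this post’s own code: it scans a constructed byte blob carrying the two paths quoted in the Q&A, decodes each record’s GUID, age and path, and pulls out the top-level build directory that gave Stuxnet (“myrtus”) and Aurora (“Aurora_Src”) their names. The GUIDs, ages and surrounding bytes are made up.

```python
import re
import struct
import uuid

# CodeView "RSDS" record layout as written by the Microsoft linker:
#   "RSDS" | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?)\x00", re.DOTALL)


def extract_pdb_records(data: bytes) -> list[dict]:
    """Find every RSDS record in a raw blob and decode it.

    Scanning the whole file instead of walking the PE debug directory also
    catches records in packed or damaged samples whose headers are unreliable.
    """
    records = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))      # same GUID => same build
        age = struct.unpack("<I", m.group(2))[0]   # incremented per relink
        path = m.group(3).decode("ascii")
        records.append({"offset": m.start(), "guid": str(guid), "age": age, "pdb_path": path})
    return records


def project_name(pdb_path: str) -> str:
    """Top-level directory of the build tree, the 'name' F-Secure derived for
    Stuxnet (myrtus) and Aurora (Aurora_Src)."""
    parts = [p for p in re.split(r"[\\/]", pdb_path) if p]
    return parts[0] if parts else ""


def _rsds(pdb_path: str, guid: uuid.UUID, age: int) -> bytes:
    # Constructed record for the sample blob below; GUIDs and ages are made up.
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


# Constructed sample: junk bytes around two RSDS records carrying the two paths
# quoted in the F-Secure Q&A. This is not a real Stuxnet or Aurora sample.
SAMPLE_BLOB = (
    b"MZ" + bytes(62) + b"PE\x00\x00" + b"\x90" * 40
    + _rsds(r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb",
            uuid.UUID("12345678-1234-5678-1234-567812345678"), 3)
    + b"\x00" * 16
    + _rsds(r"\Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb",
            uuid.UUID("deadbeef-0000-4000-8000-000000000001"), 1)
    + b"\xcc" * 8
)

if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE_BLOB):
        print(f"{rec['offset']:#06x} {rec['guid']} age={rec['age']} "
              f"project={project_name(rec['pdb_path'])!r} path={rec['pdb_path']}")
```

Point it at a real file with `extract_pdb_records(open(path, "rb").read())`; the GUID and age are what you pivot on to link several samples to one build tree.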

Zeus Crime Ring Busted

The US Attorney’s Office announced they were able to shut down an international crime ring that used the Zeus malware to steal money from US bank accounts.

…charges against 37 defendants, in 21 separate cases, for their roles in global bank fraud schemes that allegedly used hundreds of false-name bank accounts to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks. […] The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, an individual who obtained the false foreign passports for the mules, and money mules.

CNN calls it Trojan malware blamed for $3 million bank fraud

I am not a fan of calling things Trojan horse malware because the horse is so often removed, leaving just Trojan malware. That doesn’t sound right. Anyway, back to CNN:

According to complaints unsealed in Manhattan federal court, defendants used the Zeus Trojan program to surreptitiously obtain personal information and then hack into victims’ bank accounts.

The hackers then allegedly made unauthorized transfers of “thousands of dollars” to the bank accounts belonging to co-conspirators. Prosecutors said the malware was typically sent as an “apparently-benign e-mail” that embedded itself in the victims’ computers once it was opened.

The program, officials said, recorded keystrokes and allowed hackers to steal private account information, passwords and other “vital security codes.”

The alleged cybercriminals, based in Eastern Europe, used “money mules” to transport the stolen money overseas. Some of the mules had entered the United States on student visas or by using fake passports, according to the federal complaint. The FBI has already arrested 10 alleged money mules and 17 remain at large.

The attack path, in other words, starts with an email message that has malware attached. The email message is not filtered as spam and the Zeus malware is not filtered as, er, malware.

There are security control failures on many levels. The underlying story here, however, is one familiar in the physical security space — more secure banks means attacks shift towards more vulnerable users.

Thus, online banking security is good enough that attackers find it much easier to steal passwords from users and then impersonate them to get past the bank’s controls. Two-factor authentication, imperfect like the other security controls in question here, was the last standing defense that should have stopped this attack path.

Details of the cases are on the New York FBI site:

  • United States v. Artem Tsygankov, et al.
  • United States v. Artem Semenov, et al.
  • United States v. Maxim Miroshnichenko, et al.
  • United States v. Marina Oprea, et al.
  • United States v. Kristina Svechinskaya, et al.
  • United States v. Ilya Karasev
  • United States v. Marina Misyura
  • United States v. Dorin Codreanu
  • United States v. Victoria Opinca, et al.
  • United States v. Alexander Kireev
  • United States v. Kasum Adigyuzelov
  • United States v. Sabina Rafikova
  • United States v. Konstantin Akobirov
  • United States v. Adel Gataullin
  • United States v. Ruslan Kovtanyuk
  • United States v. Yulia Klepikova, et al.
  • United States v. Alexandr Sorokin
  • United States v. Alexander Fedorov
  • United States v. Anton Yuferitsyn
  • United States v. Jamal Beyrouti, et al.

The DoJ said 21 cases, but I see only 20. Perhaps one is still being prepared.

The wanted poster for the remaining fugitives is also online.

Ask me about how to better protect against this breach, or just attend my presentation on the Top Ten Breaches, October 13th at the RSA Conference in London.

Microsoft Security Birthday Party

Congratulations to Microsoft. They just announced their one-year birthday for security.

Yes, you read that right. One year of security.

I will try to refrain from any snarky commentary and just join in the celebration. Ok, just one nit: Windows was released in 1985, twenty-five years ago. That sounds like 24 years without security. Even if you go with a “modern” history of Windows you have to start with 95, which was released in…oh, I forget. Must have been around 1996. Seriously, though, I am reminded of a meeting I had with Microsoft around 2004 where the security team said they considered themselves only three years old with less than a dozen staff. That would put them in the XP release generation. They were not essential, however, and that brings me back to the party today.

Happy one-year!

Microsoft Security Essentials Celebrates First Birthday with 30 Million Customers!

According to the Microsoft Malware Protection Center (MMPC), in addition to providing a no-cost security solution to tens of millions of customers that may not have been actively protected before, Microsoft Security Essentials detected nearly 400 million threats over the past year, with customers choosing to remove more than 366 million of those threats. For more information about the specific threat breakdown, please visit the MMPC Blog.

Whoa, 34 million threats sounds like a lot. That’s almost a 10% failure rate, or 10 threats not removed per customer. Why were they not removed?

Sorry, this is a time to celebrate, not worry…but I still wonder so I went to the MMPC Blog for more information, as suggested.

No detail on the failures is provided. Instead I found data that shows Russia and China have far fewer copies of Security Essentials installed than the other “non-US countries” (that’s an official Microsoft designation, I didn’t make it up).

Quick birthday quiz: how many “non-US countries” are there in the world? 195 – 1 (US country) = 194.

With fewer copies installed, the MMPC Blog says, China and Russia have many more machines attacked than other “non-US countries”.

Security Essentials is installed all over, but the threats it’s protecting PCs against are far from globally uniform. For example, if you compare the graph of installations above to the chart of machines where Security Essentials detected exploit attacks below, you can see that while China is relatively low on the install base list and Russia came in at number 10 by install base, users are relatively more likely to be attacked via exploits.

Interesting point, except for the fact that I see another possible outcome.

Brazil has the highest level of Security Essentials installed (nearly a million more than the next highest) and yet is only slightly behind China in machines attacked. Same for the United Kingdom.

So if you add Brazil and the UK together you get about the same number of machines attacked (799,763) as China and Russia (841,159) despite having many more systems running Security Essentials. Which tells us what exactly? Will the percentage of attacks go down if more systems have Security Essentials? And back to my original point, why aren’t some infections removed; what does “machine attacked” really mean?

The MMPC blog says attacks are different by region, which could be a big clue.

The Autorun threat family has pulled away from Conficker in Brazil, and the widespread Bancos threat, which is unique to Brazil, entered the top 5. In China, exploit families like ShellCode and CVE-2010-0806 continue to dominate. In the United States, Renos has taken over the top spot from Wimad, the new top rogue threat is FakeSpyPro, and the Java runtime exploits of CVE-2008-5353 are a major problem.

I also wonder whether the high rate of deployment in Brazil reflects the giant new Microsoft data-center, or whether they are talking only about end-user systems.

Happy Birthday!