1 October 2010

Stuxnet Myrtus or MyRTUs?

A sends:

John Markoff in the New York Times has written an article which intimates that the Stuxnet worm may be the work of Israel's Unit 8200.

According to Markoff,

"Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus... an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively."

Really? Personally I'd be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I've met are pretty sharp. Just ask Erez Metula.

It may be that the "myrtus" string from the recovered Stuxnet file path "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" stands for "My-RTUs", as in Remote Terminal Unit. See the following white paper from Motorola; it examines RTUs and PICs in SCADA systems. Who knows? The guava-myrtus connection may actually hold water.

As you can see, the media's propaganda machine is alive and well.