New Clues Point to Israel as Possible Author of Blockbuster Worm

n2doc Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 08:41 PM
Original message
New Clues Point to Israel as Possible Author of Blockbuster Worm
By Kim Zetter

New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.

Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that add to speculation that Israel may have authored the code to target Iran.

Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.

The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran’s nuclear program.

Read More http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/
Odin2005 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 08:42 PM
Response to Original message
1. Why am I not surprised?
SharonAnn Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 08:53 PM
Response to Reply #1
3. Well, D'uh!
Poll_Blind Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 08:44 PM
Response to Original message
2. While Stuxnet is, without a doubt...beyond the shadow of a doubt...
...both the most dangerous piece of malware ever (it specifically targets control systems for industrial machines) and the most expensive to design...and while there are just a few countries on Earth right now that could possibly, or would possibly, spend the millions in R&D and commit the criminal acts to breach secret signing keys from two major companies....and all the other incredibly exotic criminal acts...including being in possession of no less than 4 unheard-of Microsoft Windows exploits which were used to propagate this thing from PC to PC until it could reach its real target...

All of those things and half a dozen more, admittedly, point fingers at Israel. Israel has acquired, encouraged a certain type of reputation over the decades for being extremely vengeful in retaliation and not caring about collateral damage. Everything...all of it...has so many things "typical" of an Israeli operation...

But I am still not sold Israel had anything to do with it. And here's why:

It starts with a little side-note about brilliant people, who are usually the ones who can do forensics on these sorts of malware: they have exceptional pattern-finding abilities. Pattern-finding abilities are an essential element of intelligence. Think about every IQ test you ever took. Remember all those "Which of these comes next in the sequence?" questions. That's all about how well you can find the pattern given precious little information.

But the problem is, there is a fine line between being blessed with an uncommonly-keen pattern matching ability and having a brain which pattern matches too much. Paranoid schizophrenics are a great example of brains which play this particular game too well. For some people, like the famous John Forbes Nash, Jr. (on whom the movie "A Beautiful Mind" is based) the brilliance dances just on the line between sanity and madness.

And because the level of expertise and access to information and money and hardware and flat-out diabolical brilliance was so great in the creation of this malware, and because the creators knew this thing would be analyzed more than any piece of malware ever created...and what type of minds would be analyzing it, at the lowest level...The clues in the malware (more of which I'm sure will come out over weeks and months to come) were intentionally left there. And I am convinced the clues were no less well-tailored than any other part of this thing.

IMO, there is a high probability that an entire basket of extremely obscure "clues" were enmeshed with the malware, all designed to be seized upon by minds who feed off of, thrive off of mysteries like this...and to lead them to a conclusion which they will have felt they have unraveled themselves but which was intentionally planted for their finding.

That would be on par with the rest of the design of this thing, which is a piece of software so uniquely devastating that the security community patted themselves on the back years ago when they cogitated that such a thing as this could hypothetically exist in the first place.

So, if a week from now you see a news report that if looking at the binary code of this malware in base-1948 a Star of David resolves itself out of ones and zeros, or that the malware contains an encrypted jpg of Alan Dershowitz's moustache, taken during a 1985 trip...to ISRAEL...just remember those things did not wind up in there by accident any more than the "myrtus/guava" pair or the "19790509" marker.

Could they be signs of bravado from Israeli computer warfare specialists? Absolutely. But there are other explanations and only time will tell, if ever.

This infection is world-wide and PCs and industrial systems all over the world are infected. Every government which runs Siemens PLCs in their infrastructure (which is a LOT) is under the gun here, not just Iran. Whoever created this does not want the heat and it would make sense to try as hard as possible to transfer the blame to somebody else for its creation.

PB

From a thread posted earlier on this same topic.
TheWraith Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 09:02 PM
Response to Reply #2
5. Occam's Razor would be a good thing to apply here.
A piece of expertly crafted malware, targeting Iranian nuclear facilities, based on multiple as yet unheard of exploits, and signed using two major security keys that no one has access to? Yeah, I'm sure it's something any coder could knock together in order to frame the Israelis.

If it walks like a duck, quacks like a duck, has feathers, and eats fish and bugs...
Poll_Blind Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 10:42 PM
Response to Reply #5
6. I agree with you in principle, however...
This malware has infected computers and industrial control systems worldwide at this point and different security vendors are using different methods to calculate how many computers are infected. I've seen two blogs from non-Symantec vendors which indicate that Iran is actually number 3 on the list of most-infected-machines, preceded by India and...I think...Pakistan.

And these numbers are changing all the time. While the numbers are going down for Iran and India, in places like Russia they're going up.

This numbers thing can be a bit misleading: The actual malware has been floating around and infecting computers and then, when it could, industrial control systems for at least six months now. Symantec's basing their numbers (mostly) off of check-ins from infected software to Malaysian phone-home locations. However, the malware can be reprogrammed via Peer-To-Peer connections and I'm not sure how easily Symantec is able to track those statistics.

Compounding this is the fact that at least once since the time it was created, when it is believed the creators sensed the malware had not infected their target system(s), the malware was updated (old modules discarded or changed, new ones added) by its creators. I believe it was after this modification that the malware was finally spotted for the first time.

So, I guess my point is most of what we're seeing that leads us to believe Iran was the target is just a convenient hypothesis based on a snapshot taken long after the fact and the completeness of the snapshot is in doubt. And if you read the actual security notes from the experts (Symantec is doing an excellent job along with some high-profile individuals in the security field) there is still more than enough reasonable doubt at what this was/is trying to do in the first place.

The papers run with a very easy-to-digest, uncontroversial story and one that "makes sense". But the reality is much foggier.

Would I be surprised if Israeli government elements would do something this outlandishly dangerous to the entire world's industrial control systems just to get at Iran, and intentionally leave cutesy little tidbits to identify their hand in it?

No, it is so their style.

But with the information available so far, it just seems awfully convenient that an act of worldwide industrial espionage would also come with its own playbill.

PB
Jim Sagle Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Oct-02-10 09:00 PM
Response to Original message
4. Fuckin' A!
:beer: