A Computer Worm, a Biblical Code, the Unseen Hand?

This first blipped up on my radar a few days ago. With my background in security, I thought it was interesting and a little spooky. Not a DOS attack, but something different… targeting specific machinery and computers related to the Iranian nuclear development projects.

A computer virus that attacks an industrial system widely used by Iran could be the first real instance of “cyberwar”, western experts have revealed.

Kevin Hogan, senior director of security response at computer security giant Symantec, said 60 per cent of computers worldwide infected by the Stuxnet worm were in Iran, suggesting its industry was the target.”

Details began to trickle out on Stuxnet. No call-backs (its creator didn’t want to see the results? See UPDATE below. There was returned information for a time.) … hmmm. Seems the code itself has some interesting naming conventions, with allusions to Queen Esther and Persia. Now remember Iran now was Persia then. And they hated Jews just as much then as now.

Yid with Lid gives us our Sunday School lesson refresher:

Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament narrative in which the Jews pre-empt a Persian plot to destroy them.

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment. [NYT]

In the Biblical Story of Esther, the vizier to the Persian king tries to destroy the Jewish people, in the end he is defeated by a Jewess named Esther who becomes queen of Persia and her uncle Mordecai. Since Iran is the modern day Persia, and the computer virus is meant to stop the destruction of the Jewish People, could this be a message from God, from Israel, something put in just to confuse or maybe something put in the virus just to make the paranoid Iranians even more nervous.


God’s hand is everywhere, even when we can’t see what is unfolding around us. He can use the tiniest computer bug just as mightily as a brave young woman to defeat the darkest evil on Earth.

Here, do your homework. Look for more clues and be vigilante.

UPDATE: There’s more

A reference (uncovered by Symantec) to May 9, 1979, the date of the execution of a prominant Iranian Jew by the new Iranian regime.

Jonathan Last’s excellent outline of the worm at Weekly Standard. RTWT to be prepared as more information becomes available in the weeks to come.

Zero-day parameters? Wait, four zero-day parms? Trojanized rootkit? Stolen digital signatures?

Correction to above – there was call-back reporting for a time.

Stuxnet was not designed to spread over the Internet at large. (We think.) It was, however, able to spread over local networks—primarily by using the print spooler that runs printers shared by a group of computers. And once it reached a computer with access to the Internet it began communicating with a command-and-control server—the Stuxnet mothership. The C&C servers were located in Denmark and Malaysia and were taken off-line after they were discovered. But while they were operational, Stuxnet would contact them to deliver information it had gathered about the system it had invaded and to request updated versions of itself. You see, the worm’s programmers had also devised a peer-to-peer sharing system by which a Stuxnet machine in contact with C&C would download newer versions of itself and then use it to update the older worms on the network.

And during it’s travels, instead of causing general mayhem, the worm is looking for something specific.

“It’s looking for specific things in specific places in these PLC devices,” Digital Bond CEO Dale Peterson told PC World. “And that would really mean that it’s designed to look for a specific plant.” Tofino Security Chief Technology Officer Eric Byres was even more ominous, saying, “The only thing I can say is that it is something designed to go bang.” Even the worm’s code suggests calamity. Ralph Langner is the most prominent Stuxnet sleuth and he notes that one of the last bits of code in the worm is the line “DEADF007.” (Presumably a dark joke about “deadf*ckers” and the James Bond call-sign “007.”) “After the original code is no longer executed, we can expect that something will blow up soon,” Langner says somewhat dramatically. “Something big.”

Things go boom?

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: