Stuxnet Myrtus or MyRTUs?
John Markoff in the New York Times has written an article which intimates that the Stuxnet worm may be the work of Israel’s Unit 8200.
According to Markoff,
“Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus… an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.”
Really?
Personally I’d be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code).
Most of the Israeli developers I’ve met are pretty sharp. Just ask Erez Metula.
blackhat.com: PAPER.pdf
It may be that the “myrtus” string from the recovered Stuxnet file path “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb” stands for “My-RTUs”, as in Remote Terminal Unit.
See the following white paper from Motorola; it examines RTUs and PICs in SCADA systems. Who knows?
The guava-myrtus connection may actually hold water.
motorola.com: Sys_Wht_Ppr-2a_New.pdf
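For readers who want to see where a string like the one above actually comes from, here is an added example (my own illustration, not code from the post or from any of the research teams it mentions). A linker leaves a CodeView “RSDS” record in the PE debug directory: a 4-byte signature, a 16-byte PDB GUID, a 4-byte age, then the NUL-terminated PDB path from the developer’s build machine. The code parses such a record and then breaks the path down the way the DDK build tool lays it out (`obj{fre|chk}_{target}_{arch}`), so that the project root (“myrtus”), the build flavour (free, i.e. release), the target OS (w2k) and the architecture fall out as fields rather than being eyeballed. The sample record is constructed inline; its GUID is a placeholder, only the path is the one from the post.

```python
import re
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

# CodeView "RSDS" record as stored in the PE debug directory
# (IMAGE_DEBUG_TYPE_CODEVIEW):
#   char  Signature[4]   "RSDS"
#   GUID  PdbGuid        16 bytes, little-endian GUID layout
#   DWORD Age            4 bytes
#   char  PdbPath[]      NUL-terminated ANSI path from the build machine


@dataclass
class CodeViewInfo:
    guid: str
    age: int
    pdb_path: str


def parse_rsds(record: bytes) -> CodeViewInfo:
    """Decode an RSDS CodeView record into GUID, age and PDB path."""
    if len(record) < 24 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    age = struct.unpack_from("<I", record, 20)[0]
    end = record.find(b"\x00", 24)
    raw_path = record[24:] if end == -1 else record[24:end]
    return CodeViewInfo(str(guid), age, raw_path.decode("latin-1"))


# DDK/WDK "build" output directories follow obj{fre|chk}_{target}_{arch},
# e.g. objfre_w2k_x86 = free (release) build for Windows 2000 on x86.
DDK_OBJ_RE = re.compile(r"^obj(fre|chk)_([a-z0-9]+)_([a-z0-9]+)$")


@dataclass
class PdbPathInfo:
    drive: Optional[str]
    project_root: Optional[str]  # first directory under the drive
    build_type: Optional[str]    # "fre" (release) or "chk" (checked/debug)
    target_os: Optional[str]     # e.g. "w2k", "wxp", "wnet"
    arch: Optional[str]          # e.g. "x86", "amd64"
    pdb_name: str


def parse_pdb_path(path: str) -> PdbPathInfo:
    """Split a Windows PDB path into the pieces an analyst cares about."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    drive = None
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        drive = parts.pop(0).upper()
    pdb_name = parts[-1] if parts else ""
    dirs = parts[:-1]
    project_root = dirs[0] if dirs else None
    build_type = target_os = arch = None
    for d in dirs:
        m = DDK_OBJ_RE.match(d.lower())
        if m:
            build_type, target_os, arch = m.groups()
    return PdbPathInfo(drive, project_root, build_type, target_os, arch, pdb_name)


# Constructed sample record: placeholder GUID and age, path as quoted in the post.
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("00000000-1111-2222-3333-444444444444").bytes_le
    + struct.pack("<I", 1)
    + b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\x00"
)

if __name__ == "__main__":
    cv = parse_rsds(SAMPLE_RSDS)
    print(cv)
    print(parse_pdb_path(cv.pdb_path))
```

On a real binary you would pull the record bytes from the debug directory (a PE parser such as `pefile` exposes it) rather than from a constructed constant; the point is that the whole build-path string, not just one word of it, carries the evidence, and “myrtus” is simply the top-level project directory on whoever’s machine linked the driver.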
As you can see, the media’s propaganda machine is alive and well.