By Gregg Keizer
September 30, 2010

Security researchers today offered another tantalizing clue about the
possible origins of the notorious Stuxnet worm, but cautioned against
reading too much from the obscure tea leaves.

In a paper released today and presented at a Vancouver, British Columbia
security conference, a trio of Symantec researchers noted that Stuxnet
includes references in its code to the 1979 execution of a prominent
Jewish Iranian businessman.

Buried in Stuxnet's code is a marker with the digits "19790509" that the
researchers believe is a "do-not infect" indicator. If the marker equals
that value, Stuxnet stops in its tracks, and does not infect the

The researchers -- Nicolas Falliere, Liam O Murchu and Eric Chen --
speculated that the marker represents a date: May 9, 1979.

"While on May 9, 1979, a variety of historical events occurred,
according to Wikipedia 'Habib Elghanian was executed by a firing squad
in Tehran sending shock waves through the closely knit Iranian Jewish
community,'" the researchers wrote.