Readers take me to task over 'Myrtus' reference in Stuxnet blog

It's not, as was first reported elsewhere, a Biblical reference pointing the finger at Israel.

I should have been more careful with the way I passed along and attributed a piece of information in a blog about the Stuxnet worm, one about which several readers called me out when I did a follow-up.

The infobit was the word Myrtus, which the security researcher who first dissected the virus reportedly discovered within it, and which has been taken (or at least has been reported as having been taken) as an indication Israel may have been involved.

Myrtus, according to a story in the NYT and dozens of other news outlets at the time, is supposed to be a character in the Old Testament book of Miriam. Except there is no Myrtus in Miriam, as readers pointed out to me.

"Myrtus" is supposed to be another name by which Esther -- feminist hero of the Old Testament -- was known, as the English-language version of at least one Israeli paper reported. I can't confirm that, either.

It could also refer to Myrtle plants, which are common in the Middle East, the Chilean Guava plant, or an abbreviation for My Remote Terminal Unit.

Here's what the blog at F-Secure Security Labs had to say about it:

Q: Is it true that there are biblical references inside Stuxnet?

A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is "Myrtus" a biblical reference?

A: Uhh… we don't know, really.


I can't argue with that. I should have checked where the word came from and what it supposedly meant, but I don't know if I would have gotten any clearer a picture than anyone else who published that day.
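
Added example (not from the original post or from F-Secure): the artifact F-Secure describes is the PDB path stored in a Windows executable's CodeView debug record, and this Python code reads it by walking the PE debug directory. The sample image is constructed here around the path string quoted above; the function and constant names are illustrative.

```python
import struct

CV_PATH_OFFSET = {b"RSDS": 24, b"NB10": 16}  # bytes before the path in each CodeView record

def pdb_path(pe: bytes):
    """Return the PDB path from a PE image's CodeView debug entry, or None."""
    try:
        nt, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew -> "PE\0\0"
        if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
            return None
        nsec, = struct.unpack_from("<H", pe, nt + 6)
        opt_size, = struct.unpack_from("<H", pe, nt + 20)
        opt = nt + 24
        magic, = struct.unpack_from("<H", pe, opt)
        dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
        if struct.unpack_from("<I", pe, dirs - 4)[0] < 7:   # NumberOfRvaAndSizes
            return None
        rva, size = struct.unpack_from("<II", pe, dirs + 6 * 8)  # debug data directory
        for i in range(nsec):                               # map the RVA to a file offset
            vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
            if vaddr <= rva < vaddr + max(vsize, rsize):
                start = rptr + rva - vaddr
                break
        else:
            return None
        for entry in range(start, start + size, 28):        # IMAGE_DEBUG_DIRECTORY entries
            kind, dsize, _, ptr = struct.unpack_from("<IIII", pe, entry + 12)
            rec = pe[ptr:ptr + dsize]
            skip = CV_PATH_OFFSET.get(rec[:4])
            if kind == 2 and skip:                          # 2 = IMAGE_DEBUG_TYPE_CODEVIEW
                return rec[skip:].split(b"\0")[0].decode("latin-1")
    except struct.error:                                    # truncated or malformed file
        pass
    return None

def sample_image(path: bytes) -> bytes:
    """Constructed one-section PE32 skeleton carrying one CodeView record (test data only)."""
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + path + b"\0"
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), 0x101C, 0x21C)
    opt = struct.pack("<H90xI", 0x10B, 16) + bytes(48) + struct.pack("<II", 0x1000, 28) + bytes(72)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    sec = struct.pack("<8sIIII12xI", b".rdata", 0x200, 0x1000, 0x200, 0x200, 0x40000040)
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + (dbg + cv).ljust(0x200, b"\0")

STUXNET_PATH = rb"\myrtus\src\objfre_w2k_x86\i386\guava.pdb"  # string quoted by F-Secure above

if __name__ == "__main__":
    print(pdb_path(sample_image(STUXNET_PATH)))
```

The linker writes this string at build time, and MSVC's /PDBALTPATH option can set it to any text, so it records what the build put there rather than who ran the build.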

I could have asked a Torah scholar, but I've never gotten out of a conversation with one about even simple things in less time than it takes to make escaping out a window look very attractive. I don't think I'd live long enough for a conversation examining all the implications of Miriam, Esther, myrtle bushes and Iranian nuclear weapon viruses.

I didn't consider it a damning piece of evidence, anyway. At best it seemed like misdirection. If Israel and its deep well of programming talent were involved, wouldn't it be more secret squirrel than secret agent to put in a clue like that?

I was mainly pointing out the good possibility (still not confirmed and probably never to be) that Stuxnet was either a weapon directed at Iran's nuclear program, or the threat of more powerful weapons that would be used if Iran didn't back off on nukes.

The most likely possibility, according to an expert from the Center for Strategic and International Studies the New York Times quoted in its story, was that the U.S. was the source and Iran was the target.

Other potential perps: "the Israelis, the British and the Americans are the prime suspects, then the French and Germans, and you can't rule out the Russians and the Chinese," according to the Times.

I mentioned Myrtus as one of the interesting infobits, but not the critical one.

The important part is that the U.S., through the National Security Agency, the Air Force cyberwar directorate and various other military and intelligence agencies, is one of many nations racing to develop cyberwar capabilities that step out of cyberspace and into the real world. In this case it affected the operation of Iran's nuclear plant; in the future it could affect systems that control water, power, traffic and other systems on which most Americans rely.

It's possible Israel was involved and possible the U.S. wasn't. It's also possible that Stuxnet, which first appeared in simplified form as a more overtly commercial attempt to steal data from infected computers, was a straight-out criminal attempt to extort or damage Iran or any of the other countries that were hit.

So far we don't know. I lay better odds on Stuxnet being politically motivated and at least one Western or West-aligned power being involved. It's an ugly suggestion, and one I questioned even as I made it then, and as I make it now.

Deciding who to blame shouldn't come down to a single word in a folder in a piece of software, however, especially when it's at least as likely to be a red herring as to be a real clue.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
