Daily Israel Report

Coding of Virus Attacking Iran May Refer to Queen Esther

An Iranian minister admits his country is under cyber attack as new clues suggest reference to biblical Queen Esther in malware coding.
By Maayana Miskin
First Publish: 10/3/2010, 8:45 PM / Last Update: 10/3/2010, 9:26 PM

Iranian Intelligence Minister Heider Moslehi said Sunday that his country is under cyber attack, and blamed the United States and Israel. Iranian officials initially admitted that their country had been hit by the Stuxnet computer worm, but insisted that the damage was minimal.

Iran has been forced to push back the opening of the nuclear plant in Bushehr. Senior Information and Technology official Hamid Alipour admitted that while Iranian officials had hoped to clean up the worm's infiltration in under two months, that hope had been proven unrealistic. “The worm is not stable, and since we started the cleanup process, three new versions have been spreading,” he said.

Stuxnet hit Iran much harder than any other nation, affecting an estimated 62,000 systems. A total of 100,000 computers are thought to have been hit with the worm worldwide. The worm was designed to target software created by the German company Siemens; Iran relies heavily on Siemens systems.

Israel has been among the top suspects in the creation of the Stuxnet worm, due both to Israeli opposition to Iran's unsupervised nuclear program and to the complexity of the worm, which experts say could only have been created by a team with significant funding, resources and expertise.

Stuxnet is uniquely dangerous in that it can not only damage a system but also take control of facilities, so that an attack produces physical, real-world results. The worm also studies its targets, determining which type of system it has entered before deciding whether or not to attack. To date, it has primarily entered systems that control critical infrastructure.

Even the worm's discovery has not stopped its destructive power. Attackers remain able to communicate with infected machines using peer-to-peer networking.

A detailed analysis released by security firm Symantec revealed two clues that, according to Wired.com, may indicate Israeli involvement in the attack – or may indicate that another country is trying to implicate Israel in the attack. Two file directory names, “myrtus” and “guava,” could be an allusion to the biblical Queen Esther, who intervened to save the Jewish people from destruction at the hands of a Persian king. Persia is now known as Iran.

Esther was also known as Hadassah, a name which means “myrtle” in Hebrew. Guavas are in the myrtle family of fruit.

A second possible hint at Israeli involvement is the halt marker 19790509, a possible reference to the date May 9, 1979, when Iran executed Persian Jew Habib Elghanian, prompting the mass exodus of Iranian Jews from the newly Islamic state.

The Symantec analysis was released in an attempt to get information on what, exactly, Stuxnet is targeting.

Queen Esther seems to be a ubiquitous symbol, imagined or otherwise. Two years ago, an Egyptian cleric called for a boycott of Starbucks Coffee after he claimed to have identified the image of Queen Esther in its logo.