
Myrtus and Guava, Episode 3

The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet.

Over the last four days, KSN (Kaspersky Security Network) has identified Trojan components (although the program should really be thought of as a worm, since it spreads via removable storage media) on more than 16,000 computers around the world. A map of the infection statistics shows that three countries (all starting with the letter I!) are at the centre of the epidemic – Iran, India and Indonesia.

KSN identified more than 5,000 incidents in each of the three countries – in comparison, there were around 150 cases of infection in Russia, and only 5 in China.

There’s no simple explanation for the distribution, but any explanation has to take into account the way Stuxnet spreads – via removable storage media. This isn’t the quickest way to spread malware, but on the other hand it can give the malware a much longer life cycle (Sality, which also spreads on USB devices, is one example). What is quite clear is that the epidemic hasn’t yet spread in any numbers beyond Asia.

Could the geography help us work out how the rootkit component came to be digitally signed?

Of course, coming up with conspiracy theories isn’t the nicest thing to do, but paranoia is inherent in IT security professionals. So I’ll give myself the freedom to hypothesize:

Realtek is a “hardware” company; writing the software is a secondary process, one that can be optimized by using outsourcers. Which country is the world leader when it comes to outsourced programming? You’re right – India.

Could an outsourcer creating software for a company have the means to sign programs with that company’s certificate? It’s certainly possible.

So one theory would be that the malware was created in India (just look at the map) and, possibly, without an “insider” amongst the Realtek application developers.

However, if we’re going with that theory, then I wouldn’t throw out the possibility that the driver files are actually legitimate drivers created by Realtek. Yes, they have rootkit functionality, and hide .lnk files and ~WTRxxxx.tmp files in the root of the storage device. But that doesn’t in itself mean the driver files aren’t legitimate – remember the Sony rootkit incident, in which a legitimately shipped copy-protection driver cloaked anything whose name began with $sys$? And the malware that then used that same cloaking to hide itself?
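A practical consequence of the point above: the hidden files are only hidden on the infected host, because it is the host’s own driver doing the hiding. The following is an added example, not code from the original post, showing how one might triage the root of a removable medium for the artefacts described (.lnk files alongside ~WTRxxxx.tmp files) once the medium has been mounted on a clean machine. The exact file-name pattern (“xxxx” taken as four digits) and the sample listings are assumptions constructed for the example.

```python
"""Added example: flag Stuxnet-style artefacts in the root of removable media.

Not code from the original post. The post says the signed driver hides .lnk
files and ~WTRxxxx.tmp files in the root of the storage device; the exact
file-name pattern is an assumption here ("xxxx" taken as four digits). Because
the rootkit hides these files from user-mode listings on an infected host, the
scan is only meaningful when the medium is mounted on a clean machine.
"""
import os
import re

# Indicator patterns assumed from the post's "~WTRxxxx.tmp" and ".lnk".
WTR_TMP = re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE)
LNK = re.compile(r"\.lnk$", re.IGNORECASE)


def classify_root_listing(names):
    """Classify a list of top-level file names from a drive root.

    Returns {'tmp': [...], 'lnk': [...], 'suspicious': bool}. The combination
    is what matters: a stray shortcut in a drive root is normal, but shortcut
    files sitting next to ~WTRxxxx.tmp payload files is the pattern described.
    """
    tmp = sorted(n for n in names if WTR_TMP.match(n))
    lnk = sorted(n for n in names if LNK.search(n))
    return {"tmp": tmp, "lnk": lnk, "suspicious": bool(tmp) and bool(lnk)}


def scan_drive_root(path):
    """Classify the top-level entries of a mounted drive (e.g. 'E:\\' or '/media/usb').

    Run this from a clean host: on an infected host the rootkit filters these
    names out of exactly the directory listing os.listdir() relies on.
    """
    return classify_root_listing(os.listdir(path))


# Constructed sample listings, not taken from any real device.
SAMPLE_CLEAN = ["report.docx", "holiday.jpg", "Shortcut to report.lnk"]
SAMPLE_INFECTED = [
    "report.docx",
    "~WTR0001.tmp",
    "~WTR0002.tmp",
    "Shortcut to report.lnk",
    "Copy of Shortcut to report.lnk",
]

if __name__ == "__main__":
    for label, listing in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, classify_root_listing(listing))
```

To use it against real media, call scan_drive_root() with the mount point of the removable drive from a machine that is known to be clean; a listing taken on the suspect host tells you nothing, which is precisely the rootkit’s purpose.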

Now that we’re nearing the end of episode 3, I’ve just realized that I’ve forgotten one important point – explaining the title of my last three posts.

“Myrtus (myrtle) is a genus of one or two species of flowering plants in the family Myrtaceae,” and “The Myrtaceae or Myrtle family are a family of dicotyledon plants, placed within the order Myrtales. Myrtle, clove, guava, feijoa, allspice, and eucalyptus belong here.”

Why the sudden foray into botany? Because the rootkit driver code contains the following string:

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

Project “Myrtus”. Module “Guava”.
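The string above is a PDB (debug symbol) path that the Microsoft linker writes into the debug directory of a PE file; it records the developer’s own build tree, which is why it leaks the project and module names. The following is an added example, not code from the original post, that pulls such paths out of a binary and splits them into the fields an analyst looks at. The sample blob is constructed; only the embedded path comes from the post. The decoding of the DDK build directory (objfre = free/release build, w2k = Windows 2000 target, x86) reflects the standard Windows DDK build-environment naming.

```python
"""Added example: extract PDB paths from a binary and split them into fields.

Not code from the original post. It reproduces the kind of triage that
surfaces a string like b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb. The
sample blob below is constructed; only the embedded path is from the post.
"""
import re

# A Windows path ending in .pdb: drive letter, colon, backslash, then anything
# up to '.pdb' (bounded to avoid running across the whole file on junk input).
PDB_PATH = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,260}?\.pdb", re.IGNORECASE)

# DDK/WDK build-environment directory names: obj<fre|chk>_<target>_<arch>.
BUILD_DIR = re.compile(r"^obj(fre|chk)_([a-z0-9]+)_(x86|amd64|ia64)$")


def extract_pdb_paths(blob):
    """Return every PDB path found in a byte blob, decoded as text."""
    return [m.group(0).decode("latin-1") for m in PDB_PATH.finditer(blob)]


def parse_pdb_path(path):
    """Split a PDB path into drive, project, module and (if present) build info.

    'project' is the first directory under the drive, 'module' is the PDB file
    stem, and 'build' decodes a DDK build directory if one appears in the path
    (fre = free/release build, chk = checked/debug build).
    """
    parts = path.split("\\")
    drive, dirs, filename = parts[0], parts[1:-1], parts[-1]
    info = {
        "drive": drive,
        "project": dirs[0] if dirs else None,
        "module": filename[: -len(".pdb")],
        "build": None,
    }
    for d in dirs:
        m = BUILD_DIR.match(d.lower())
        if m:
            info["build"] = {
                "type": "free" if m.group(1) == "fre" else "checked",
                "target": m.group(2),
                "arch": m.group(3),
            }
    return info


# Constructed blob: junk bytes around the string quoted in the post, preceded by
# the 'RSDS' CodeView signature, a 16-byte GUID and a 4-byte age, which is how a
# PDB path normally appears in a PE debug directory entry (CV_INFO_PDB70).
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_BLOB):
        print(p, parse_pdb_path(p))
```

Against a real sample you would read the driver file into a bytes object and pass it to extract_pdb_paths(); the build field tells you the binary was a release (free) build targeted at Windows 2000 on x86, which is as much as the path itself can tell you about the toolchain.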

To be continued?
