19790509: The mysterious number inside the Stuxnet worm

Filed Under: Malware

The infamous Stuxnet worm continues to capture the imagination of the general public, with theories that it was written to target nuclear plants inside Iran.

One of the so-called clues that is frequently rolled out in articles about Stuxnet is the mysterious string of characters that the worm leaves inside the Registry on infected Windows computers:

19790509

Most commentators have decided to read this as a date - namely, 9th of May, 1979.

Clearly the date isn't being used by the worm as a trigger for a payload, as it's over thirty years in the past. Instead, the Stuxnet malware uses it to tell whether it has already infected a computer.

It feels like everyone is focusing on the fact that a Jewish Iranian businessman, Habib Elghanian, was executed by a firing squad in Tehran on May 9 1979, and likes to link it with the marker inside the Stuxnet worm.

But should we be a little more cautious and look for something more than circumstantial evidence before treating the characters 19790509 like that?

After all, 9th May 1979 is also the birthday of actress Rosario Dawson.

Come on, you must know her - she was in Kids, Men in Black II and the recent Percy Jackson & The Lightning Thief movie.

She even speaks a little Klingon.

With a pedigree like that surely she's a prime candidate for some geek lust, and an obsessed fan might be tempted to embed her date of birth into a piece of malware?

Or maybe Stuxnet's author is a huge fan of "The Grateful Dead"? Perhaps his favourite record is a bootleg of their 9th May 1979 concert at Broome County Arena, Binghamton, NY, where they sang "China Cat Sunflower", "Friend of the Devil" and "Wharf Rat" amongst others?

Or could it be that the mysterious creator of Stuxnet is not commemorating the death of Habib Elghanian, but instead the passing of multi-millionaire Cyrus S Eaton, composer Lan Adomian, jazz vocalist Eddie Jefferson, and Australian politician Sir Charles Adermann? All of whom also died on 9th May 1979.

All this is assuming, of course, that 19790509 is a date in the form "yyyymmdd".

It could equally have been the coder's preferred Bingo numbers (19, 79, 05, 09).

Or, it could be that whoever wrote Stuxnet liked to use the date format "yyyyddmm" which would mean that we're all focusing on the wrong date entirely.

(By the way, although rare, there are programs which appear to use the 'yyyyddmm' date format - just Google it)

If the coder had adopted the 'yyyyddmm' date format then that would mean we should be considering 5th September 1979 instead.

Which just happens to be the birthday of footballers John Carew (Norwegian), George O'Callaghan (Irish) and Salvatore Mastronunzio (Italian). Additionally, according to Wikipedia, it's the date of birth of Stacey Dales (a Canadian basketball player and sportscaster) and English scrabble player Stewart Holden.

Hmm..

I imagine there are thousands of different interpretations we could give to the number 19790509, and maybe we should be a little more cautious about jumping to conclusions. After all, it could just as easily be the creator's own date of birth, or his parents' wedding day, or an entirely randomly chosen number.
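To make the ambiguity concrete, here is an added example (not part of the original article) that decodes an 8-digit marker under several hypotheses at once. It goes beyond the two date layouts discussed above by also trying two day-first and month-first layouts, Unix epoch seconds and a hexadecimal rendering; the function and layout names are illustrative assumptions.

```python
from datetime import date, datetime, timezone

# Candidate field layouts as (year, month, day) slices into the 8-digit string.
# Only "yyyymmdd" and "yyyyddmm" come from the article; the rest are assumptions.
LAYOUTS = {
    "yyyymmdd": (slice(0, 4), slice(4, 6), slice(6, 8)),
    "yyyyddmm": (slice(0, 4), slice(6, 8), slice(4, 6)),
    "ddmmyyyy": (slice(4, 8), slice(2, 4), slice(0, 2)),
    "mmddyyyy": (slice(4, 8), slice(0, 2), slice(2, 4)),
}


def calendar_readings(marker: str) -> dict:
    """Return each layout under which `marker` is a real calendar date."""
    found = {}
    for name, (y, m, d) in LAYOUTS.items():
        try:
            parsed = date(int(marker[y]), int(marker[m]), int(marker[d]))
        except ValueError:
            continue  # e.g. month 79 or day 31 in a 30-day month
        found[name] = parsed.isoformat()
    return found


def readings(marker: str) -> dict:
    """Decode an 8-digit marker under every hypothesis that yields a valid value."""
    if len(marker) != 8 or not (marker.isascii() and marker.isdigit()):
        raise ValueError("expected an 8-digit decimal string")
    out = calendar_readings(marker)
    value = int(marker)
    # Seconds since 1970-01-01 UTC; any 8-digit value falls between 1970 and 1973.
    out["unix_seconds_utc"] = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    # The same integer written in hexadecimal, as it might appear in a dump.
    out["hex"] = format(value, "X")
    return out


if __name__ == "__main__":
    for hypothesis, decoded in readings("19790509").items():
        print(f"{hypothesis:18} {decoded}")
```

Every reading it returns is equally well supported by the digits alone, which is the point: the marker by itself cannot tell you which hypothesis the author had in mind.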

Unless we find whoever is responsible for Stuxnet, my guess is that no-one will ever know for sure.

Got a theory about 19790509? Why not tell us by leaving a comment below.


16 Responses to 19790509: The mysterious number inside the Stuxnet worm

  1. It's a crossword clue in HEX converted to decimal - 12D FAAD ( 12 down - free app a day ) for iPhone users.

  2. David Harley · 1438 days ago

    I still blame Finnish eco-terrorists ;-)

  3. Chris · 1438 days ago

    9th May 1979 is the date that the US & USSR signed the Salt 2 treaty, limiting nuclear weapons

  4. Casey Jones · 1438 days ago

    Dude! That Broome County show ROCKED!!!!!

  5. Pudding · 1438 days ago

    Could also be a UNIX time stamp - August 18th 1970, 2:21 am.

    Might not even be a date at all.

  6. I just found another possibility.

    Mr F R Lovell, from the village of Underwood in Nottinghamshire, applied to get an extension on his kitchen and bathroom in 1979.

    His reference number? V/1979/0509
    http://www.ashfield-dc.gov.uk/cfusion/planning/pl...

    Clearly a conspiracy... has anyone asked him about Stuxnet?

  7. 1/9/79, 0509 hours. IF it is indeed a time and/or datestamp...that would be another possibility.

    i for one am not a big subscriber to conspiracy theories. it most likely was chosen as a string of numbers that is not found (or rarely found) in other, legitimate, lines of code or registry entries, hence the reason it's used as an identifier for Stuxnet to determine if a computer was already infected or not.

  8. Speaking as the English Scrabble player in question, I'm not sure whether to be worried or flattered. Nothing to do with me, guv, just came across this article in via an egosurfing Google Alert :)

  9. Name Withheld · 1437 days ago

    It is exactly one month before the wedding day of my first marriage. Since I was married to a really nice girl who was later referred to by many as "The Evil One" - a name that became increasingly applicable in my mind, as it turned out - I think it is a reference to the dreaded "666" but with a twist of obfuscation.

  10. joe · 1435 days ago

    dear hans
    not really surprising - as early as in 2006 possible attacks against SCADA systems have been discussed at conferences (blackhat) and in forums - so if an investigative author will hear/read about these topics and he is clever enough to ask people with technical / security background - he can compress this information to a successful story as daniel silva has done - or - michael crichton does ..and a lot of others..

  11. anon · 1385 days ago

    If you read the date the non US (english) way, it's reversed.

    So is this just a coincidence?
    http://www.historyorb.com/date/1979/september/5

    - Iran army occupies Piranshahr

    Piranshahr used to belong to Iraq.

    Also.

    There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: myrtussrcobjfre_w2k_x86i386guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do.

    "Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus... an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively." http://www.nytimes.com/2010/09/30/world/middleeas...

    hmmm

  12. DanThaMan · 1381 days ago

    It happens to be the day that the US and Russia signed the Nuclear Non-Proliferation SALT treaty.... Enough said, I rest my case ;-)

  13. Harley · 1253 days ago

    Code Wars on NBC program states that was the date a prominent Iranian Jew named (SP?) Habib Al-Ganion was executed in Iran by firing squad. He was accused of being a spy for Israel. Makes sense!

  14. David Heath · 886 days ago

    remember that in the SCADA world, a common term is RTU (Remote terminal Unit) - generally some kind of a machine-side controller unit

    Thus we have my RTUs ==> "Myrtus"

  15. Randy · 486 days ago

    "After all, 9th May 1979 is also the birthday of actress Rosario Dawson..... She even speaks a little Klingon."
    Let's just blame Stuxnet on the Klingons and be done with it.

  16. novaflare · 476 days ago

    phone number - area code ?Authors birthday simple numeric for alpha replacement code


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.