English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Myrtus and Guava: the epidemic, the trends, the numbers

Aleks
Kaspersky Lab Expert
Posted September 26, 18:28  GMT
Tags: Malware Statistics, Targeted Attacks, Stuxnet, Zero-day vulnerabilities
0.3
 

Over the last few days, Stuxnet has been covered extensively in the mass media. And it's been covered differently by different sources. "Iran", "Bushehr nuclear plant" and "cyber-weapon" are phrases which are already inexorably linked to Stuxnet. One of the main arguments behind the "Iranian" theory is that Iran is the epicentre of the epidemic, as it has the largest number of computers identified as being infected.

However, any estimates about the number of infected machines can only be based on the data which AV companies get from their clients' machines. And such data only comes from those countries where a company actually has clients. So if there aren't any clients, or the antivirus product in question isn't widely used, any estimates have to be regarded as having a serious margin of error.

You have to look at data from several companies in order to get a reasonable idea of what's going on. And in addition to this, you have to know what market share the company in question has in the relevant country.

Nearly all sources agree on one point: that Iran, India, and Indonesia lead in terms of infections. Some put Iran in first place, some India. Unfortunately, what's getting forgotten is that the Stuxnet epidemic (like any epidemic) isn't static: the worm is continuing to spread, and while some systems remain infected, many of them have been cleaned.

We've been monitoring the epidemic. A look at the data from the last three months gives us a chance to pinpoint what changes have taken place, and to maybe establish which country the worm initially spread from.

Our data set comes from the Kaspersky Security Network, our in-the-cloud service. The data throws up some interesting facts, but it should be stressed that this is data from our personal product line, and not data collected by our other products.

The table below lists the twenty most infected countries from the start of July (when detection for Stuxnet was added to our bases) until now. India, Iran, and Indonesia take the top three. But Iran isn't in first place; neither is it in second.

As I said above, these statistics are for the whole three month period. In reality, the epidemic is evolving in different ways in different countries, and at the start of the outbreak, the difference between the three leading countries was not nearly so marked.

We've divided the entire period into five day sections. Here are the five most infected countries in the first five days following Stuxnet's detection:

  • India – 8565
  • Indonesia – 5148
  • Iran – 3062
  • Afghanistan – 533
  • Azerbaijan – 454

And here are the five most infected countries for the last five days (20 – 25 September):

  • India - 8179
  • Indonesia - 3052
  • Kazakhstan - 1340
  • Russia - 1138
  • Iran– 765

The number of infected systems in India and Indonesia dropped. In contrast, Stuxnet started hitting Kazakhstan and Russia in earnest.

These graphs give a picture of how the epidemic developed in different countries:

As you can see, Iran managed to significantly cut its infection rate by cleaning many infected systems. If this trend is maintained, then Iran will stop being one of the centres of the epidemic. India, on the other hand, has stayed more or less at the same level; it is encouraging, though, the the epidemic doesn't seem to be on the rise. Indonesia, like Iran, seems to have been successful in preventing Stuxnet from spreading.

The same can't be said for Russia and Kazakhstan. These two countries currently seem to be the most vulnerabile, and the epidemic is only starting to reach a peak. Stuxnet is new to these countries, so it's clear that the worm didn't start spreading from either of these two territories.

Here's a graph similar to the one above showing data for other countries:

It's clear that in three countries – Bangladesh, Iraq and Syria – the epidemic is on the rise. The first infections in Bangladesh were only detected in August, after Stuxnet was first detected, and it may well be that the worm came to Bangladesh from India. The epidemics in Iraq and Syria indicate that the worm probably came from Iran.

Here's how the number of Stuxnet related incidents in September has changed in comparison to those in July:

  • India: -5%
  • Indonesia: -41%
  • Iran: -75%
  • Russia: +308%
  • Kazakhstan: +1711%
  • Afghanistan:-55%
  • Uzbekistan:-37%
  • Syria: +47%
  • Bangladesh: +370% (in comparison with August)
  • Pakistan: +2%
  • Azerbaijan:-73%
  • Iraq: +35%

Unfortunately, it has to be said that Stuxnet was only detected after it had reached a peak in Iran and India. At the moment, it's extremely difficult to determine exactly when it first appeared.

It's clear that AV companies only detected the worm in those countries once it was on the downswing. Looking at the stats, it seems that the worm must have started spreading 3 – 4 months prior to July 2010 – according to our data set, Stuxnet would have needed this period of time in order to infect such a large number of machines.


5 comments

Newest first
Table view
 

Costin Raiu

2010 Sep 30, 09:52
0
 

Re:

Very good point, we were thinking the same.

Reply    

Tenzo

2010 Sep 28, 23:25
0
 

Myrtles refers to the Hebrew symbol for Justice



The first reference of the Myrtle in the Bible is in Nehemiah 8:15 in regard to the celebration of the Feast of Tabernacles.
In Hebrew myrtle is called "hadas" and is one of the Four Species (arba'ah minim-ארבעת המינים) used in a special ceremony during the Jewish holiday of Sukkot (Feast of Tabernacles).
To the ancient Jews it was symbolic not only for peace, but also for justice. The name Hadassah (Esther), is very similar to the Hebrew word for myrtle and the Targums say: "They call her Hadassah, because she was just, and those that are just are compared to myrtles".

Reply    

Tyrone jackson

2010 Sep 28, 16:14
0
 

Re: How about a different angle?

Haystack, which has certainly not been "low profile" here in the US given how many new articles and radio interviews the Haystack folks have given in the last several months, seems to be alive and well. http://www.haystacknetwork.com/

We'll never know where this software came from short of the authors admitting it AND providing proof they really are the authors. The country that gets caught a lot engaging in industrial espionage is China, which is conspicuously absent from the list of infects above.

Reply    

CG

2010 Sep 27, 07:41
0
 

How about a different angle?

Lets see.....

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

Could it refer to this?

http://www.strangewonderfulthings.com/206.htm

A perennial bush that grows in San Franciso...and so did a USB project that worked on the concept of helping Iranians bypass web filtering in their nation.

It was called Haystack...and now its gone off the air as of September 15th.....

http://en.wikipedia.org/wiki/Haystack_%28software%29
http://blogs.computerworlduk.com/simon-says/2010/09/burning-haystack/index.htm

Strange now it kind of closes up shop quietly.....It gets permission from the US government to get past the export restrictions, and ends up in the hands of Iranians with USB keys who are trying to get information....and perhaps information is being sent to them as well.....

Always look for the misdirection.....you find light at the end of the tunnel.....

Have a nice day......

Reply    

Maria Cristina

2010 Sep 27, 02:32
1
 

The worm started spreading from Iran, but does it means its author(s) is/are from Iran? I'm just thinking to myself if anyone from any part of the world who has interest to invade some "X Country" industrial plants, would this person start to spread his/her code from other country then the target one? My 10 cents: Stuxnet's author is from any country of the world, except from such countries that lead the statistics.

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog