Interesting artifact in Stuxnet: guava.pdb

lakrispipe · Jan 21, 2020

Looking at the source code for Stuxnet you can find this interesting path: b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

I've read different theories on what this means and the most common ones are summarized on wikipedia:

Some have also cited several clues in the code such as a concealed reference to the word MYRTUS, believed to refer to the Myrtle tree, or Hadassah in Hebrew. Hadassah was the birth name of the former Jewish queen of Persia, Queen Esther.[127][128] However, it may be that the "MYRTUS" reference is simply a misinterpreted reference to SCADA components known as RTUs (Remote Terminal Units) and that this reference is actually "My RTUs"–a management feature of SCADA.[129]
Click to expand...

In the wikipedia article for guava it says:

is a small tree in the myrtle family (Myrtaceae), native to Mexico, Central America, the Caribbean and northern South America.
Click to expand...

Any alternative theories on why the malware authors chose to name it guava? Very interesting for sure

Yen · Jan 21, 2020

The relation Guava to Myrtus is botanically reasonable.
Guava (Psidium guajava) belongs to the family of Myrtaceae and the order of Myrtales.
(We once researched about Psidium leaves to develop meds against diarrhea...)....

Myrtle (Myrtus communis) belongs also to the family of Myrtaceae and the order of Myrtales.
Both plants are botanically related, means 'Myrtus and Guava' are botanically related, they have the same family.

The relation to 'Esther' is far fetched.
If you want to have a biblical relation then rather have a look what's the role of Myrtle there. (For instance the transformation of Nature).

TBH the relation to My RTUs as a hint to RemoteTerminalUnit seems to be more reasonable....

Log in or Sign up

Interesting artifact in Stuxnet: guava.pdb

lakrispipe MDL Novice

Yen Admin Staff Member