
One interesting question is:

Q: Was Stuxnet written by a government?
A: That's what it would look like, yes.


While it is pretty difficult to answer what a piece of code written by a government would look like, a useful piece of information is also that the code targeted 4 different 0-day bugs [1]. If we consider previous reports on 0-day pricing [2], this alone could put the cost of the worm at over $200000, making it more likely to be built by a well-funded adversary.

[1] http://en.wikipedia.org/wiki/Zero-day_attack
[2] http://weis2007.econinfosec.org/papers/29.pdf


A talented individual or small team, government funded or not, is going to be able to research vulnerabilities on their own.


It really doesn't matter if they bought the 0days or researched them themselves - either way they either spent the cash or gave up the opportunity to earn the cash from them, which is equivalent. They still put ~$200,000 worth of resources into the worm.


Agreed, but I think the best evidence of large sponsorship is in that factory system recognition and parameter modification code. We don't really understand the sophistication until it actually chooses to execute, but access to those kinds of specifications would require some fairly extensive research resources, someone that an individual or small team would have trouble getting alone.


Yes, but a talented individual would probably sell those vulnerabilities since they are worth so much, rather than use them for some obscure, probably not money-earning, goal.


That's just moving one layer of indirection. If vulnerabilities are worth money, presumably so they can be exploited, then why isn't it possible for someone to be motivated to use vulnerabilities and also have the talent to discover them?


You're making the assumption that a government would not pay for the development and exploitation of those vulnerabilities, which is de facto false considering the current "cyberdefense" capabilities of developed countries.


If it's indeed created by Israeli Intelligence, then at least R&D costs will be close to nothing. The Israeli military has mandatory service. 18-21-year-old programmers/hackers work day and night almost for free.


I think there's some very experienced, very talented people working on this. Security is one area where I believe that the older you are and the more hours you've clocked and exploits you've thoroughly understood, the better you are.


Our defense budget is 7% of our GDP, which is the 5th highest rate in the world (according to wiki). I would hardly call that free. Also, there is a shortage of tech talent here and the salaries are quite high. So there are also hidden costs with the military getting people to work for "free".


First, it's 8.5% of GDP in 2009, but in absolute numbers it's only $14.3B (including US aid, which has to be spent in the US). This is peanuts for being a regional superpower. About half of the budget goes to salaries of officers, permanent servicemen and civilian contractors.


The danger there is the "common thinking" that this puts it squarely in the realm of governments.

However, at such a price point you're still well within the remit of organised gangs; they, for example, will spend a fortune on viruses and other malware - it's big big business.


Isn't the question better posed as was it funded by a government? And how did they choose whom to hire? Maybe the private armies are getting into cyberwarfare...


What's the difference between a govt writing it and funding it? Writing is a subset of funding.


Wait, since when have governments been better at writing code than small groups of talented amateurs? Have I fallen through a portal into mirror-universe HN?


One of the arguments for it being a government is the unusual size and complexity of the code. A large piece of code speaks against a small group. It also speaks against a group with an ethos of producing something simple and elegant, which talented amateurs would be likely to feel.


This is the stuff of movies, but do you think it's very wise to write this kind of software for a government? Perhaps if you can somehow stay anonymous..


Eh? The implication/speculation is that a government wanted to create and spread a worm.


Yes but would you like to be the programmer that wrote it? You would also be a witness. Again, movie stuff.. :)


You're assuming that a bunch of suits pulled some hackers out of their parents' basement and told them to write a virus.

I can only comment on the US Government's NSA, which has thousands of highly trained and highly intellectual programmers already under their employ. These are people that do their job to protect and assist in the affairs of the government. Probably already under highly classified labels. For some, it is just another job assignment.

However, I am also speculating. The truth: No one capable of telling the truth knows.



