Stuxnet's earliest known version sheds light on the worm's development
Posted on 26.02.2013
Symantec researchers have discovered an older version of the infamous Stuxnet worm that caused the disruption at Iran's nuclear facility in Natanz: Stuxnet 0.5.


Stuxnet 0.5 is, as of now, the oldest Stuxnet version to be analyzed by security researchers, and this analysis shed some light on how the threat first came to be.

According to a whitepaper released by the researchers at RSA Conference 2013, Stuxnet 0.5 has first been detected in the wild in 2007 when someone submitted it to the VirusTotal malware scanning service, but has been in development as early as November 2005.

Unlike Stuxnet versions 1.x that disrupted the functioning of the uranium enrichment plant by making centrifuges spin too fast or too slow, this one was meant to do so by closing valves.

"Whether Stuxnet 0.5 was successful is unclear, but later versions of Stuxnet were developed using a different development framework, became more aggressive, and employed a different attack strategy that changed the speeds of the centrifuges instead instead suggesting Stuxnet 0.5 did not completely fulfill the attacker’s goals," the researchers pointed out, adding that other versions of the worm are known to exist, but have never been recovered.

Stuxnet 0.5 was also equipped with less spreading mechanism than later version - it could propagate just through infection of Siemens Step 7 project files - but could receive peer-to-peer updates.

"Stuxnet 0.5 is partly based on the Flamer platform whereas 1.x versions were based primarily on the Tilded platform. Over time, the developers appear to have migrated more towards the Tilded platform," the researchers noted. "The developers actually re-implemented Flamer-platform components using the Tilded platform in later versions. Both the Flamer and Tilded platform code bases are different enough to suggest different developers were involved."

Stuxnet 0.5 has also been designed to stop communicating with its C&C servers on January 11, 2009, and to stop compromising computers on July 4 of the same year. The four C&C server it contacted have since passed in other (legitimate) hands, but it's interesting to note that the C&C server domains were created in 2005 and all posed as an Internet advertising agency.

"While the discovery of Stuxnet 0.5 helps to deepen our overall understanding of Stuxnet and what its goals are, versions remain unrecovered. If these are located, they may expose other secrets behind this operation and more clues to its origins, but obtaining these other samples may prove to be next to impossible," the researchers concluded.

For those interested in finding more about Stuxnet 0.5's payload and intended modus operandi, I suggest checking out Symantec's extensive whitepaper.





Spotlight

The evolution of backup and disaster recovery

Posted on 25 July 2014.  |  Amanda Strassle, IT Senior Director of Data Center Service Delivery at Seagate Technology, talks about enterprise backup issues, illustrates how the cloud shaping an IT department's approach to backup and disaster recovery, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //