Stuxnet’s earliest known version sheds light on the worm’s development
Symantec researchers have discovered an older version of the infamous Stuxnet worm that caused the disruption at Iran’s nuclear facility in Natanz: Stuxnet 0.5.
Stuxnet 0.5 is, as of now, the oldest Stuxnet version to be analyzed by security researchers, and this analysis shed some light on how the threat first came to be.
According to a whitepaper released by the researchers at RSA Conference 2013, Stuxnet 0.5 has first been detected in the wild in 2007 when someone submitted it to the VirusTotal malware scanning service, but has been in development as early as November 2005.
Unlike Stuxnet versions 1.x that disrupted the functioning of the uranium enrichment plant by making centrifuges spin too fast or too slow, this one was meant to do so by closing valves.
“Whether Stuxnet 0.5 was successful is unclear, but later versions of Stuxnet were developed using a different development framework, became more aggressive, and employed a different attack strategy that changed the speeds of the centrifuges instead instead suggesting Stuxnet 0.5 did not completely fulfill the attacker’s goals,” the researchers pointed out, adding that other versions of the worm are known to exist, but have never been recovered.
Stuxnet 0.5 was also equipped with less spreading mechanism than later version – it could propagate just through infection of Siemens Step 7 project files – but could receive peer-to-peer updates.
“Stuxnet 0.5 is partly based on the Flamer platform whereas 1.x versions were based primarily on the Tilded platform. Over time, the developers appear to have migrated more towards the Tilded platform,” the researchers noted. “The developers actually re-implemented Flamer-platform components using the Tilded platform in later versions. Both the Flamer and Tilded platform code bases are different enough to suggest different developers were involved.”
Stuxnet 0.5 has also been designed to stop communicating with its C&C servers on January 11, 2009, and to stop compromising computers on July 4 of the same year. The four C&C server it contacted have since passed in other (legitimate) hands, but it’s interesting to note that the C&C server domains were created in 2005 and all posed as an Internet advertising agency.
“While the discovery of Stuxnet 0.5 helps to deepen our overall understanding of Stuxnet and what its goals are, versions remain unrecovered. If these are located, they may expose other secrets behind this operation and more clues to its origins, but obtaining these other samples may prove to be next to impossible,” the researchers concluded.
For those interested in finding more about Stuxnet 0.5’s payload and intended modus operandi, I suggest checking out Symantec’s extensive whitepaper.