Wednesday, 27 February 2013
The Stuxnet Malworm Missing Link- Version 0.5 predates prior disclosures

Symantec, the computer anti-virus software firm, has found ‘in the wild’ code for a prior version of the Stuxnet malworm that indicates a launch in 2005. They call it Version 0.5, and it predates Version 1.0, which was reported in 2009. The Stuxnet malworm attacked the Siemens SCADA operating systems that controlled the timing of the release of hexafluoride gas to centrifuges at the Natanz enrichment facility in Iran. Further, Symantec indicated in a White Paper released this week that elements of Stuxnet version 0.5 may be based on the Flame espionage software system. We noted in a May 2012 post on Flame that Israeli Minister for Strategic Affairs Moshe Ya’alon had suggested that Israel’s much vaunted Unit 8200 may have been behind Flame. We also suggested that Flame could have been the platform for Stuxnet, Duqu and other variants. The Symantec revelations about a 2005 date raise the possibility that Flame and Stuxnet might have been a cooperative US-Israeli effort that began under the Bush Administration.

Israel Hayom reported on the comments of both Symantec researchers and Dr. David Albright, former UN nuclear inspector and head of the Washington, DC-based Institute for Science and International Security:

Symantec researchers said on Tuesday they had uncovered a piece of code, which they called "Stuxnet 0.5," among the thousands of versions of the virus they recovered from infected machines.

They found evidence that Stuxnet 0.5 was in development as early as 2005, when Iran was still setting up its uranium enrichment facility, and the virus was deployed in 2007, the same year the Natanz facility went online.

"It is really mind-blowing that they were thinking about creating a project like that in 2005," Symantec researcher Liam O'Murchu told Reuters.

Security experts who reviewed Symantec's 18-page report on Stuxnet 0.5 said it showed the cyber weapon was already powerful enough to cripple output at Natanz as far back as six years ago.

"This attack could have damaged many centrifuges without destroying so many that the plant operator would have become suspicious," said a report by the Institute for Science and International Security, which is led by former U.N. weapons inspector David Albright and closely monitors Iran's nuclear program.

Although it is unclear what damage Stuxnet 0.5 might have caused, Symantec said it had been designed to attack the Natanz facility by opening and closing valves that feed uranium hexafluoride gas into centrifuges, without the knowledge of the operators of the facility.

Symantec noted in its findings how Stuxnet evolved from Flame and interacted with Siemens SCADA operating controls software:

In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze and the eventual payload significantly raised the bar in terms of cyber threat capability. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure. The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.

Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.

Key discoveries found while analyzing Stuxnet 0.5:

  • Oldest variant of Stuxnet ever found
  • Built using the Flamer platform
  • Spreads by infecting Step 7 projects including on USB keys
  • Stops spreading on July 4, 2009
  • Does not contain any Microsoft exploits
  • Has a full working payload against Siemens 417 PLCs that was incomplete in Stuxnet 1.x versions

As with version 1.x, Stuxnet 0.5 is a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce.

Despite the age of the threat and kill date, Symantec sensors have still detected a small number of dormant infections (Stuxnet 0.5 files found within Step 7 project files) worldwide over the past year.

Watch this Symantec video on the discovery of Version 0.5 and chronology of the Stuxnet malworm:

Posted on 02/27/2013 10:02 AM by Jerry Gordon