Stuxnet Variant Origins May Stretch Back to 2005, Symantec Says

The notorious malware at the center of the cyber-sabotage campaign that targeted Iran's nuclear program is several years older than researchers once thought.

Researchers at Symantec have uncovered another phase in the evolution of Stuxnet, an early variant of the malware that may have been developed as early as 2005.

In the more than two years that has passed since Stuxnet was discovered during the summer of 2010, the malware's complexity and goal of causing damage in the physical world has led to multiple efforts to peel back all of the layers of Stuxnet's existence. But while it was previously believed to have first appeared in 2009, Symantec researchers have uncovered an older variant that they have traced back to years before.

Dubbed Stuxnet version 0.5, the variant was submitted to a public malware scanning service during 2007, but may have been in operation as early as 2005, according to Symantec. This particular version is designed to stop compromising computers on July 4, 2009, and to stop communicating with its command and control (C&C) servers on Jan. 11, 2009. It replicates through the infection of Siemens Step 7 project files and does not exploit any Microsoft vulnerabilities as later versions did.

"When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies," according to Symantec's Security Response Team. "We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code."

"After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges," according to Symantec. "The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems."

The code also takes snapshots of the normal running state of the system and replays normal operating values during an attack to hide what is going on. It also prevents modification to the valve states in case the operator tries to make any changes to the settings during an attack.

"By closing almost all valves except the initial feed stage valves, UF6 will continue to flow into the system," Symantec found. "This act alone may cause damage to the centrifuges themselves. However, the attack expects the pressure to reach five times the normal operating pressure. At this pressure, significant damage to the uranium enrichment system could occur and the UF6 gas could even revert to a solid."

According to Vikram Thakur, security response manager at Symantec, researchers have now seen four variants of Stuxnet, which is widely believed to have been created by the United States and Israel in a secret project code-named "Olympic Games."

Unlike other versions, Stuxnet 0.5 is partly based on the Flamer (Flame) platform. The other known versions were based primarily on the Tilded platform, and the developers actually re-implemented the Flamer platform components using Tilded.

"There are at least a couple of theories about why the platform was changed from Flamer to Tilded," Thakur said. "First, the Stuxnet project may have been assigned to a different set of developers prompting the change. Alternatively, it may be that the team decided to revamp the code completely after some attack instances in order to reduce the longevity of malcode for fear of it being detected."

"Until recently we only knew that the Stuxnet developers had access to the resources of Flamer," Thakur said. "However, the recent developments we released this week confirmed our suspicions that the Stuxnet and Flamer developers are indeed related. They're either part of the same team of developers, or they're part of separate teams, but operating within the same organization."