Malware

RSA 2013: Symantec shows proof that Stuxnet has been striking since at least 2007

Security firm Symantec has released new findings that show the super worm Stuxnet, which was used to attack Iran's nuclear enrichment facilities, has been alive for much longer than researchers originally thought.

According to evidence released in conjunction with the RSA Conference in San Francisco, Symantec has discovered an earlier, less-potent version of the malware, which it has dubbed "Stuxnet 0.5." This strain turned up in the wild as early as November 2007, close to three years before the main version, "Stuxnet 1.0," which is believed to be a joint Israel-United States cyber sabotage project, was discovered.

In addition, Symantec has concluded that Stuxnet's command-and-control servers had been active since at least 2005, an indication that Stuxnet 0.5 may have been in development since then.

The version of Stuxnet with which most people are familiar attacked the centrifuge motors at a nuclear facility in Natanz, Iran, which caused the motors to rapidly accelerate, Francis deSouza, Symantec's group president of products and services, said during a morning keynote at the RSA Conference. 

In particular, it went after the Windows-based programmable logic controllers (PLCs) made by SCADA software and hardware provider Siemens.

Stuxnet 0.5, however, was different in that it sought to take over the valves which controlled the uranium gas produced by the centrifuges, deSouza said.

"Stuxnet 0.5 contains an alternative attack strategy, closing valves within the uranium enrichment facility at Natanz, Iran, which would have caused serious damage to the centrifuges and uranium enrichment system as a whole," according to a white paper (PDF) released Tuesday. 

Symantec has deemed Stuxnet 0.5 "the missing link." However, it is considered less vicious than Stuxnet 1.0 because it relies on far fewer vectors to spread and does not leverage any zero-day vulnerabilities.

"The only method of replication in Stuxnet 0.5 is through infection of Siemens Step 7 project files," the white paper said. "Stuxnet 0.5 does not exploit any Microsoft vulnerabilities, unlike versions 1.x which came later."

Symantec also has conclusively linked Stuxnet 0.5 with the Flamer platform, which also produced the Flame espionage virus, another U.S. creation.

The Stuxnet infection stopped spreading in June 2012, according to Symantec.

"The other thing this finding points out is that we are approaching the end of the first decade of weaponized malware," deSouza said.
