New beta Stuxnet also attacked Iran nuke program

Stuxnet '0.5' was designed to shut off gas valves.

Security firm Symantec has released new findings that show Stuxnet has been alive for much longer than researchers originally thought.

According to evidence released in conjunction with the RSA Conference in San Francisco, Symantec has discovered an earlier, less-potent version of the malware, which it has dubbed Stuxnet 0.5.

This strain turned up in the wild as early as November 2007, close to three years before the discovery of the main version, "Stuxnet 1.0," which is believed to be a joint Israel-United States cyber sabotage project.

In addition, Symantec has concluded that Stuxnet's command-and-control servers had been alive since at least 2005, an indication that Stuxnet 0.5 may have been in development since then.

The version of Stuxnet with which most people are familiar attacked the centrifuge motors at a nuclear facility in Natanz, Iran, causing the motors to rapidly accelerate, Francis deSouza, Symantec's group president of products and services, said during a morning keynote at the RSA Conference.

In particular, it went after the Windows-based programmable logic controllers (PLCs) made by SCADA software and hardware provider Siemens.

Stuxnet 0.5, however, was different in that it sought to take over the valves which controlled the uranium gas produced by the centrifuges, deSouza said.

"Stuxnet 0.5 contains an alternative attack strategy, closing valves within the uranium enrichment facility at Natanz, Iran, which would have caused serious damage to the centrifuges and uranium enrichment system as a whole," according to a white paper (PDF) released Tuesday. 

Symantec has deemed Stuxnet 0.5 "the missing link." However, it was considered less vicious than Stuxnet 1.0 because it relied on far fewer vectors to spread and did not leverage any zero-day vulnerabilities.

"The only method of replication in Stuxnet 0.5 is through infection of Siemens Step 7 project files," the white paper said. "Stuxnet 0.5 does not exploit any Microsoft vulnerabilities, unlike versions 1.x which came later."

Symantec also has conclusively linked Stuxnet 0.5 with the Flamer platform, which also produced the Flame espionage virus, another U.S. creation.

The Stuxnet infection stopped spreading in June 2012, according to Symantec.

"The other thing this finding points out is that we are approaching the end of the first decade of weaponized malware," deSouza said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition