Symantec Research – Stuxnet was dated 2005
By Pierluigi Paganini, Editor-in-Chief
This is the news of the day … authors of Stuxnet virus that was used to sabotage Iranian nuclear program in 2010, according a study conducted by Symantec firm, started in 2005 and not in 2009 as believed until now. Stuxnet, differently from to successive versions, was designed to manipulate the nuclear facility’s gas valves causing explosion in the targeted nuclear plants, the attackers strategy was to hit the Iranian facilities physical destructing the targets, due this reason the international security community considered Stuxnet as first cyber weapon of the history.
Francis deSouza, Symantec’s president of products and services, revealed that the version detected was a prototype version of the final malicious agent that authors tested in the period between 2005 and 2009.
“It looks like now the weapon tried a few things before it hit on what would actually work,”‘ “It is clear that this has been a sophisticated effort for longer than people thought.” Said deSouza.
Symantec experts have found in the source ode the new version of Stuxnet detected express reference to 0.5 version number, meanwhile analyze date of website domain registration discovered that Stuxnet 0.5 stopped to infect machines on July 4th, 2009, few days before the version 1.001 was created.
Symantec report reveals the differences of version 0.5 with subsequent ones of Stuxnet, later versions significantly increased their spreading capability exploiting an increased number of software flaws.
- Later versions significantly increased their spreading capability and use of vulnerabilities.
- Replacement of Flamer platform code with Tilded platform code.
- Later versions adopted an alternative attack strategy from uranium enrichment valve disruption to centrifuge speed modification.
Most important change is related to the strategy pursued by the attackers that concentrated their effort from sabotage of gas valve to centrifuge speed modification.
Symantec also provided further info on the link between Flame and Stuxnet malware, until now security community believed that Stuxnet authors have had access to Flame components but not to whole Flame Platform source code. The discovery of Stuxnet 0.5 demonstrates that its authors had access to the complete Flamer platform source code.
Following the statements proposed on the topic in the report:
“Stuxnet 0.5 is partly based on the Flamer platform whereas 1.x versions were based primarily on the Tilded platform. Over time, the developers appear to have migrated more towards the Tilded platform. The developers actually re-implemented Flamer platform components using the Tilded platform in later versions.
Both the Flamer and Tilded platform code bases are different enough to suggest different developers were involved.”
Sources: CDM and Symantec