Stuxnet nuclear sabotage malware's evolution revealed

An earlier version of malware designed to sabotage Iran's nuclear program has been discovered, revealing new information about the development of the sophisticated cyber-weapon.

Stuxnet 0.5 was already active in 2007, suggesting that it was developed as early as 2005, security researchers at internet security firm Symantec reported Tuesday at the RSA information security conference in San Francisco.

"They were working on these types of cyber-sabotage well before anyone gave any credence to this sort of thing," said Eric Chien, Symantec's technical director of security technology and response, in an interview Tuesday.

"The guys behind this were well ahead of their time …. It's kind of mind-blowing."

The older version of Stuxnet also contained code that had been disabled and was noticeably missing in the newer version. That code was designed to implement a completely different type of attack on Iran's nuclear facilities.

The discovery of Stuxnet 1.x in July 2010 alarmed and astonished the world. The highly sophisticated malware appeared to have been developed as a military-grade cyber-weapon to damage real-world facilities — centrifuges in Iran used to produce enriched uranium fuel for the country's nuclear reactors.

The New York Times reported that Stuxnet may have shut down a fifth of the Iran's nuclear centrifuges at one point by causing them to spin out of control.

A book by New York Times chief Washington correspondent David E. Sanger published last July, based on interviews with unnamed U.S. cyberweapons officials, confirmed the U.S. and Israeli military were behind the attack, that they first started testing Stuxnet in 2003, and that the plan to attack Iran's Nantaz nuclear enrichment facility was first hatched in 2006.

Symantec discovered Stuxnet 0.5 in a sample submitted by a malware scanning service in November 2007. The company collects samples from internet security services around the world and regularly combs through its archives, looking for both new and familiar threats.

In this case, Chien said, the malware showed some familiar patterns.

"Pretty quickly, we realized it was an early version of Stuxnet."

The team spent the next couple of months studying it and comparing it with the later version of Stuxnet.

Missing code found

They discovered that the code missing in the newer version was designed to open and close the valves that manage the flow of uranium hexafluoride gas into the uranium enrichment centrifuges. That would have caused pressure to build up inside the centrifuge system, causing damage.

Chien said the fact that the later version used a different strategy suggests that the first strategy was not as successful as Stuxnet's creators had hoped.

The other major difference between the early and later version of Stuxnet is its method of spreading. The later version used seven different methods, including some that exploited vulnerabilities in the Windows operating system, which would have let it spread to a variety of machines, including laptops and PCs.

However, Stuxnet 0.5 used only one of the seven methods — one that restricted it a specific type of file used mainly by developers to add source code to a text file, Chien said.

The discovery of Stuxnet 0.5 still leaves some unanswered question. There are still missing pieces that suggest there are other versions of the malware out there, Chien said.

However, it does highlight the usefulness of going back and searching through malware archives, he added.

"It's something we do because we find stuff like this."

The RSA conference runs until March 1.