SAN FRANCISCO — Symantec uncovered a new, earlier version of Stuxnet today, the malware that attacked Iran’s nuclear systems in 2010. This version, Stuxnet 0.5, predated the Stuxnet we all know, and it was created four years earlier than we expected.
Stuxnet 0.5 was active between 2007 and 2009, though Symantec researchers were able to trace its origins back to 2005. The Stuxnet we are familiar with was first created in 2009.
“We are now entering close to the end of the first decade of weaponized malware,” said Francis deSouza, Symantec’s president of products and services, who spoke at the RSA conference in San Francisco today.
The malware that later attacked Siemens SCADA systems controlling the motors in the Natanz nuclear facility originally attacked the valves that controlled a certain type of gas released into the centrifuges.
The earlier version was disseminated through infected USBs and sought out Siemens Step 7 project files. The malware was officially taken offline January 2009 when it stopped communicating with its command-and-control servers, but traces of it can still be found within Step 7 files on computers around the world.
It was built in part on the Flamer platform, the same one built, of course, Flame. The Russian security firm Kaspersky Lab discovered Flame last year and quickly called it one of the most sophisticated cyber-espionage tools ever.
The later version of Stuxnet was moved to the Tilded platform, relating it to Duqu.
Further differentiating itself, this Stuxnet 0.5 was slightly less sophisticated in that it didn’t move from system to system exploiting a vulnerability in Windows.