Security Response

Stuxnet 0.5: Command-and-Control Capabilities

Created: 26 Feb 2013 17:40:00 GMT • Updated: 23 Jan 2014 18:09:21 GMT • Translations available: Japanese
Symantec Security Response

Similar to Stuxnet 1.x versions, Stuxnet 0.5 has limited command-and-control (C&C) ability. In particular, Stuxnet 0.5 does not provide fine-grained control to its authors. Instead, Stuxnet 0.5 can only download new code and update itself. Stuxnet needs to spread on isolated networks and therefore has been designed to be autonomous, reducing the need to have robust and fine-grained C&C ability. Stuxnet 0.5 also uses a secondary peer-to-peer mechanism in order to propagate code updates to peers on networks inaccessible to the broader Internet.

Stuxnet 0.5 has four C&C servers, all of which are now either unavailable or have since been registered by an unrelated party.

Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C servers after January 11, 2009, even though the threat is programmed to stop spreading several months later, after July 4, 2009.

The C&C server domains were created in 2005 and all displayed the same front page purporting to be an Internet advertising agency named Media Suffix with the tag line “Believe What the Mind Can Dream.”

Figure 1. Stuxnet C&C server front page

The servers were hosted on commercial hosting providers in the United States, Canada, France, and Thailand.

The final target network for Stuxnet 0.5 was, in all likelihood, isolated from the Internet. To allow updates to reach these computers, Stuxnet 0.5 used a peer-to-peer mechanism. If one updated version of the threat was introduced into a network, on a USB key for example, all other compromised computers on the network could receive updates or new code modules.

Stuxnet 0.5 uses Windows mailslots for peer-to-peer communication. Mailslots are a simple one-way messaging mechanism: a process can pass a short datagram-style message to another process, on the same computer or on a remote computer, by writing to a named mailslot. The threat enumerates all computers on the network and attempts to connect to a mailslot with the following name:

\\\mailslot\svchost

The threat then provides the following callback mailslot name:

\\\mailslot\imnotify

Stuxnet 0.5 uses these mailslots to provide peer-to-peer communication and to distribute updates to other infections of the threat, including older versions. In addition, Stuxnet 0.5 may configure the system to allow anonymous logins and open four file shares (temp$, msagent$, SYSADMIN$, and WebFiles$), sharing a set of files for retrieval by peer infections.
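The artifacts just described (the two mailslot names, the four shares, and relaxed anonymous-logon settings) are all observable from the host itself. The following script is an added example, not code from Symantec or from the threat, that hunts for them on a single Windows machine. It assumes Windows 8 / Server 2012 or later (for Get-SmbShare), an elevated session, and the documented mailslot behaviour that a client open of a local \\.\mailslot\<name> fails with ERROR_FILE_NOT_FOUND (2) unless some process currently holds a mailslot server of that name. The function and variable names are the example's own.

```powershell
# Added example (not Symantec's or Stuxnet's code): hunt for the Stuxnet 0.5
# peer-to-peer artifacts described above on the local Windows host.
# Assumes Get-SmbShare (Windows 8 / Server 2012+) and an elevated session.

$SuspectShares    = @('temp$', 'msagent$', 'SYSADMIN$', 'WebFiles$')
$SuspectMailslots = @('svchost', 'imnotify')

# Minimal P/Invoke wrapper around kernel32!CreateFile, used to probe mailslots.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Test-LocalMailslot {
    param([Parameter(Mandatory)][string]$Name)
    # Assumption stated in the lead-in: a client open of a LOCAL mailslot name
    # succeeds only while a mailslot server of that name exists; otherwise
    # CreateFile fails and GetLastError returns ERROR_FILE_NOT_FOUND (2).
    $GENERIC_WRITE = 0x40000000; $FILE_SHARE_READ_WRITE = 0x3; $OPEN_EXISTING = 3
    $h = [Win32.Kernel32]::CreateFile("\\.\mailslot\$Name", $GENERIC_WRITE,
        $FILE_SHARE_READ_WRITE, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.IsInvalid) {
        return [pscustomobject]@{ Mailslot = $Name; ServerPresent = $false; Win32Error = $err }
    }
    $h.Dispose()
    [pscustomobject]@{ Mailslot = $Name; ServerPresent = $true; Win32Error = 0 }
}

function Get-StuxnetP2PIndicators {
    # 1. Shares the threat may create for peers to pull files from.
    Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $SuspectShares -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'SuspectShare'; Detail = "$($_.Name) -> $($_.Path)" }
        }

    # 2. Anonymous (null-session) access that the threat may have enabled.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($lsa.RestrictAnonymous -eq 0) {
        [pscustomobject]@{ Indicator = 'AnonymousAccess'; Detail = 'Lsa\RestrictAnonymous = 0' }
    }
    foreach ($n in @($srv.NullSessionShares) | Where-Object { $SuspectShares -contains $_ }) {
        [pscustomobject]@{ Indicator = 'NullSessionShare'; Detail = $n }
    }

    # 3. A live mailslot server under either name the threat uses.
    foreach ($m in $SuspectMailslots) {
        $r = Test-LocalMailslot -Name $m
        if ($r.ServerPresent) {
            [pscustomobject]@{ Indicator = 'MailslotServer'; Detail = "\\.\mailslot\$m" }
        }
    }
}

Get-StuxnetP2PIndicators | Format-Table -AutoSize
```

Two caveats when using this as a hunt. The mailslot probe is deliberately local only: opening the remote form \\<host>\mailslot\<name> goes through the redirector and typically succeeds whether or not a server exists, so it tells you nothing about the peer; run the script on each host instead. And a RestrictAnonymous value of 0 or a null-session share is a weak indicator on its own, since some legacy environments configure it deliberately; treat it as corroboration for the share names and mailslot servers, which are the specific indicators the text describes.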

Stuxnet 1.x versions also included a peer-to-peer updating mechanism, but implemented it differently, using remote procedure calls (RPC) rather than mailslots.

Additional details of the various components of Stuxnet 0.5 can be found in the following blogs, video, and technical whitepaper:

For further details on Stuxnet 0.5 you can download a copy of our whitepaper.