Stuxnet 0.5: Command-and-Control Capabilities
Similar to Stuxnet 1.x versions, Stuxnet 0.5 has limited command-and-control (C&C) ability. In particular, Stuxnet 0.5 does not provide fine-grained control to its authors. Instead, Stuxnet 0.5 can only download new code and update itself. Stuxnet needs to spread on isolated networks and therefore has been designed to be autonomous, reducing the need to have robust and fine-grained C&C ability. Stuxnet 0.5 also uses a secondary peer-to-peer mechanism in order to propagate code updates to peers on networks inaccessible to the broader Internet.
Stuxnet 0.5 has four C&C servers, all of which are now either unavailable or have since been registered by an unrelated party.
Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C server after January 11, 2009, even though the threat is programmed to stop spreading several months later, after July 4, 2009.
The C&C server domains were created in 2005 and all displayed the same front page purporting to be an Internet advertising agency named Media Suffix with the tag line “Believe What the Mind Can Dream.”
Figure 1. Stuxnet C&C server front page
The servers were hosted on commercial hosting providers in the United States, Canada, France, and Thailand.
The final target network for Stuxnet 0.5 was, in all likelihood, isolated from the Internet. To allow updates to reach these computers, Stuxnet 0.5 used a peer-to-peer mechanism. If one updated version of the threat was introduced into a network, on a USB key for example, all other compromised computers on the network could receive updates or new code modules.
Stuxnet 0.5 uses Windows mailslots for peer-to-peer communication. Mailslots allow a process to pass a message to another process on a remote computer. The threat enumerates all computers on the network and attempts to connect to a mailslot with the following name:
The threat then provides the following callback mailslot name:
Stuxnet 0.5 uses these mailslots to provide peer-to-peer communication and distribute updates to other versions of the threat. In addition, Stuxnet 0.5 may configure the system to allow anonymous logins and open four file shares (temp$, msagent$, SYSADMIN$, and WebFiles$), sharing a set of files for retrieval by peer infections.
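As an added illustration (not from the original post or from Symantec's analysis), the following Python sketch shows how a defender could hunt in share-creation audit data for the share-exposure behaviour described above. The log format, host names and the anonymous-access event are constructed for this example; only the four share names come from the post.

```python
from collections import defaultdict

# File shares the post says Stuxnet 0.5 may open for peer retrieval.
STUXNET_05_SHARES = {"temp$", "msagent$", "sysadmin$", "webfiles$"}

# Constructed sample events in a simplified key=value format (an assumption of
# this example; real share-creation audit events look different). The
# anon_access_enabled event stands in for whatever configuration change allows
# anonymous logins; the post does not name the exact setting.
SAMPLE_LOG = """\
host=ENG-WS01 event=share_added name=\\\\*\\temp$
host=ENG-WS01 event=share_added name=\\\\*\\msagent$
host=ENG-WS01 event=share_added name=\\\\*\\SYSADMIN$
host=ENG-WS01 event=share_added name=\\\\*\\WebFiles$
host=ENG-WS01 event=anon_access_enabled
host=FILE-SRV02 event=share_added name=\\\\*\\temp$
host=HMI-03 event=share_added name=\\\\*\\ADMIN$
host=HMI-03 event=anon_access_enabled
"""


def parse_events(log):
    """Turn each 'key=value ...' line into a dict (constructed format)."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in log.splitlines() if line.strip()]


def find_stuxnet05_share_patterns(log, min_matches=2):
    """Report hosts exposing the Stuxnet 0.5 share set.

    A lone temp$ share is too common to act on, so a host is flagged only
    when at least min_matches of the four names appear; anonymous access
    on the same host raises the severity.
    """
    shares, anon = defaultdict(set), set()
    for ev in parse_events(log):
        host = ev.get("host")
        if ev.get("event") == "share_added":
            # Keep only the share's own name, dropping the \\*\ prefix.
            name = ev.get("name", "").rsplit("\\", 1)[-1].lower()
            if name in STUXNET_05_SHARES:
                shares[host].add(name)
        elif ev.get("event") == "anon_access_enabled":
            anon.add(host)
    return {host: {"shares": sorted(names),
                   "anonymous_access": host in anon,
                   "severity": "high" if host in anon else "medium"}
            for host, names in shares.items() if len(names) >= min_matches}


if __name__ == "__main__":
    for host, finding in find_stuxnet05_share_patterns(SAMPLE_LOG).items():
        print(host, finding)
```

A single matching share name on a host is deliberately ignored at the default threshold, since temp$ alone is a weak signal; tune min_matches to the environment.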
Stuxnet 1.x versions also included a peer-to-peer updating mechanism, but implemented in a different manner using a remote procedure call.
Additional details of the various components of Stuxnet 0.5 can be found in the following blogs, video, and technical whitepaper:
- Stuxnet 0.5: The Missing Link
- Stuxnet 0.5: Disrupting Uranium Processing at Natanz
- Stuxnet 0.5: How It Evolved
- Video: Stuxnet Timeline and Attack Strategy
For further details on Stuxnet 0.5 you can download a copy of our whitepaper.