Video Screencast Help
Security Response

Stuxnet 0.5: How It Evolved

Created: 26 Feb 2013 17:40:00 GMT • Updated: 23 Jan 2014 18:09:19 GMT
Symantec Security Response's picture
0 2 Votes
Login to vote

Introduction

Stuxnet stores a version number within its code. Analysis of this code reveals the latest discovery to be version 0.5. Based on website domain registration details, Stuxnet 0.5 may have been in operation as early as 2005. The exact date this version began circulating in the wild is unclear. What is known is that the date this early variant stopped compromising computers was July 4, 2009—just 12 days after version 1 was created.
 

Table 1. Known Stuxnet variants, based on main module PE timestamps
 

This blog focuses on the Stuxnet timeline, how Stuxnet 0.5 fits into the attack timeline, and its evolution to Stuxnet version 1.
 

Evolution

Stuxnet 0.5 is the oldest known Stuxnet variant analyzed to date. This variant stopped compromising computers on July 4, 2009 and stopped communicating with its command-and-control (C&C) servers on January 11 of the same year. The compile timestamps found within most of the code appear unreliable and generally are in the range of 2001.

The main differences between Stuxnet 0.5 and later versions are as follows:

  1. Later versions significantly increased their spreading capability and use of vulnerabilities
  2. Replacement of Flamer platform code with Tilded platform code
  3. Later versions adopted an alternative attack strategy from uranium enrichment valve disruption to centrifuge speed modification

1. Significantly increased spreading capability and use of vulnerabilities

Stuxnet significantly increased its spreading capabilities and aggressiveness by introducing multiple vulnerabilities. The only method of replication identified in Stuxnet 0.5 was through the infection of Siemens Step 7 project files. Stuxnet 0.5 does not exploit any Microsoft vulnerabilities to move from one computer to the next unlike version 1.x.

Tables 2 and 3 show the differences in exploited vulnerabilities and spreading mechanisms.
 

Table 2. Evolution of the Stuxnet exploits
 

Table 3. Evolution of the Stuxnet replication mechanisms
 

2. Migration from Flamer toward Tilded

Until now Stuxnet was believed to be a project developed by people with access to Flamer components and not necessarily the whole Flamer platform source code. The discovery of Stuxnet 0.5 shows that Stuxnet’s developers had access to the complete Flamer platform source code.

Stuxnet 0.5 is partly based on the Flamer platform whereas 1.x versions were based primarily on the Tilded platform. Over time, the developers appear to have migrated more towards the Tilded platform. The developers actually re-implemented Flamer platform components using the Tilded platform in later versions.

Both the Flamer and Tilded platform code bases are different enough to suggest different developers were involved.
 

3. Adopting an alternative attack strategy

Stuxnet version 1 contained code that targeted Siemens 315 PLCs, which controlled the speed of spinning centrifuges, and also an incomplete code sequence that targeted Siemens 417 PLCs with unknown consequences at that time.

We have discovered a full working version of the attack on Siemens 417 PLCs in version 0.5, the purpose of which is to modify the valve operation during uranium enrichment.

Stuxnet 0.5 only contains the 417 attack code and does not contain the 315 attack code.

Detailed information on the 417 attack code can be found in the blog Stuxnet 0.5: Disrupting Uranium Processing at Natanz.
 

Summary

The discovery of Stuxnet 0.5 further clarifies the evolution of Stuxnet. To put this evolution in context, we have mapped key dates of Stuxnet development against low-enriched uranium (LEU) production levels at Natanz. Interesting events are dips in feed or production amounts and lower levels of production given the same or greater feed amounts (gaps between the two lines).
 

Figure 1. LEU production (Source: ISIS)
 

The existence of unrecovered versions of Stuxnet, both before version 0.5 and especially between versions 0.5 and 1.001, are likely. Partial components of Stuxnet discovered in 2010 still remain unmatched to known versions of Stuxnet. A summary list of the key differences between known versions is shown in Table 4.
 

Table 4. Stuxnet comparison between versions
 

More information on key aspects of Stuxnet 0.5 can be found in the following blogs, video, and technical white paper:

For further details on Stuxnet 0.5 you can download a copy of our white paper.