15 February 2011
Last updated at 08:51 ET
By Jonathan Fildes
Technology reporter, BBC News
A powerful internet worm repeatedly targeted five industrial facilities in Iran over 10 months, ongoing analysis by security researchers shows.
Stuxnet, which came to light in 2010, was the first-known virus specifically designed to target real-world infrastructure, such as power stations.
Security firm Symantec has now revealed how waves of new variants were launched at Iranian industrial facilities.
Some versions struck their targets within 12 hours of being written.
"We are trying to do some epidemiology," Orla Cox of Symantec told BBC News. "We are trying to understand how and why it spread."
Repeated attacks
The worm first grabbed headlines late last year after initial analysis showed that the sophisticated piece of malware had likely been written by a "nation state" to target Iran's nuclear programme, including the uranium enrichment centrifuges at the Natanz facility.
Russia's Nato ambassador recently said the virus "could lead to a new Chernobyl," referring to the 1986 nuclear accident.
Although speculation surrounds which countries may have been involved in its creation, the origins of the worm still remain a mystery.
Continue reading the main story "Start Quote
One organisation was attacked three times, another was targeted twice"
End Quote
Orla Cox
Symantec
Iranian officials have admitted that the worm infected staff computers. However, they have repeatedly denied that the virus caused any major delays to its nuclear power programme, although its uranium enrichment programme is known to have suffered setbacks.
The new research, which analysed 12,000 infections collected by various anti-virus firms, shows that the worm targeted five "industrial processing" organisations in Iran.
"These were the seeds of all other infections," said Ms Cox.
The firm was able to identify the targets because Stuxnet collected information about each computer it infected, including its name, location and a time stamp of when it was compromised.
This allowed the researchers to track the spread of the virus.
Symantec declined to name the five organisations and would not confirm whether they had links to the country's nuclear programme.
However, Ms Cox, said that previous research confirmed that the worm could disrupt the centrifuges used to enrich uranium.
The five organisations were targeted repeatedly between June 2009 and April 2010, she said.
"One organisation was attacked three times, another was targeted twice," she said.
These waves of attacks used at least three different variants of the worm.
"We believe there was also a fourth one but we haven't seen it yet," she said.
Analysis of the different strains and the time it took between the code being written and it making its first infection suggested that the virus writers had "infiltrated" targeted organisations, she said.
The researchers drew this conclusion because Stuxnet targeted industrial systems not usually connected to the internet for security reasons.
Instead, it infects Windows machines via USB keys - commonly used to move files around and usually plugged into a computer manually.
The virus therefore had to be seeded on to the organisation's internal networks by someone, either deliberately or accidentally.
The virus could have been spread between the organisations by contractors that worked for more than one of them, she said.
"We see threads to contractors used by these companies," she said. "We can see links between them."
Big picture
Once on a corporate network, the worm is designed to seek out a specific configuration of industrial control software made by Siemens.
The code can then reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.
Previous analysis suggests that it targeted PLCs operating at frequencies between 807 and 1210Hz, a range that includes those used to control uranium enrichment centrifuges.
Subverting PLCs requires detailed knowledge and, although security researchers had raised concerns about exploits in the past, had not been seen before Stuxnet.
Ms Cox said the firm's analysis revealed incomplete code in Stuxnet that looked like it was intended to target another type of PLC.
"The fact that it is incomplete could tell us that [the virus writers] were successful in what they had done," she said.
The novelty of the virus, combined with attack mechanisms that targeted several previously unknown and unpatched vulnerabilities in Windows, have led many to describe Stuxnet as "one of the most sophisticated pieces of malware ever".
However, research by Tom Parker from security firm Securicon says that elements of it were "not that advanced at all".
"I've compared this less advanced code to other malware and it does not score very highly," he said last year.
Ms Cox agrees that elements of the code and some of the techniques it uses are relatively simple. But, she says, that misses the bigger picture.
"If you look at the sum of its parts, then it is certainly very sophisticated," she said.