This attack would have "caused serious damage to the centrifuges and uranium enrichment system as a whole," the researchers said.
In addition, the rogue PLC code was designed to output fake readings in order to hide the attack and trick operators into believing that everything was running as planned. These were normal readings collected by the malware during a 30-day wait period following the time of infection and were being played back during the attack.
The malicious PLC code also prevented operators from intervening and altering the state of the valves while the attack was in progress.
In comparison, Stuxnet 1.0 was designed to infect a different model of PLC called 315 that was being used to control the speed of spinning uranium enrichment centrifuges. Incomplete sequences of the 417 PLC attack code had been found in Stuxnet 1.0, but their significance was unknown until now.
It's not clear why the Stuxnet creators decided to change the attack strategy from manipulating centrifuge valves to altering their spinning speeds. It's possible that the 417 PLC attack was not delivering the desired results, but it's also possible that the attacked entity replaced the 417 PLC model, forcing the Stuxnet creators to change their attack, Thakur said.
Stuxnet 0.5 was designed to perform extensive system fingerprinting in order to make sure that it only targets specific configurations of centrifuge cascades. Based on the values found in the code and open-source information from various sources it's very likely that the target was Iran's Natanz uranium enrichment plant, Thakur said.
The version of the malware was programmed to stop contacting the C&C servers after Jan. 11, 2009, and stop spreading several months later, on July 4, 2009. The oldest version of Stuxnet 1.0 found so far was compiled on June 22, 2009, but the Symantec researchers believe that there might have been other versions between 0.5 and 1.0 that have not been discovered yet.
Despite the fact that Stuxnet 0.5 was designed to stop spreading in 2009, Symantec was still able to identify a small number of dormant infections -- copies of the malware in infected Step 7 projects -- during the past year. Almost half of them were in Iran and 21 percent of them were in the U.S.
This version of the malware far surpasses the sophistication of any malicious program that existed in 2005, when the C&C domains were registered, or 2007, when a sample was uploaded to a public malware-scanning service, Thakur said. "The mere fact of it being able to do the kind of harm to hardware as it is designed to do is simply breathtaking."
"The people behind this were very, very forward looking; very focused in what their end goal was," Thakur said. "Nobody else was even close to doing what they did at that same point in time, as far as we know."
Sign up for Computerworld eNewsletters.