More evidence arises that Stuxnet was created to attack Iran

Analysis by Symantec researchers traces the path of infection, starting with attacks on five Iranian organizations in mid-2009

The cyber saboteurs who released the Stuxnet attack against a nuclear refining facility in Iran targeted five organizations in that nation, attacking at least 10 times, according to new data gleaned from thousands of samples of the worm.

The data comes from security firm Symantec, which collected nearly 3,300 samples of Stuxnet and pieced together the worm's path of infection through more than 12,000 computers. Each Stuxnet program archives certain data from each computer it infects, including the date of the infection, the computer name, the domain name, and the internal and external IP addresses, according to Liam O'Murchu, a researcher with Symantec.

The information allowed Symantec researchers to trace the path of the virus through different company's computers. The data supported the conclusion that Stuxnet was created to attack Iran's nuclear processing capabilities, says O'Murchu.

"All the organizations that we looked at had a presence in Iran," he says. "When we first started analyzing Stuxnet, we saw that 60 or 70 percent of infections were in Iran, but we did not have any concrete evidence."

At its peak, Stuxnet had infected more than 100,000 computers, more than 60 percent of which were in Iran, according to Symantec. In September, the network traces from infected computers in Iran suddenly stopped, suggesting that the country started a major effort to clean up Stuxnet and likely had blocked traffic due to the virus.

The first attacks appear to have started on June 22, 2009. Additional attacks occurred in March, April, and May 2010, according to Symantec. Antivirus firms did not detect the worm until July 2010.

The attacks involved three different variants of the program -- the original, and then two modified versions in March and April 2010.

"A big difference between them is that the USB zero day was put in the March version," says O'Murchu. "That made the March version spread far more quickly then the June 2009 version."

In some cases, attackers acted quickly. The shortest time between compiling the worm and an attack was 12 hours, yet the median time between the act of creating the worm and an attack was more than three weeks. Symantec cautioned that the time on infected systems may have been wrong, and it did not account for time zones in their calculations.

In total, more than 1,800 organizations, as identified by specific domains, were infected by Stuxnet.

This story, "More evidence arises that Stuxnet was created to attack Iran," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.