www.infosecurity-magazine.com 4/27/2026, 9:21:30 AM · via preferred

2005 Lua worm predated Stuxnet, aimed at Iran's nuclear sites

Security researchers have identified malware dating back to 2005 that appears to have been designed to disrupt Iran’s nuclear program years before the Stuxnet campaign, according to SentinelOne. The team, Vitaly Kamluk and Juan Andrés Guerrero-Saade, explained in a blog post that their starting point was to determine whether any malware with an embedded Lua VM predated state-backed efforts like Flame and Project Sauron.

They found a service binary named svcmgmt[.]exe featuring an embedded Lua 5.0 VM referencing a kernel driver called fast16[.]sys, described as a boot-start filesystem component that intercepts and modifies executable code as it’s read from disk. The driver, while not runnable on Windows 7 or later, was, for its time, a cut above commodity rootkits due to its position in the storage stack, control over filesystem I/O, and rule-based code patching functionality.

Fast16 predates Stuxnet by at least five years and is described as the first operation of its kind: the first recorded Lua-based network worm, designed to target Windows 2000/XP and to exploit weak or default admin passwords on file shares. It was noted to start only after checking that the targeted environment is not running specific security software, and it was associated with three high-precision engineering and simulation suites: LS-DYNA 970, PKPM and MOHID.


Article by CyberSIXT
