SentinelOne finds old malware that may have aimed to sabotage engineering software

by

SentinelOne said on Friday it found malware that appears designed to cause errors in engineering and physics simulation software, in a sample uploaded to VirusTotal in 2016 that the company says may date back to around 2005.

KEY FACTS

  • Discovery: The sample included a reference to “fast16”.
  • Age: Researchers said clues in the code suggest it may have originated around 2005.
  • Behavior: The malware tries to install a worm and deploy a driver called fast16.sys.
  • Targeting: It appears aimed at precision tools used in civil engineering, physics and process simulation.

In the technical analysis from SentinelOne, researcher Vitaly Kamluk said the work began after he looked for older examples of nation-state tools that used Lua and a virtual machine. That search led to the VirusTotal sample.

The report says the sample would not run on systems newer than Windows XP and needed a single-core CPU, which led researchers to place it years before modern multi-core consumer chips became common. They also connected the code to a fast16 reference seen in the ShadowBroker malware trove that surfaced in 2016.

According to the disclosure, the fast16.sys driver includes a routine that alters floating-point output and searches for precision calculation tools in specialized domains. The researchers identified LS-DYNA 970, PKPM and the MOHID hydrodynamic modeling platform as likely targets, tools used for crash testing, structural analysis and environmental modeling.

Kamluk said he believed the purpose was to trigger calculation errors in engineering software and potentially create real-world damage. He also said the sample may represent a cyberweapon that appeared about five years before Stuxnet, the worm used against Iran’s uranium enrichment centrifuges.

WHY IT MATTERS

If the analysis is correct, the malware would show that software sabotage tools existed earlier than previously documented and were aimed at manipulating physical processes through calculation errors. That raises questions for vendors of engineering and simulation products, which may need to check whether past outputs were affected.