Fast16: High-precision software sabotage 5 years before Stuxnet

TLDR

  • SentinelLABS uncovered fast16, a 2005 state-level sabotage framework that silently patches high-precision calculation software in memory, predating Stuxnet by five years.

Key Takeaways

  • fast16.sys is a boot-start filesystem driver that intercepts executables on disk read and patches them in memory to silently corrupt high-precision calculation results.
  • Carrier svcmgmt.exe embeds a Lua 5.0 VM with encrypted bytecode, predating Flame’s Lua architecture by three years, and spreads via weak-credential Windows SMB shares.
  • A pre-install kill-switch checks 18+ AV/firewall registry keys (Symantec, Kaspersky, ZoneAlarm, F-Secure, others) before deploying to avoid monitored environments.
  • ‘fast16’ appears in the 2017 ShadowBrokers Territorial Dispute deconfliction list; NSA operators were instructed to treat it as ‘Nothing to see here, carry on.’
  • Designed for facility-wide effect: propagate to every networked box so all machines produce equivalent inaccurate calculations simultaneously, making drift invisible by consensus.

Hacker News Comment Review

  • SCCS/RCS version-control notation inside the binary points to developers with government/military computing roots from the 1970s-80s, not mainstream 2005 Windows tooling.
  • Once the worm propagates facility-wide, no clean reference machine remains inside the target network, making calculation drift structurally undetectable from the inside.
  • IEEE-754 transcendentals (sin/cos/exp/log) are allowed to vary in the last ULPs across glibc, MSVC, and Intel SVML; sensor linearization and motor control code compounds small drifts every cycle, meaning even zero-diff firmware revisions can diverge in production.
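
The last two points suggest a check, sketched here as an added example (not code from the SentinelLABS write-up or the HN thread): compare locally computed results against reference vectors recorded outside the audited network, tolerating a few ULPs of legitimate library variation and flagging anything larger. The reference table, the 4-ULP tolerance, and the `skewed` helper (a constructed stand-in for a tampered routine, not fast16's actual modification) are assumptions.

```python
import math
import struct

# Constructed reference vectors: (name, function, input, expected double as hex).
# Assumption: in practice these are recorded on a machine outside the audited network.
REFERENCE = [
    ("sqrt", math.sqrt, 2.0, "0x1.6a09e667f3bcdp+0"),
    ("exp",  math.exp,  1.0, "0x1.5bf0a8b145769p+1"),
    ("log",  math.log,  2.0, "0x1.62e42fefa39efp-1"),
    ("atan", math.atan, 1.0, "0x1.921fb54442d18p-1"),
]

def ordered_bits(x: float) -> int:
    """Map a double to an integer so that adjacent doubles differ by exactly 1."""
    (bits,) = struct.unpack("<q", struct.pack("<d", x))
    # Negative doubles are sign-magnitude; mirror them below zero.
    return bits if bits >= 0 else -(bits & 0x7FFFFFFFFFFFFFFF)

def ulp_distance(a: float, b: float) -> int:
    """Number of representable doubles between a and b (0 if identical)."""
    if math.isnan(a) or math.isnan(b):
        raise ValueError("NaN has no ULP distance")
    return abs(ordered_bits(a) - ordered_bits(b))

def audit(vectors, max_ulps=4, wrap=lambda fn: fn):
    """Return (name, ulps) for each result further than max_ulps from its reference.

    max_ulps=4 is an assumed tolerance for legitimate last-ULP library variation.
    wrap lets a caller substitute the routine under test (hypothetical hook).
    """
    findings = []
    for name, fn, arg, expected_hex in vectors:
        got = wrap(fn)(arg)
        ulps = ulp_distance(got, float.fromhex(expected_hex))
        if ulps > max_ulps:
            findings.append((name, ulps))
    return findings

def skewed(fn):
    """Constructed stand-in for a tampered routine: adds 1e-9 relative error."""
    return lambda x: fn(x) * (1.0 + 1e-9)

if __name__ == "__main__":
    print("clean :", audit(REFERENCE))
    print("skewed:", audit(REFERENCE, wrap=skewed))
```

A 1e-9 relative error looks harmless in a printed result but sits millions of ULPs from the reference, far outside anything library variation explains.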

Notable Comments

  • @PoignardAzur: staying undetected for 20 years raises the question of how many similar frameworks remain undiscovered today.
  • @anthk: heterogeneous reproducible computing setups (Guix, diverse ISAs like PowerPC) structurally resist this class of precision-patch attack.
