Stuxnet - More details emerge on this advanced threat
Stuxnet is one of the most sophisticated malware attacks to emerge, and not much is known regarding its origin or intent at this time. As security researchers continue to investigate this new potential attack on industrial systems, details continue to emerge, as noted in the updates below:
http://blogs.pcmag.com/securitywatch/2010/10/more_details_emerge_on_stuxnet.php
http://www.f-secure.com/weblog/archives/00002040.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://threatpost.com/en_us/blogs/stuxnet-analysis-supports-iran-israel-connections-093010
http://www.v3.co.uk/v3/news/2270771/stuxnet-worm-inside-job
QUOTE: It's not often that malware like Stuxnet comes around. Stuxnet appears to be the new black at the Virus Bulletin 2010 conference, currently ongoing in Vancouver. Everyone's talking about it. The mountain of research and just plain blabbing about Stuxnet there includes a paper from Symantec entitled Win32.Stuxnet Dossier. It summarizes what we know (or rather what Symantec knows) on the matter and adds some interesting new details dug out of the innards of the code. There's also a great Stuxnet Questions and Answers from F-Secure. Some summary characteristics of Stuxnet from the paper:
It self-replicates through removable drives exploiting a vulnerability allowing auto-execution. Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732)
It spreads in a LAN through a vulnerability in the Windows Print Spooler. Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)
It spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
Copies and executes itself on remote computers through network shares.
Copies and executes itself on remote computers running a WinCC database server.
Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
Updates itself through a peer-to-peer mechanism within a LAN.
Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
Contains a Windows rootkit that hides its binaries.
Attempts to bypass security products.
Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
Hides modified code on PLCs, essentially a rootkit for PLCs.
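As an added illustration of the first item in the list (the removable-drive LNK auto-execution vector), here is a small Python heuristic scanner. It is not code from the original post, from Symantec, or from F-Secure; it simply flags shortcut files in a volume root that name a DLL or control-panel module, and notes whether that module also sits on the same volume. Everything it scans is constructed in a temporary directory: the shortcut bytes carry only a valid Shell Link header plus a target string (not a loadable shortcut), and names such as EXAMPLE_PAYLOAD.dll and EXAMPLE_VOLUME are placeholders, not real indicators.

```python
import os
import re
import struct
import tempfile

# MS-SHLLINK header: HeaderSize = 0x4C, then the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
LOADABLE_EXT = (".dll", ".cpl")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def is_lnk(data):
    """True if the bytes start with a Shell Link header."""
    return len(data) >= 20 and data[:20] == LNK_HEADER


def embedded_strings(data):
    """Printable ASCII and UTF-16LE runs inside a binary blob."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return out


def loadable_refs(data):
    """Strings that look like paths to a DLL or control-panel module."""
    refs = []
    for s in embedded_strings(data):
        if s.lower().rstrip().endswith(LOADABLE_EXT):
            refs.append(s.strip())
    return refs


def scan_drive_root(root):
    """Flag .lnk files in a volume root that reference a DLL/CPL, and record
    whether the referenced module is also present on the same volume."""
    names_on_volume = {n.lower() for n in os.listdir(root)}
    findings = []
    for name in sorted(os.listdir(root)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(root, name), "rb") as fh:
            data = fh.read()
        if not is_lnk(data):
            continue
        for ref in loadable_refs(data):
            base = ref.replace("\\", "/").rsplit("/", 1)[-1].lower()
            findings.append({
                "lnk": name,
                "references": ref,
                "module_on_volume": base in names_on_volume,
            })
    return findings


def _make_lnk(path_text):
    # Constructed bytes: valid header, a zeroed area where LinkFlags and the
    # rest of the header would be, then the target as a UTF-16LE run.
    body = path_text.encode("utf-16-le")
    return LNK_HEADER + b"\x00" * 56 + body + b"\x00\x00"


def build_sample_drive(root):
    """Constructed sample volume (placeholder names): one benign shortcut and
    one that points at a DLL sitting beside it."""
    with open(os.path.join(root, "Notes.lnk"), "wb") as fh:
        fh.write(_make_lnk(r"C:\Windows\notepad.exe"))
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(_make_lnk(r"\\.\EXAMPLE_VOLUME\EXAMPLE_PAYLOAD.dll"))
    with open(os.path.join(root, "EXAMPLE_PAYLOAD.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"plain file, not a shortcut\n")


def demo():
    """Build the sample volume in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check deliberately stays coarse: a legitimate shortcut rarely needs to name a DLL or CPL on removable media, so a hit is a reasonable trigger for quarantining the volume and examining the shortcut with a full MS-SHLLINK parser rather than a conviction on its own.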