Stuxnet is a computer worm first discovered in 2010. It is notable because it is the … Stuxnet includes the capability to reprogram the programmable logic
In terms of numbers of attacks, the most reports are coming from the US, Indonesia, India, and Iran.Â When you factor in the number of MMPC monitored machines along with the number that are reporting attacks, the US falls further down the list, giving way to Iran and Indonesia with attack attempts far higher than the global average.
Figure 1: Geographic saturation of Stuxnet infection attempts
Although the number of new machines reporting an infection attempt has remained constant at around a thousand per day, the number of attempts (tries per machine) has increased over the past few days:
Figure 2: Threat prevalence
In addition to these attack attempts, about 13% of the detections weâ€™ve witnessed appear to be email exchange or downloads of sample files from hacker sites.Â Some of these detections have been picked up in packages that supposedly contain game cheats (judging by the name of the file).
What is unique about Stuxnet is that it utilizes a new method of propagation. Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors taking advantage of this technique. Stuxnet will infect any usb drive that is attached to the system, and for this reason weâ€™ve classified the malware as aÂ worm.Â This classification for the malware should not be confused with another vector used by this worm, the newly disclosed vulnerability (CVE-2010-2568) covered in todayâ€™sÂ advisory.Â The vulnerability itself is not wormable.
Stuxnet uses the aforementioned .lnk technique to install additional malware components.Â It first injects a backdoor (Worm:Win32/Stuxnet.A) onto the compromised system, and then drops two drivers:
- Trojan:WinNT/Stuxnet.A – hides the presence of the .lnk files
- Trojan:WinNT/Stuxnet.B – injects (formerly) encrypted data blobs (.tmp files) into memory, each of which appear to serve different purposes as the Stuxnet deployment system infrastructure (drivers, .lnk files, propagation, etc.).
These drivers are signed with a digital certificate belonging to a well-known hardware manufacturer called Realtek Semiconductor Corp., which is unusual because it would imply that the malware authors somehow had access to Realtekâ€™s private key.Â Microsoft MMPC has been working with Verisign to revoke this certificate, and did so at 08:05:42 PM UTC with the agreement and support of Realtek.
We have multiple signatures that detect this threat for customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform. In addition to using antimalware technology, MSRC has released anÂ advisorywith work-around details.
Initial malware (the dropper):
Malware the dropper attempts to drop onto the system:
Trojan:WinNT/Stuxnet.B (initially calledÂ VirTool:WinNT/Rootkitdrv.HK)
Attack vector (.lnk files):
Exploit:Win32/CplLnk.A (added recently â€“ versions 220.127.116.11+)
We suspect that Stuxnet has been active for at least a month, possibly longer… we have detection for it and its various components and will keep you posted with developments as our talented researchers (like Matt McCormack, Holly Stewart, Peter Ferrie, Patrick Nolan, Andrei Florin Saygo and Francis Allan Tan Seng) continue tracking this threat.