The Stuxnet Worm
The Stuxnet worm stole the headlines last week, the second time a self-reproducing program came into the limelight in less than three weeks. What is distinctive about this worm is not only its proficiency in infecting Windows systems, but also that it seeks out and infects supervisory control and data acquisition (SCADA) systems. Stuxnet attempts to exploit several Windows vulnerabilities, several of them zero-days at the time, and if it succeeds it then tries to infect Siemens SCADA systems.
Stuxnet initially exploited a zero-day vulnerability in how Windows handles shortcut files. Shortcut files, which have a “.lnk” extension, link easy-to-identify icons to specific executables and are usually found on the Windows Desktop or in the Start Menu. Normally a user must click the icon for the linked program to run, but a crafted shortcut can cause code to execute as soon as Windows Explorer displays the folder containing it, for example when a USB drive carrying the file is plugged in and browsed. Microsoft issued an out-of-cycle patch for this very serious vulnerability in August. At that point researchers thought it was the only vulnerability the worm exploited, but they have since discovered that Stuxnet exploits three additional zero-day Windows vulnerabilities:
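A check a practitioner would want at this point, added here and not part of the original post: a small parser for the Shell Link (.lnk) binary format that pulls out every DLL or CPL path a shortcut asks Explorer to load an icon from, whether it sits in the icon-location string, the target ID list or the link-info block, and flags those outside the Windows directory. The sample shortcuts are constructed inside the script, the "outside %SystemRoot%" rule is an assumed triage heuristic rather than a signature for Stuxnet's own files, and the ID-list sample only mimics the general idea of a path embedded in that structure.

```python
"""Added example, not code from the original post: parse .lnk (MS-SHLLINK)
files and report DLL/CPL modules referenced from outside the Windows
directory.  Samples are constructed; the heuristic is an assumption."""
import re
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the Shell Link CLSID, little-endian
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that govern which optional structures follow the header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICONLOC, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICONLOC, "icon_location"))

# Drive-letter, UNC or %VAR%-rooted path ending in .dll or .cpl
MODULE_RE = re.compile(
    r"(?:[A-Za-z]:|\\\\[^\\\x00]+|%[^%\x00]+%)\\[^\x00<>|]*?\.(?:dll|cpl)\b",
    re.IGNORECASE)


def parse_lnk(data):
    """Header flags, raw IDList/LinkInfo blobs and StringData of one shortcut."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a shell link header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    idlist = linkinfo = b""
    if flags & HAS_IDLIST:                      # IDListSize (2) + IDList
        (n,) = struct.unpack_from("<H", data, pos)
        idlist = data[pos + 2:pos + 2 + n]
        pos += 2 + n
    if flags & HAS_LINKINFO:                    # LinkInfoSize counts itself
        (n,) = struct.unpack_from("<I", data, pos)
        linkinfo = data[pos:pos + n]
        pos += n
    link = {"flags": flags, "idlist": idlist, "linkinfo": linkinfo}
    for flag, name in STRING_FIELDS:            # CountCharacters (2) + chars
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        link[name] = raw.decode("utf-16-le" if width == 2 else "latin-1", "replace")
        pos += width * count
    return link


def referenced_modules(link):
    """Every .dll/.cpl path in the icon string, IDList or LinkInfo, scanning
    the raw blobs as ANSI and as UTF-16LE at both byte alignments."""
    texts = [link.get("icon_location", "")]
    for blob in (link["idlist"], link["linkinfo"]):
        texts.append(blob.decode("latin-1"))
        texts += [blob[off:].decode("utf-16-le", "ignore") for off in (0, 1)]
    found = set()
    for text in texts:
        found.update(m.group(0) for m in MODULE_RE.finditer(text))
    return sorted(found)


def suspicious_modules(link):
    """Referenced modules outside the Windows directory (assumed heuristic)."""
    return [p for p in referenced_modules(link)
            if not p.lower().startswith(("%systemroot%\\", "c:\\windows\\"))]


def scan(files):
    """{file name: bytes} -> {file name: flagged module paths}.  On a real
    host, feed it the .lnk files on a removable drive before browsing it."""
    return {name: suspicious_modules(parse_lnk(data)) for name, data in files.items()}


# --- constructed samples, not shortcuts taken from any infected system ---
def build_lnk(name, icon_location=None, idlist=b"", unicode=True):
    flags = HAS_NAME | (IS_UNICODE if unicode else 0)
    flags |= HAS_ICONLOC if icon_location is not None else 0
    flags |= HAS_IDLIST if idlist else 0
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def s(text):                                # one StringData entry
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "latin-1")

    body = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    body += s(name) + (s(icon_location) if icon_location is not None else b"")
    return header + body + b"\x00\x00\x00\x00"  # empty ExtraData terminator


def sample_idlist(path):
    """One ItemID with placeholder bytes and a UTF-16LE path, then the
    terminal null ItemID; a stand-in for a path embedded in the IDList."""
    payload = b"\x2e\x00" + path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<H", len(payload) + 2) + payload + b"\x00\x00"


SAMPLES = {
    "notepad.lnk": build_lnk("Notepad", "%SystemRoot%\\system32\\notepad.exe"),
    "docs.lnk": build_lnk("Documents", "C:\\Windows\\system32\\shell32.dll"),
    "readme.lnk": build_lnk("Readme", "E:\\icons\\viewer.dll"),
    "setup.lnk": build_lnk("Setup", idlist=sample_idlist("E:\\tools\\applet.cpl")),
    "old.lnk": build_lnk("Old", "\\\\fileserver\\share\\icons.dll", unicode=False),
}

if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"{name}: {'FLAG ' + ', '.join(flagged) if flagged else 'ok'}")
```

The two Windows-directory shortcuts pass, while the removable-drive, ID-list and UNC samples are flagged. Pointing a shortcut's icon at a module on a network share or a USB stick is exactly the pattern worth a second look on a drive you have not yet opened in Explorer.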
1. A vulnerability in the Print Spooler service that can enable remote execution of rogue code if an attacker sends a specially crafted print request to a host whose print spooler interface is exposed over Remote Procedure Call (RPC). Microsoft patched this vulnerability last week.
2. Two zero-day elevation of privilege (EoP) vulnerabilities, one in Windows XP and the other in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. In both cases, a user who is already authorized to execute code on a host, or who has compromised it in some other manner, can become a privileged user without proper authentication. No patches for these bugs are currently available, but Microsoft says it is developing them.
Stuxnet also exploits a vulnerability in the Server service that can allow unauthorized execution of rogue code. This vulnerability, long exploited by the Conficker (or Downadup) worm, was originally announced two years ago.
Different opinions exist concerning when Stuxnet was first discovered. Kaspersky maintains that it dates to July 2009, whereas Symantec holds that Stuxnet was found in January of this year. Still others think that this worm was first identified last June.
Once again, just when we thought that viruses and worms were largely things of the past, a highly prolific worm has surfaced. Some experts are calling Stuxnet the most sophisticated worm ever, in that it not only has multiple infection vectors but is also able to penetrate Siemens SCADA systems. The thought of malware infecting SCADA systems should make us all cringe. These systems are used in electrical and nuclear power generation, plant process control, and other critical settings and environments. The fact that someone, or perhaps even a country, is targeting these systems and is doing so very successfully should be cause for alarm. Yet power and industrial plants carry on as usual, with management oblivious to the risks. And the fact that the code (all 0.5 MB of it!) is so sophisticated has caused some to speculate that once again we are witnessing state-sponsored cyberattacks.
Vendors keep releasing buggy code, attackers keep developing new attacks, and users and organizations fail to embrace and invest in information security. There is thus no end in sight.