Tuesday, September 14, 2010

Stuxnet Attackers Used Four Different Windows Zero-Day Exploits

Via ZDNet -

The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft’s Windows operating system, according to a startling disclosure from the world’s largest software maker.

Two of the four vulnerabilities are still unpatched.

As new details emerge to shine a brighter light on the Stuxnet attack, Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine.

The malware also exploited two different elevation of privilege holes to gain complete control over the affected system. These two flaws are still unpatched.


The following two vulnerabilities were used by the Stuxnet attackers and are currently patched.

MS10-046 - Vulnerability in Windows Shell Could Allow Remote Code Execution
MS10-061 - Vulnerability in Print Spooler Service Could Allow Remote Code Execution



A sophisticated worm designed to steal industrial secrets and disrupt operations has infected at least 14 plants, according to Siemens.


Researchers at Symantec have cracked Stuxnet's cryptographic system, and they say it is the first worm built not only to spy on industrial systems, but also to reprogram them.

Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs -- so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.

The software operates in two stages following infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.


Stuxnet comes with a rootkit, deigned to hide any commands it downloads from operators of the Siemens systems. Because of that, Symantec warns that even if the worm's Windows components are removed, the Siemens software might still contain hidden commands. Symantec advises companies that have been infected to thoroughly audit the code on their PLCs or restore the system from a secure backup, in order to be safe.

Stuxnet has infected systems in the U.K., North America and Korea, however the largest number of infections, by far, have been in Iran.

The first samples of the Stuxnet code date back to June of 2009, but security experts believe that it probably did not start infecting systems until earlier this year.

Defense contractors and companies with valuable intellectual property have been hit with targeted attacks for years now -- in January Google said it was the target of a sophisticated data-stealing effort known as operation Aurora. But Stuxnet marks the first time that someone has targeted the factory floor.


"We've definitely never seen anything like this before," O'Murchu said. "The fact that it can control the way physical machines work is quite disturbing."


Nobody knows who's behind Stuxnet, but recently Kaspersky Lab researcher Roel Schouwenberg said that it was most likely a nation state.

Symantec's O'Murchu agrees that the worm was done by particularly sophisticated attackers. "This is definitely not your typical operation," he said.

No comments:

Post a Comment