Stuxnet Using Three Additional Zero-Day Vulnerabilities
Our continued analysis of W32.Stuxnet has revealed a total of four zero-day vulnerabilities being used by the threat. We have already discussed the .lnk file vulnerability that Stuxnet uses to spread through USB drives here. Further investigations have revealed that Stuxnet uses one additional remote code execution vulnerability as well as two local privilege escalation vulnerabilities. We reported these vulnerabilities to Microsoft and today Microsoft has released a patch for the Print Spooler (CVE-2010-2729) remote code execution vulnerability. Microsoft is investigating both local elevation of privilege vulnerabilities and has confirmed that they do intend to address them in a future security bulletin.
We have already released signatures for the Print Spooler vulnerability; customers with updated IPS signatures are protected, but of course make sure to get the patch to eliminate the vulnerability.
Stuxnet takes advantage of the print spooler vulnerability to copy itself from one infected machine to another. The print spooler vulnerability itself allows for a file to be written to the %System% directory of a vulnerable machine. Stuxnet first uses this vulnerability to plant a copy of itself on a vulnerable machine and later it uses a feature of WBEM to achieve execution of that file on the remote machine.
A threat using one zero-day vulnerability by itself is a quite an event, however a threat using four zero-day vulnerabilities is extraordinary and is unique to this threat. This is the first time we have ever encountered a threat using so many unknown and unpatched vulnerabilities. Not only does Stuxnet use zero-day vulnerabilities, it also uses a variety of other vulnerabilities (such as the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability), which shows the extraordinary sophistication, thought, and planning that went into making Stuxnet.
We are currently preparing a paper about Stuxnet that will be presented at the annual Virus Bulletin conference being held in Vancouver from 29th September to 1st October that will provide further details about the threat.
We have prepared the following video that shows the vulnerability being exploited on an unpatched computer running Windows 2003 server. The video shows the payload being transferred to a remote computer and being executed in the remote environment.