Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

W32.Stuxnet — Network Information

Created: 23 Jul 2010 03:52:38 GMT • Updated: 23 Jan 2014 18:26:12 GMT • Translations available: 日本語
Vikram Thakur's picture
+1 1 Vote
Login to vote

We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.

Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Within the past 72 hours we've seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server. Here is a breakdown per country of the approximately 14,000 IP addresses obtained during the past 72 hours:

These numbers represent machines actively infected with Stuxnet. The number of machines that have seen Stuxnet—but were blocked by our security products—can be seen in a previous blog here. It is evident that W32.Stuxnet was created and distributed with the intent of stealing critical infrastructure documents in organizations in specific countries. A number of theories about who may be behind this data have already been discussed here.

Now, it is important to note that most enterprises use a network address translation (NAT) at their network perimeter. This results in a large number of corporate computers being masked behind a single IP when they visit sites external to their network. In effect, the number of infected W32.Stuxnet clients without an updated security solution (or without one at all) should be considered to be much higher than 14,000. Here is a snippet of where these infected hosts are:

Also, by default, W32.Stuxnet always sends the IP address, name of the computer, and name of the workgroup or domain they were a part of to the command-and-control server. For example, here are a bunch of different computers that use the same IP address:

Using this information, we’re engaging relevant authorities for assistance. Not surprisingly, infected machines include a variety of organizations that would use SCADA software and systems, which is clearly the target of the attackers.

Thanks to Gavin O'Gorman and Nicolas Falliere for their analysis.

Click here for more information relating to W32.Stuxnet.