Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.
We have received some queries recently regarding the new rootkit threat being called "Tmphider" or "Stuxnet". This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives, among other interesting features. We have compiled some of the questions we have been receiving along with our current responses. Analysis of the threat is still ongoing and we will update this blog with more information as appropriate.
Q) Am I protected against this threat?
Q) I've heard that there are multiple files associated with this threat. Any details?
A) Yes, there are multiple files associated with the threat. The files consist of the threat installer and the rootkit component. They are both detected as W32.Stuxnet. Here are the file names of these components:
In addition, the threat creates associated shortcut/link files on a system. Here are some examples:
- Copy of Shortcut to.lnk
- Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Copy of Shortcut to.lnk
Q) Who is being targeted by this threat?
A) While our analysis is ongoing, we've seen that a significant proportion of machines seeing this threat are in South East Asia. Here is a breakdown of countries that are seeing this threat:
The "Others" category covers 50+ countries, but each of them sees very little of this threat.
Q) Does the threat use a new, unpatched (zero-day) vulnerability?
A) The threat is indeed using a previously unseen vulnerability to spread via removable drives. The vulnerability has been confirmed by Microsoft, who have released a security advisory for this issue.
Q) Do you know what OS platforms are seeing the attacks?
A) Our in-field data shows that multiple versions of Windows are seeing these malicious files. However, not all versions may be vulnerable to the exploit being used. Here is a breakdown:
Q) Does the threat in question contain a rootkit? What does it hide?
A) Yes, the threat does contain a rootkit component that it uses to hide two types of files:
- All files that end in '.lnk'.
- All files that start with '~WTR' and end with '.tmp'.
The threat has both a user-mode and a kernel-mode rootkit. The '.sys' files mentioned above are the kernel-mode component; the '.tmp' files perform the hiding in user mode.
This means that when a system is infected, you will not be able to see the files that are copied to the USB drive because they are being hidden by the rootkit. However, our product will still detect these files.
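Because the rootkit hides exactly the names listed above on an infected host, a removable drive is best examined from a clean system. The following triage helper is an added example (not Symantec's code or a product signature) that flags file names matching the patterns this FAQ describes: '~WTR…tmp' payloads, the 'Copy of … Shortcut to.lnk' exploit shortcuts, and any other '.lnk' the rootkit would conceal. The sample listing is constructed.

```python
"""Flag file names on a mounted drive that match the W32.Stuxnet naming
patterns described in the FAQ.  Assumes the drive is attached to a clean
system; on an infected host the rootkit hides these names from listings."""
import os
import re
from typing import Dict, Iterable, List

# Patterns taken from the FAQ text.
WTR_TMP = re.compile(r"^~WTR.*\.tmp$", re.IGNORECASE)          # hidden payload files
COPY_OF_LNK = re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.IGNORECASE)  # exploit shortcuts
ANY_LNK = re.compile(r"\.lnk$", re.IGNORECASE)                   # everything the rootkit hides


def classify(name: str) -> str:
    """Return 'payload', 'exploit-lnk', 'lnk' or 'clean' for one base name."""
    if WTR_TMP.match(name):
        return "payload"
    if COPY_OF_LNK.match(name):
        return "exploit-lnk"
    if ANY_LNK.search(name):
        return "lnk"  # not one of the known names, but still worth a look
    return "clean"


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group paths by classification, dropping the 'clean' ones."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        kind = classify(os.path.basename(path))
        if kind != "clean":
            hits.setdefault(kind, []).append(path)
    return hits


def scan_drive(root: str) -> Dict[str, List[str]]:
    """Walk a mounted drive root (e.g. 'E:\\' or '/media/usb') and triage it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage(paths)


# Constructed sample listing resembling the names the FAQ describes.
SAMPLE_LISTING = [
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
    "~WTR4141.tmp",
    "~WTR4132.tmp",
    "report.docx",
    "My Project.lnk",
]

if __name__ == "__main__":
    for kind, names in triage(SAMPLE_LISTING).items():
        print(kind, names)
```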
Q) What does the threat do?
A) The link files mentioned above are part of the exploit and are used to load ~WTR4141.tmp, which in turn loads ~WTR4132.tmp. The threat contains many different functions. Our analysis of these functions is currently ongoing; however, we can confirm at this time that the threat is using some DLLs from Siemens for the product 'Step 7' to access SCADA systems. It uses a predetermined username and password to connect to the database associated with the SCADA systems to obtain files and run various queries to collect information. It may also gather other information relating to servers and the network configuration.
Q) Do you detect the .lnk files used in this attack?
A) Yes, we have released a signature set that is designed to detect the .lnk files used in this attack. These files are detected as W32.Stuxnet!lnk, from Rapid Release definitions July 16, 2010, revision 035 onwards.
Q) Will turning off AutoPlay protect me against this threat?
A) No, unfortunately this worm exploits a newly discovered and unpatched vulnerability in the way that Windows Explorer handles .lnk files. This feature is unrelated to AutoPlay, so turning AutoPlay off will not help prevent being compromised in this attack. That said, turning off AutoPlay is generally a good idea.
We'll publish more information as it becomes available.
Update: Changed threat name from W32.Temphid to W32.Stuxnet.