
W32.Stuxnet

Risk Level 2: Low

Discovered:
July 13, 2010
Updated:
February 26, 2013 7:15:33 PM
Also Known As:
Troj/Stuxnet-A [Sophos], W32/Stuxnet-B [Sophos], W32.Temphid [Symantec], WORM_STUXNET.A [Trend], Win32/Stuxnet.B [Computer Associates], Trojan-Dropper:W32/Stuxnet [F-Secure], Stuxnet [McAfee], W32/Stuxnet.A [Norman], Rootkit.Win32.Stuxnet.b [Kaspersky], Rootkit.Win32.Stuxnet.a [Kaspersky]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2010-2568
W32.Stuxnet was first categorized in July 2010. Symantec originally named the detection W32.Temphid, based on the information first received, but later renamed it W32.Stuxnet to bring our naming into line with other vendors; virus definitions dated July 19, 2010 or earlier may therefore detect this threat as W32.Temphid.

It targets industrial control systems in order to take control of industrial facilities, such as power plants. The attackers' exact motives were unclear when the threat was first analyzed, and several were speculated, industrial espionage among them; later analysis (see the note on W32.Duqu below) concluded that Stuxnet was designed primarily to sabotage industrial machinery. The identities of the attackers are also unknown, but there seems little doubt that, whoever they are, they are skilled and well resourced; this was not something put together in a short period of time.

Stuxnet exploits four zero-day vulnerabilities in a single threat, which was unprecedented at the time.


October, 2011 - W32.Duqu, a new beginning?

Symantec received reports of a new threat (W32.Duqu) that was created from the same code base as Stuxnet. Whilst the code base is near identical and the methods around the attacks are similar, the purpose of the new threat appears to be completely different. Stuxnet was primarily designed to sabotage industrial machinery, whereas Duqu appears to be designed for information theft, particularly information related to industrial systems and other secrets. The stolen information could be used to plan and mount future attacks of a similar nature to those made by Stuxnet.

Symantec has analyzed this threat in detail and has made the analysis available in a report:
W32.Duqu: The precursor to the next Stuxnet


Infection

Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732, CVE-2010-2568) in order to spread. The worm drops a copy of itself, together with a shortcut (.lnk) file that references that copy, onto a removable drive. When the drive is attached to a computer and browsed with an application that renders icons, such as Windows Explorer, the shortcut causes the copy of the worm to run; no double-click is required. The underlying design flaw is that the Windows shell, in order to display the icon of a shortcut to a Control Panel item, loads the module the shortcut points to, so an application that merely displays icons can inadvertently execute code. In Stuxnet's case the shortcut points to a copy of the worm stored on the same removable drive.
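The following is an added example, not Symantec's detection logic or any file from the threat itself. It parses the LinkTargetIDList of a Shell Link (.lnk) file and flags the pattern behind CVE-2010-2568: a shortcut whose item list walks into the Control Panel folder but whose Control Panel item names a module that is not a .cpl file, which is exactly what makes the shell load an arbitrary DLL just to draw an icon. The three .lnk blobs are constructed in the script (the path E:\dropped.tmp is a placeholder, not a real Stuxnet file name), and the item layout for the Control Panel entry is a simplified assumption; the header and ItemID framing follow the public Shell Link format.

```python
"""Heuristic scanner for .lnk files that abuse the Control Panel icon-loading
path (the behaviour behind CVE-2010-2568). Added example, not Symantec code."""
import re
import struct
import uuid

# Shell Link header constants from the [MS-SHLLINK] format.
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001

# Well-known shell folder CLSIDs as they appear (little-endian) inside ItemIDs.
CLSID_MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CLSID_CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le

# Four or more printable UTF-16LE code units in a row.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_idlist(data: bytes) -> list:
    """Return the Data field of every ItemID in the LinkTargetIDList.

    Raises ValueError if the bytes are not a Shell Link file.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file (bad HeaderSize)")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad LinkCLSID)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    idlist = data[HEADER_SIZE + 2:HEADER_SIZE + 2 + idlist_size]
    items, pos = [], 0
    while pos + 2 <= len(idlist):
        item_size = struct.unpack_from("<H", idlist, pos)[0]
        if item_size == 0:            # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > len(idlist):
            raise ValueError("malformed ItemID")
        items.append(idlist[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob: bytes) -> list:
    """Extract printable UTF-16LE runs from an ItemID payload."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def suspicious_cpl_target(data: bytes):
    """Return the offending module path if the shortcut is a Control Panel item
    pointing at something other than a .cpl file, otherwise None.

    Rendering the icon of such a shortcut makes the shell load that module, so a
    Control Panel shortcut whose module is e.g. a .tmp on a removable drive is
    the pattern to flag. A legitimate Control Panel shortcut names a .cpl.
    """
    items = parse_idlist(data)
    if not any(CLSID_CONTROL_PANEL in item for item in items):
        return None
    for item in items:
        for s in utf16_strings(item):
            looks_like_path = "\\" in s or ":" in s
            if looks_like_path and not s.lower().endswith(".cpl"):
                return s
    return None


def build_lnk(item_datas) -> bytes:
    """Assemble a minimal .lnk: header + LinkTargetIDList. Test fixture only."""
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_datas) + b"\x00\x00"
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed
    return header + struct.pack("<H", len(idlist)) + idlist


ROOT_MY_COMPUTER = b"\x1f\x50" + CLSID_MY_COMPUTER
CONTROL_PANEL_FOLDER = b"\x2e\x80" + CLSID_CONTROL_PANEL


def cpl_item(path: str) -> bytes:
    """Constructed (simplified) Control Panel ItemID carrying a UTF-16LE module path."""
    return b"\x00" * 8 + path.encode("utf-16-le") + b"\x00\x00"


# Constructed samples; E:\dropped.tmp is a placeholder, not a real Stuxnet file name.
MALICIOUS_LNK = build_lnk([ROOT_MY_COMPUTER, CONTROL_PANEL_FOLDER, cpl_item("E:\\dropped.tmp")])
BENIGN_CPL_LNK = build_lnk([ROOT_MY_COMPUTER, CONTROL_PANEL_FOLDER,
                            cpl_item("C:\\Windows\\System32\\timedate.cpl")])
PLAIN_FILE_LNK = build_lnk([ROOT_MY_COMPUTER, b"\x32\x00" + b"README.TXT\x00"])

if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS_LNK), ("benign cpl", BENIGN_CPL_LNK),
                       ("plain file", PLAIN_FILE_LNK)]:
        print(f"{name:11s} -> {suspicious_cpl_target(blob)!r}")
```

The check deliberately keys on the Control Panel folder CLSID plus a non-.cpl module path rather than on any one file name, so it also catches variants that rename the dropped DLL; to triage a real removable drive, read each *.lnk into bytes and pass it to suspicious_cpl_target.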

Furthermore, Stuxnet also exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which W32.Downadup (a.k.a. Conficker) had used to spread with notable success, as well as the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).

The worm also attempts to spread by copying itself to network shares protected by weak passwords.


Functionality
The primary purpose of the Stuxnet worm is to take control of industrial facilities. Interestingly, one would expect the authors to design malware that targets only computers running the software that controls these facilities. However, like any garden-variety worm, it spreads indiscriminately using the vulnerabilities described above, and only checks for the industrial software once it is on a computer.

Historic data from the early days of the Stuxnet worm attack showed that Iran, Indonesia and India accounted for the bulk of the countries where computers were targeted.




To achieve this, it first uses two different, and most importantly legitimate, digital certificates belonging to well-known companies to sign its driver files, so that they pass signature checks and avoid detection by antivirus applications. Once it finds its way onto a computer and exploits the .lnk vulnerability to run, it installs a rootkit in order to hide itself on the system.

Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA systems, and if it finds such software on the compromised computer, it attempts to steal code and design projects. It may also take advantage of the PLC programming software's interface to upload its own code to the Programmable Logic Controllers (PLCs): 'mini-computers' in an industrial control system that are typically monitored by SCADA systems. Stuxnet then hides this code, so when a programmer using a compromised computer tries to view all of the code on a PLC, they will not see the code injected by Stuxnet.

Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.


Symantec Endpoint Protection – Application and Device Control
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful in reducing the risk of a threat infecting a computer, the unintentional removal of data, and to restrict the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.


GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.






PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.



SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures
W32.Stuxnet


Antivirus (heuristic/generic)
W32.Stuxnet!lnk


Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version July 13, 2010 revision 038
  • Latest Rapid Release version February 19, 2013 revision 016
  • Initial Daily Certified version July 13, 2010 revision 040
  • Latest Daily Certified version February 1, 2013 revision 020
  • Initial Weekly Certified release date July 14, 2010

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Releases Confidential Info: Collects various information from compromised computers.

Distribution

  • Distribution Level: Medium
  • Shared Drives: Spreads through removable drives.
  • Target of Infection: Removable/network drives and computers vulnerable to certain vulnerabilities.
Writeup By: Jarrad Shearer
