W32.Stuxnet was first categorized in July of 2010. Originally Symantec named the detection W32.Temphid based upon the information originally received but later renamed it Stuxnet to bring our naming convention in line with other vendors, and therefore virus definitions dated July 19, 2010 or earlier may detect this threat as W32.Temphid.
It targets industrial control systems in order to take control of industrial facilities, such as power plants. While the attacker’s exact motives for doing so are unclear, it has been speculated that any number of reasons could apply, the most probable intent being industrial espionage. The identities of the attackers are also unknown, but there seems little doubt that, regardless of their identities, they are skilled and well resourced; this wasn’t something that was put together in a short period of time.
Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.
October, 2011 - W32.Duqu, a new beginning?
Symantec received reports of a new threat (W32.Duqu) that was created from the same code base as Stuxnet. While the code base was nearly identical, and the methods around the attacks are similar, the purpose of the new threat appears to be completely different from Stuxnet. Stuxnet was primarily designed to sabotage industrial machinery, whereas Duqu appears to be designed for information theft, particularly information related to industrial systems and other secrets. This activity could be carried out with the goal of using the stolen information to plan and mount future attacks of a similar nature to those made by Stuxnet.
Symantec has analyzed this threat in detail and has made our analysis available in a report: W32.Duqu: The precursor to the next Stuxnet.
Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a link to that copy on a removable drive. When a removable drive is attached to a system and browsed with an application that can display icons, such as Windows Explorer, the link file runs the copy of the worm. Due to a design flaw in Windows, applications that can display icons can also inadvertently run code, and in Stuxnet’s case, code in the .lnk file points to a copy of the worm on the same removable drive.
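A triage script for the propagation pattern just described, added here as an example and not part of Symantec's write-up: it parses the fixed ShellLinkHeader and the LinkInfo block of each .lnk file on a mounted removable volume and flags any shortcut whose LocalBasePath points back to a file on that same drive. The sample shortcut it builds, the drive letter E and the file name dropped_copy.dll are constructed placeholders; only the same-drive heuristic is implemented, not the icon-handling flaw itself.

```python
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2          # ShellLinkHeader.LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1            # LinkInfo.LinkInfoFlags bit

def local_base_path(data: bytes):
    """Return the ANSI LocalBasePath of a Shell Link, or None if it carries none."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed-size header
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO or pos + 28 > len(data):
        return None
    li_size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH or base_off >= li_size:
        return None
    # LinkInfo offsets are relative to the start of the LinkInfo block; path is NUL-terminated
    return data[pos + base_off:data.index(b"\x00", pos + base_off)].decode("latin-1")

def points_back_to_drive(data: bytes, drive_letter: str) -> bool:
    """True if the shortcut's target lives on the given drive letter, e.g. 'E'."""
    target = local_base_path(data)
    if not target or len(target) < 2 or target[1] != ":":
        return False
    return target[0].upper() == drive_letter.upper()

def scan_removable(mount_root: str, drive_letter: str) -> list:
    """Walk a mounted removable volume and list shortcuts that point back into it."""
    hits = []
    for dirpath, _dirs, files in os.walk(mount_root):
        for name in sorted(files):
            if name.lower().endswith(".lnk"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    if points_back_to_drive(fh.read(), drive_letter):
                        hits.append(full)
    return hits

def build_sample_lnk(target: str) -> bytes:
    """Constructed minimal shortcut (header + LinkInfo only), used as test input."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO) + bytes(52)
    volume = struct.pack("<4I", 0x11, 2, 0, 0x10) + b"\x00"   # DriveType 2 = removable
    base = target.encode("latin-1") + b"\x00"
    body = volume + base + b"\x00"                             # trailing empty CommonPathSuffix
    offsets = (0x1C, 0x1C + len(volume), 0, 0x1C + len(volume) + len(base))
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH, *offsets)
    return header + link_info + body + bytes(4)                # 4 zero bytes end ExtraData
```

On a real volume, call scan_removable with the mount point and the drive letter Windows assigned to it; hits are candidates for quarantine and a definitions scan, not proof of infection.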
Furthermore, Stuxnet also exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was notably used with incredible success by W32.Downadup (a.k.a. Conficker), as well as the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability. The worm also attempts to spread by copying itself to network shares protected by weak passwords.
The primary purpose of the Stuxnet worm is to take control of industrial facilities. Interestingly, one would expect the malware authors to design malware that would target only computers running the software that controls these facilities. However, like any other garden-variety worm, it spreads indiscriminately using the vulnerability mentioned above.
Historic data from the early days of the Stuxnet worm attack showed that Iran, Indonesia and India accounted for the bulk of the countries where computers were targeted.
To achieve this goal, it first uses two different, and most importantly legitimate, certificates signed by well-known companies to avoid detection by antivirus applications. Once it finds its way onto a computer and exploits the .lnk vulnerability to run, it then installs a rootkit in order to hide itself on the system.
Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA systems, and if it finds these systems on the compromised computer, it attempts to steal code and design projects. It may also take advantage of the programming software interface to upload its own code to the Programmable Logic Controllers (PLCs), the ‘mini-computers’ in an industrial control system that are typically monitored by SCADA systems. Stuxnet then hides this code, so when a programmer using a compromised computer tries to view all of the code on a PLC, they will not see the code injected by Stuxnet.
Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
Symantec Endpoint Protection – Application and Device Control
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful for reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.
This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.
To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.
For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual.
The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.
[Figures omitted: the geographic distribution and the worldwide infection levels of this threat as observed by Symantec.]
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.