The initial attack vector is a malicious shortcut file (.LNK) that takes advantage of the recently identified Windows shell vulnerability (MS10-046). Back in July, I wrote about this vulnerability here.
When a drive containing the malicious .LNK file is browsed with an application such as Windows Explorer or Internet Explorer, the shell parses the shortcut in order to display its icon, and in doing so loads the malicious executable the shortcut points to. What is interesting is that the user need not double-click the .LNK file to trigger the vulnerability; merely opening the folder containing the malicious file is enough to get infected.
Once running, the worm searches for SCADA systems manufactured by Siemens. When it finds one, it uploads its own code to the programmable logic controllers (PLCs) of that system and changes the behavior of the whole installation. So although the initial attack vector is the malicious shortcut file, the second stage exploits an application vulnerability in the Siemens SCADA software: a hard-coded password, which the worm uses to gain the access it needs to upload its code.
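The detail that makes the shortcut dangerous is that the shell reads the shortcut's LinkTargetIDList to find out what icon to draw, and for an item inside the Control Panel namespace it loads the referenced file as a module to get that icon. The following is an added example, not code from the original post: a minimal parser for the MS-SHLLINK format plus a heuristic that flags shortcuts whose Control Panel item names a file outside the system directory. The trusted-directory list, the simplified item layouts and the three sample shortcuts are all constructed here for illustration and are not real samples.

```python
"""Heuristic scanner for .LNK files shaped like the MS10-046 trigger.

Added example, not code from the original post. Parses enough of the
MS-SHLLINK format to reach the LinkTargetIDList and flags shortcuts that
walk into the Control Panel namespace and reference a file outside the
trusted applet directories. Sample shortcuts below are constructed here.
"""
import re
import struct
import uuid

# Fixed values from the MS-SHLLINK specification
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
STRING_FLAGS = (  # StringData sections, in their on-disk order
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"),
)
IS_UNICODE = 0x80
# CLSID of the Control Panel shell folder
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
# Directories the heuristic treats as legitimate homes for .cpl applets (assumption)
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs


def parse_lnk(data):
    """Return header flags, raw ItemID payloads and StringData of a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated shell link header")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a shell link")
    pos, item_ids = HEADER_SIZE, []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        while pos < end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:          # TerminalID closes the list
                break
            item_ids.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:           # LinkInfo starts with its own size; skip it
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    strings = {}
    for flag, name in STRING_FLAGS:     # CountCharacters then the characters, no NUL
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return {"flags": flags, "item_ids": item_ids, "strings": strings}


def suspicious_paths(data):
    """Paths referenced inside a Control Panel item that live outside the trusted
    applet directories; an empty list means the heuristic is quiet."""
    link = parse_lnk(data)
    blob = b"".join(link["item_ids"])
    if CONTROL_PANEL_CLSID.bytes_le not in blob:
        return []                       # ordinary file shortcut, not a CPL item
    paths = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return [p for p in paths if "\\" in p and not p.lower().startswith(TRUSTED_PREFIXES)]


# --- constructed test material (item layouts simplified; not real samples) ---
def clsid_item(clsid):
    return b"\x1f\x50" + clsid.bytes_le


def path_item(path):
    return b"\x00\x00" + path.encode("utf-16-le")


def build_lnk(item_ids, icon_location=None):
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE | (0x40 if icon_location else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID.bytes_le, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, times, sizes all zero
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
    body = struct.pack("<H", len(idlist)) + idlist
    if icon_location:
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + body


BENIGN_CPL = build_lnk([clsid_item(CONTROL_PANEL_CLSID), path_item("C:\\Windows\\System32\\desk.cpl")])
REMOVABLE_CPL = build_lnk([clsid_item(CONTROL_PANEL_CLSID), path_item("E:\\~payload.tmp")])
PLAIN_FILE = build_lnk([path_item("C:\\Users\\me\\notes.txt")], icon_location="C:\\Users\\me\\notes.txt")

if __name__ == "__main__":
    for label, lnk in (("benign", BENIGN_CPL), ("removable", REMOVABLE_CPL), ("plain", PLAIN_FILE)):
        print(label, suspicious_paths(lnk))
```

Note that the heuristic deliberately ignores the file extension: the shell loads whatever the Control Panel item points at, so a module renamed to .tmp is as loadable as a .cpl, and only the location of the referenced file is a useful signal.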
Check the links below for more information on this worm:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fStuxnet
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
http://www.veracode.com/blog/2010/07/deadly-combo-zero-day-application-vulnerability-os-vulnerability-attacker-win/
http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
1 comment:
BitDefender has a free tool that removes the Stuxnet malware. It can be downloaded from
http://www.malwarecity.com/blog/bitdefender-offers-free-removal-tool-for-stuxnet-902.html