Security researchers reveal that the Stuxnet worm targeting industrial companies exploits four zero-day vulnerabilities - including two that remain unpatched.
Security researchers revealed today the Stuxnet worm has been
exploiting four zero-day vulnerabilities in Windows in an attempt
to infect industrial control systems.
In the months since Stuxnet was first publicized in July, much of the
attention focused on a now-patched Microsoft
Windows bug tied to the way shortcut files are parsed on vulnerable
machines. Researchers reported today however that the malware has
actually been seen exploiting multiple zero-day bugs, including two that
Microsoft said remain unpatched.
"If I have to single something out [as the most interesting]-which is
hard in this case-then I'd go for the fact that Stuxnet exploits four
previously unknown vulnerabilities," said Roel Schouwenberg, senior antivirus
researcher at Kaspersky Lab. "But overall, the thought which has been
put into Stuxnet is just amazing. Four zero-days, two
stolen [digital] certificates
, knowing SCADA systems inside and out-it's
all been very carefully orchestrated."
In addition to the Windows shortcut bug, the worm also used a vulnerability
in Windows' Print Spooler service that was patched
today by Microsoft
. Still left open, however, are two privilege escalation
vulnerabilities the malware tries to use to gain control of infected systems.
"One of these EoP [escalation of privilege] vulnerabilities affects
Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008
and Windows Server 2008 R2," blogged Jerry Bryant, group manager of
Response Communications at Microsoft. "These are local EoP issues, which
means that an attacker, in this case Stuxnet, already has permission to run
code on the system or has compromised the system through some other means.
"We are currently working to address both issues in a future bulletin,"
First reported by security vendor VirusBlokAda, the worm targeted Siemens'
Simatic WinCC and PCS 7 software, which
run on industrial control systems.
In the months since the worm became publicly known, the number of infected
machines in India
has continued to grow, Schouwenberg said. The amount of infected machines in Iran
is significantly lower than earlier in the year, he added.
According to Siemens spokesperson Michael Krampe, Siemens has
customers that found Stuxnet on their systems, and "each
was able to detect and remove the virus without any impact to their operations."
"Luckily, most control system operators separate their control network
from their business and public networks," noted Mike Sconzo, senior
security analyst at NetWitness. "That has been a limiting factor in
keeping the number of viable infections down. Even though the initial
infection vector was discovered to be based on USB
drives, newer information points to Stuxnet being able to replicate via the
network. Because of the limited network connectivity and the restrictions
imposed on employees to not plug USB drives
into controls systems, this threat has not been as serious as it could have
"While being regarded as the first targeted attack against industrial
systems in the wild, it will likely not be the last," he added. "Being
a first effort in the target space and only going after a limited number of
system types, it has accomplished an amazing amount."