The “Stuxnet” computer worm made international headlines in July, when security experts discovered that it was designed to exploit a previously unknown security hole in Microsoft Windows computers to steal industrial secrets and potentially disrupt operations of critical information networks. But new information about the worm shows that it leverages at least three other previously unknown security holes in Windows PCs, including a vulnerability that Redmond fixed in a software patch released today.
As first reported on July 15 by KrebsOnSecurity.com, Stuxnet uses a vulnerability in the way Windows handles shortcut files to spread to new systems. Experts say the worm was designed from the ground up to attack so-called Supervisory Control and Data Acquisition (SCADA) systems, those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities.
The worm was originally thought to spread mainly through removable drives, such as USB sticks. But roughly two weeks after news of Stuxnet first surfaced, researchers at Moscow-based Kaspersky Lab discovered that the worm also could spread using a previously unknown security flaw in the way Windows shares printer resources. Microsoft fixed this vulnerability today with the release of MS10-061, which is rated critical for Windows XP systems and assigned a lesser “important” threat rating for Windows Vista and Windows 7 computers.
In a blog post today, Microsoft group manager Jerry Bryant said Stuxnet targeted two other previously unknown security vulnerabilities in Windows, including another one reported by Kaspersky. Microsoft has yet to address either of these two vulnerabilities – known as “privilege escalation” flaws because they let attackers elevate their user rights on computers where regular user accounts are blocked from making important system modifications.
Anti-virus researchers also discovered that Stuxnet leverages a Windows vulnerability that Microsoft patched back in 2008. Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, said initially it wasn’t clear why the worm’s designers included such an antiquated vulnerability, which would almost certainly set off alarm bells inside of any organization using common intrusion detection and prevention tools.
But Schouwenberg said the inclusion of that 2008 vulnerability made more sense when he learned that most industrial control system networks do not employ these defensive tools, or even the basic network logging that is standard in most corporate networks. Consequently, he said, Stuxnet behaves differently depending on what type of network it thinks it is running on. Stuxnet performs some rudimentary checking to see whether it is on a corporate network or a control systems network: if it decides it is running on a corporate network, it won’t invoke the older 2008 vulnerability, Schouwenberg said.
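For administrators who want to check exposure to the Windows flaws the article names, the following is an added example (not code from the article or from Microsoft). It uses the bulletins’ own KB identifiers for MS10-046 (the shortcut flaw, KB2286198) and MS10-061 (the Print Spooler flaw, KB2347290); the article does not name the 2008 vulnerability, so treating it as MS08-067 (Server service, KB958644) is an assumption made here.

```powershell
# Added example, not from the article. Reports whether a host shows the
# patches for the Windows flaws Stuxnet is described as using.
# KB2286198 = MS10-046, KB2347290 = MS10-061 (both from the bulletins).
# KB958644 = MS08-067 is an assumption for the unnamed "2008 vulnerability".
$Expected = @{
    'KB2286198' = 'MS10-046 Windows Shell shortcut (LNK) handling'
    'KB2347290' = 'MS10-061 Print Spooler'
    'KB958644'  = 'MS08-067 Server service (assumed to be the 2008 flaw)'
}

function Get-StuxnetPatchStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        # Get-HotFix reads Win32_QuickFixEngineering, which lists updates
        # installed through Windows Update / update.exe. A later rollup that
        # supersedes one of these KBs will not show up under the old ID, so
        # "Installed = False" means "verify", not "vulnerable".
        $installed = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.HotFixID }

        foreach ($kb in $Expected.Keys) {
            New-Object PSObject -Property @{
                Computer  = $c
                KB        = $kb
                Bulletin  = $Expected[$kb]
                Installed = [bool]($installed -contains $kb)
            }
        }
    }
}

# Usage: local host, or pass a list of hosts that is reachable over WMI.
Get-StuxnetPatchStatus |
    Sort-Object Computer, KB |
    Format-Table Computer, KB, Bulletin, Installed -AutoSize
```

The script is written for the PowerShell 2.0 era the article describes (hence New-Object rather than newer syntax). Because Schouwenberg notes that control-system networks often lack logging, a missing MS08-067 patch on a machine reachable from the plant floor is the combination this check is meant to surface.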
The Kaspersky analyst said that whoever is responsible for writing the Stuxnet worm appears to be quite familiar with the way that SCADA systems are configured. Stuxnet, which targeted specific SCADA systems manufactured by Siemens, also disguised two critical files by signing them with the legitimate digital signatures belonging to industrial giants Realtek Semiconductor Corp. and JMicron.
“If you look at the way they must have organized the entire attack, it’s very impressive,” Schouwenberg said. “These guys are absolutely top of the line in terms of sophistication.”
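The article says two of Stuxnet’s files carried legitimate signatures from Realtek and JMicron. The following is an added example (not from the article, Kaspersky, or either vendor) of how to audit the signatures on installed kernel drivers and flag those publishers; the watch list and the directory path are assumptions for illustration.

```powershell
# Added example, not from the article. Lists the Authenticode status and
# signer of every .sys file in the drivers directory and flags signers that
# match publisher names the article says were abused. The names below are
# an assumption for illustration; a match is a lead, not a verdict.
$WatchList = @('Realtek Semiconductor', 'JMicron')

function Get-DriverSignatureReport {
    param([string]$Path = "$env:SystemRoot\System32\drivers")

    Get-ChildItem -Path $Path -Filter *.sys | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = ''
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

        $flag = $false
        foreach ($w in $WatchList) {
            if ($subject -like "*$w*") { $flag = $true }
        }

        New-Object PSObject -Property @{
            File   = $_.Name
            Status = $sig.Status     # Valid, NotSigned, HashMismatch, ...
            Signer = $subject
            Watch  = $flag
        }
    }
}

# Show only flagged signers and anything that does not verify cleanly.
Get-DriverSignatureReport |
    Where-Object { $_.Watch -or $_.Status -ne 'Valid' } |
    Sort-Object Watch -Descending |
    Format-Table File, Status, Signer, Watch -AutoSize
```

Genuine Realtek and JMicron drivers exist on many machines, so a flagged file should be compared by hash against the vendor’s release and its certificate checked against the issuing CA’s revocation list; Get-AuthenticodeSignature reports chain validity, not whether a certificate has since been revoked.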
News of just how successful this stealthy malware family has been in compromising SCADA systems is still trickling out. Earlier today, IDG News’s Robert McMillan quoted Siemens as saying the worm had infected SCADA systems in at least 14 plants in operation, although Siemens said the infections did not impair production at those plants or cause any malfunction. Stuxnet has infected systems in the U.K., North America and Korea, but the largest number of infections, by far, have been in Iran, IDG reports.
But Joe Weiss, managing partner at Cupertino, Calif.-based Applied Control Systems, said far too many people have been fixated on Stuxnet’s impact on Microsoft Windows systems and are missing the fact that its authors are using the worm as a means to an end. For example, researchers at Symantec found that Stuxnet uses default passwords built into Siemens systems to gain access to and reprogram the SCADA systems’ “programmable logic controllers” — mini-computers that can be programmed from a Windows system. According to Symantec:
Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
“The Department of Homeland Security put out an advisory on Stuxnet on September 2nd, and the only two things it didn’t say anything about are how to find it or get rid of it at the PLC level,” Weiss said. “People are focusing on what they know and understand, which are the standard Microsoft vulnerabilities. But that’s not the scary part. The really scary thing is that right now we don’t even know which controllers are trusted and which ones aren’t trusted.”
While the intended target of Stuxnet appears to be the manipulation of Siemens PLCs, Weiss said Stuxnet could have just as easily been designed to attack PLCs made by other SCADA manufacturers. These and other topics will be the center of discussion at the ACS Control System Cyber Security Conference next week in Rockville, Md. — although the event is closed to the media.
“The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system,” Weiss said. “At least one aspect of what Stuxnet does is to take control of the process and to be able to do…whatever the author or programmer wants it to do. That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down. This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”
Update, Sept. 22, 9:45 a.m. ET: Secunia has published a bit more information about these two unpatched privilege escalation flaws in Windows.