Friday, December 23, 2011

Stuxnet

Stuxnet is a computer worm that targets industrial control systems, the systems used to monitor and run large-scale industrial facilities such as power plants, dams, assembly lines and similar operations.

How the Stuxnet Worm Works

Stuxnet looks for industrial control systems and then changes the code in them to allow the attackers to take control of these systems without the operators knowing. In other words, this threat is designed to allow hackers to manipulate real-world equipment, which makes it very dangerous.

It's like nothing we've seen before, both in what it does and in how it came to exist. It is the first computer worm able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we've seen specifically targeting industrial control systems.

The worm is made up of complex computer code that requires many different skills to put together. Symantec security experts estimate it took five to ten people working for six months to build. In addition, knowledge of industrial control systems was needed, along with access to such systems for quality assurance testing; again indicating that this was a highly organized and well-funded project.

"We've definitely never seen anything like this before," said Liam O'Murchu, Researcher, Symantec Security Response. "The fact that it can control the way physical machines work is quite disturbing."
W32.Stuxnet Explained

Further reading from Symantec: the updated W32.Stuxnet Dossier (November 2010, PDF), the Symantec Security Response blog post on the W32.Stuxnet Dossier, and the video "Stuxnet: How It Infects PLCs".
Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.
We have received some queries recently regarding the new rootkit threat being called "Tmphider" or "Stuxnet". This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives, among other interesting features. We have compiled some of the questions we have been receiving along with our current responses. Analysis of the threat is still ongoing and we will update this blog with more information as appropriate.
Q) Am I protected against this threat?

A) Yes, Symantec added detection for this threat on July 13. The threat is detected as W32.Stuxnet; you can read some details of the threat here.
Q) I've heard that there are multiple files associated with this threat. Any details?

A) Yes, there are multiple files associated with the threat. The files consist of the threat installer and the rootkit component. They are both detected as W32.Stuxnet. Here are the file names of these components:

~WTR4141.tmp
~WTR4132.tmp
Mrxcls.sys
Mrxnet.sys

In addition, the threat creates associated shortcut/link files on a system. Here are some examples:

Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
Q) Who is being targeted by this threat?

A) While our analysis is ongoing, we've seen that a significant proportion of machines seeing this threat are in South East Asia. The "Others" category has a listing of 50+ countries, but their visibility of this threat is minimal.
Q) Does the threat use a new, unpatched (zero-day) vulnerability?

A) The threat is indeed using a previously unseen vulnerability to spread via removable drives. The vulnerability has been confirmed by Microsoft, who have released a security advisory for this issue (Microsoft Security Advisory 2286198, CVE-2010-2568).
Q) Do you know what OS platforms are seeing the attacks?

A) Our in-field data shows that multiple versions of Windows are seeing these malicious files. However, not all versions may be vulnerable to the exploit being used. Here is a breakdown:

(Per-version breakdown chart not reproduced here.)
Q) Does the threat in question contain a rootkit? What does it hide?

A) Yes, the threat does contain a rootkit component that it uses to hide two types of files:

All files that end in '.lnk'.
All files that start with '~WTR' and end with '.tmp'.

The threat has both a user-mode and a kernel-mode rootkit. The '.sys' files mentioned above are used in kernel mode; the '.tmp' files perform the hiding in user mode.

This means that when a system is infected, you will not be able to see the files that are copied to the USB drive, because they are being hidden by the rootkit. However, our product will still detect these files.
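Because the rootkit hides exactly these names from an infected Windows host, the practical check is to mount the suspect USB stick read-only on a clean machine (a non-Windows host is safest, since merely rendering the .lnk icons in Explorer on an unpatched Windows box is what triggers the exploit) and sweep it for the indicators listed in the two answers above. The following Python script is an added example, not Symantec's signature logic or any code from the original post: it flags the four component file names, the '~WTR*.tmp' pattern the rootkit hides, the "Copy of ... Shortcut to.lnk" naming pattern, and, as a heuristic I am assuming rather than one the post states, any .lnk file that embeds a UTF-16LE path to a '~WTR*.tmp' DLL. The sample volume it scans is constructed in a temporary directory.

```python
"""Offline indicator sweep of a removable volume for the W32.Stuxnet file
names given in the Symantec FAQ.  Added example; run it from a clean host
against a read-only mount, never from the possibly infected machine."""
import os
import re
import tempfile

# Exact component names from the FAQ (case-insensitive on FAT/NTFS).
STUXNET_FILES = {
    "~wtr4141.tmp": "Stuxnet loader DLL (~WTR4141.tmp)",
    "~wtr4132.tmp": "Stuxnet main DLL (~WTR4132.tmp)",
    "mrxcls.sys": "Stuxnet kernel driver (Mrxcls.sys)",
    "mrxnet.sys": "Stuxnet rootkit driver (Mrxnet.sys)",
}
# Everything the user-mode rootkit hides: names starting ~WTR and ending .tmp.
WTR_TMP_RE = re.compile(r"^~wtr.*\.tmp$", re.IGNORECASE)
# "Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk", ...
SHORTCUT_RE = re.compile(r"^(copy of )+shortcut to\.lnk$", re.IGNORECASE)
# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}.
LNK_HEADER = (b"\x4c\x00\x00\x00"
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
# Assumed heuristic: the exploit .lnk files carry the loader's path as a
# UTF-16LE string, so look for "~WTR<anything>.tmp" encoded that way.
WTR_UTF16_RE = re.compile(
    rb"~\x00W\x00T\x00R\x00(?:[^\x00]\x00){1,64}?\.\x00t\x00m\x00p\x00",
    re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Windows Shell Link header."""
    return data[:len(LNK_HEADER)] == LNK_HEADER


def lnk_references_wtr(data: bytes) -> bool:
    """True if a .lnk body embeds a UTF-16LE path to a ~WTR*.tmp file."""
    return WTR_UTF16_RE.search(data) is not None


def scan_drive(root: str) -> dict[str, list[str]]:
    """Walk a mounted volume; return {relative path: [reasons it was flagged]}."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            reasons = []
            if lower in STUXNET_FILES:
                reasons.append(STUXNET_FILES[lower])
            elif WTR_TMP_RE.match(lower):
                reasons.append("~WTR*.tmp name hidden by the Stuxnet rootkit")
            if SHORTCUT_RE.match(lower):
                reasons.append("Stuxnet exploit .lnk naming pattern")
            if lower.endswith(".lnk"):
                with open(path, "rb") as fh:   # reading bytes is safe; parsing by Explorer is not
                    data = fh.read(1 << 20)
                if is_lnk(data) and lnk_references_wtr(data):
                    reasons.append(".lnk referencing a ~WTR*.tmp DLL")
            if reasons:
                hits[rel] = reasons
    return hits


def build_demo_drive() -> str:
    """Constructed sample volume: benign files plus Stuxnet-style artifacts."""
    root = tempfile.mkdtemp(prefix="usb_")

    def put(name: str, data: bytes = b"benign content") -> None:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    wtr_path = "~WTR4141.tmp".encode("utf-16-le")
    put("report.docx")
    put("notes.txt")
    put("my shortcut.lnk", LNK_HEADER + "C:\\Program Files\\app.exe".encode("utf-16-le"))
    put("Copy of Shortcut to.lnk", LNK_HEADER + b"\x00" * 40 + wtr_path)
    put("Copy of Copy of Shortcut to.lnk", LNK_HEADER + wtr_path)
    put("~WTR4141.tmp", b"MZ" + b"\x00" * 32)
    put("~WTR4132.tmp", b"MZ" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_drive(build_demo_drive()).items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

Point the script at the mount point of the real stick (e.g. `scan_drive("/media/usb0")`) and treat any hit as a reason to image the drive rather than clean it; the name-based rules catch what the FAQ describes, while the UTF-16LE check is a coarse content heuristic and will miss a .lnk that references a renamed loader.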
Q) What does the threat do?

A) The link files mentioned above are part of the exploit and are used to load ~WTR4141.tmp, which in turn loads ~WTR4132.tmp. The threat contains many different functions. Our analysis of these functions is currently ongoing; however, we can confirm at this time that the threat is using some DLLs from the Siemens product 'Step 7' to access SCADA systems. It uses a predetermined username and password to connect to the database associated with the SCADA systems to obtain files and run various queries to collect information. It may also gather other information relating to servers and the network configuration.
Q) Do you detect the .lnk files used in this attack?

A) Yes, we have released a signature set that is designed to detect the .lnk files used in this attack. These files are detected as W32.Stuxnet!lnk, from Rapid Release definitions July 16, 2010, revision 035 onwards.
Q) Will turning off AutoPlay protect me against this threat?

A) No, unfortunately this worm exploits a newly discovered and unpatched vulnerability in the way that Windows Explorer handles .lnk files. This feature is unrelated to AutoPlay, so turning AutoPlay off will not help prevent being compromised in this attack. That said, turning off AutoPlay is generally a good idea.
--------------------
Update: Changed threat name from W32.Temphid to W32.Stuxnet.