It has been a busy week for people analyzing the Stuxnet worm. Recent developments include:
- The Windows shortcut / ".LNK" vulnerability affects all Windows versions back to Windows 2000.
- Microsoft has issued a prevention tool which disables the display of all file shortcuts. However, reports from people who have tried the tool are unanimous in that it renders the Windows GUI nearly unusable.
- Siemens has issued a remediation tool to remove Stuxnet from compromised computers. However, Siemens advises customers to contact their support organizations before running the tool, because PCS 7 systems are routinely very customized and it is the support organizations for each site that can tell you whether application of the Siemens tool to a system is safe.
- Sophos has issued a tool to prevent the Windows shell from interpreting malicious shortcuts but still display benign shortcuts.
- Most anti-virus vendors, including unified threat manager manufacturers like Fortinet, have issued signatures for Stuxnet and/or the compromised file shortcuts.
Symantec has posted some nice work focussed on the "generic" part of the worm - everything except the part that touches the control system. Once the worm takes over a machine, it tries to contact a command and control server in Denmark and another server in Malaysia. Traffic to both servers has been diverted and IP addresses trying to contact the servers are being counted. Some 14,000 addresses were counted in the first 72 hours, most from Iran, Indonesia and India, in that order. IP addresses are not very reliable indicators of how many machines are compromised though. Dynamic NAT-ing can make one compromised machine look like it has many IP addresses, and static NAT-ing can make many machines look like they have one IP address. But experience with counting IP addresses indicates that the count is usually off by no more than 10x in either direction. What this means is that this is a relatively small set of compromised machines, by the standards of the world's botnets.
Almost nothing new has been published regarding the interaction of the worm with a Siemens control system.
Industrial Defender has been busy as well. We have created a Stuxnet advisory page and will be updating that page as new information becomes available. Our labs have obtained a live copy of the original Stuxnet worm and have confirmed that our new Host Intrusion Prevention System blocks the worm. Even better, on machine that blocked the worm, our team could find no indication of any adverse side effects of the attempted compromise. We have also tested the worm on machines protected by our Host Intrusion Detection System agents. The agents are detection only, not prevention, so the worm did compromise our test machines. Our agents though, reported the compromise promptly and produced all of the alerts we expected - in particular: alerts for new driver files appearing in ".../system32/drivers", and an alert saying someone had installed a new service.
For a deeper analysis of the Stuxnet worm, you can join the Stuxnet webinar on Tuesday, July 27 at 11 AM ET. Industrial Defender is hosting a panel of industry experts to discuss what Stuxnet means for industrial security: Patrick Miller of ICF International, Erik Byres of Tofino Security, Dale Peterson of Digital Bond, Mark Zanotti of Lofty Perch, and myself Andrew Ginter of Industrial Defender. A recording of the webinar will be posted shortly after the webinar completes.