"Silent" Worms: Stuxnet
The vulnerability patched with MS10-061 is perhaps one of the most interesting we've covered in a "Patch Tuesday" post this year. The vulnerability was discovered when antivirus researchers at Kaspersky Lab analyzed malware called "Stuxnet". The malware was one of the first worms to use the LNK vulnerability, and contained code to exploit three other vulnerabilities, the print spooler vulnerability patched by MS10-061 and two other unnamed privilege escalation vulnerabilities that have yet to be patched. Its not everyday that we hear of malware in the wild exploiting 4 0-day vulnerabilities.
I am not easily impressed (in fact, I am even less than impressed) with the capabilities of most malware in the wild. However, there are some facts about the "Stuxnet" malware that do impress me:
- Stuxnet also contains an exploit for a vulnerability from 2008. It will only execute this exploit if it determines it is inside an organization using SCADA systems and not a typical corporation.
- Stuxnet was written specifically to attack control systems, and is the first publicly known malware to contain a rootkit for PLCs, devices that control SCADA systems. The rootkit silently waits for commands.
- Stuxnet gains access to control systems using default passwords and is rumored to have compromised 14 different control systems-based organizations.
- Stuxnet was first thought to primarily use USB devices to propagate (likely to get around "air gapped" security measures)
There was an interesting quote from Symantec that stated, "Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered". Apparently, this turned over control of Stuxnet-infected systems to Symantec. I just don't understand the logic behind the malware authors; if they had used fast flux, they may still have control over the botnet they seemed to have worked so hard to implement.