Stuxnet Worm Detection

Critical Nessus Plugin ID 49270

Synopsis

The remote Windows host has been infected with the Stuxnet worm.

Description

The remote Windows host has files present on the system that indicate the Stuxnet worm has infected the system. This worm attempts to spread in several ways, making use of known Windows vulnerabilities and removable media. It has been seen making use of several 0-day vulnerabilities as well as attacking Siemens SCADA systems.

This plugin looks for files present on Windows systems that are generated upon infection. The Stuxnet executable uses hard-coded file names, and generates several files, such as malicious drivers that are loaded by the system. The presence of these files is indicative of a system that has been infected through one of the multiple vectors Stuxnet attempts to use.

Solution

Update the host's antivirus software, clean the host, and scan again to ensure its removal. If symptoms persist, re-installation of the infected host is recommended.

See Also

http://www.nessus.org/u?af45eeeb

http://www.nessus.org/u?38fada60

Plugin Details

Severity: Critical

ID: 49270

File Name: stuxnet_detect.nasl

Version: 1.10

Type: local

Family: Backdoors

Published: 2010/09/17

Modified: 2018/11/15

Dependencies: 13855

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated