Stuxnet Worm Detection

critical Nessus Plugin ID 49270

Synopsis

The remote Windows host has been infected with the Stuxnet worm.

Description

The remote Windows host has files present on the system that indicate the Stuxnet worm has infected the system. This worm attempts to spread in several ways, making use of known Windows vulnerabilities and removable media. It has been seen making use of several 0-day vulnerabilities as well as attacking Siemens SCADA systems.

This plugin looks for files present on Windows systems that are generated upon infection. The Stuxnet executable uses hard-coded file names, and generates several files, such as malicious drivers that are loaded by the system. The presence of these files is indicative of a system that has been infected through one of the multiple vectors Stuxnet attempts to use.

Solution

Update the host's antivirus software, clean the host, and scan again to ensure its removal. If symptoms persist, re-installation of the infected host is recommended.

See Also

http://www.nessus.org/u?af45eeeb

http://www.nessus.org/u?38fada60

Plugin Details

Severity: Critical

ID: 49270

File Name: stuxnet_detect.nasl

Version: 1.13

Type: local

Agent: windows

Family: Backdoors

Published: 9/17/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Asset Inventory: true

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated