Stuxnet scored quick hit on first target, says researcher

Gregg Keizer | Feb. 14, 2011
Infected Iranian PC just 12 hours after worm's code was compiled, reports Symantec

The average time between compilation and infection for all 10 initial attacks was 19 days, and the median was 26 days, said Symantec.

Another target in the first wave was also the most important, said O Murchu, who noted that the organization was hit not only in mid-2009, but also by two later waves in March and April 2010. That organization was the only one of the five infected by all three attacks.

Of the three waves of Stuxnet attacks -- June 2009, March 2010 and April 2010 -- the second was the most successful, according to O Murchu.

The March 2010 variant was the first to include an exploit of a vulnerability in how Windows parsed shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, the hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.

"That exploit was far more effective than the original AutoRun attack," said O Murchu, referring to the June 2009 Stuxnet's reliance on malformed files contained on a USB drive. "[Using the Windows shortcut vulnerability] allowed [the March 2010] Stuxnet to spread so much faster."

Stuxnet was able to exploit the shortcut bug for months before the vulnerability went public in June 2010. Microsoft rushed an emergency patch to customers in early August.

Although there were only minor differences between the March 2010 and April 2010 variants, the former infected more machines and had a better chance of reaching the intended target, said O Murchu. He was at a loss to explain the difference, but speculated that the first PC infected by the March wave may have been better connected to other Iranian computer networks.

Most analysts have assumed that the initial attacks were delivered on infected USB drives since it would be unlikely that Natanz is directly connected to the Internet. O Murchu said it was impossible to tell from the Stuxnet code if that was the case, however.

"It could have been delivered on a USB drive, but whether it was, or as an e-mail attachment, we can't tell," he said.

Symantec's revised report on Stuxnet can be downloaded as a PDF from the company's site.
