Fortinet Blog | News and Threat Research

Stuxnet: A Comprehensive FAQ

by Guillaume Lovet  |  July 21, 2010  |  Category: Security Research

Since the Belarusian vendor VirusBlokAda raised the alarm last week on a new piece of malware dubbed “Stuxnet”, a whole lot of information has been released here and there on different portions of the threat. The Stuxnet case indeed has several facets: it consists of an “exploit” part and a “rootkit” part, involves specific infection vectors, targets a specific class of victims, and has unusual characteristics (for instance regarding software certificates). The resulting fragmentation of information across the Web led us to think some people may find a comprehensive FAQ - including our own bits, of course - somewhat useful.

Q: So, what is Stuxnet exactly? A: Technically, Stuxnet is solely the name of the Trojan component of the threat. The Trojan component is split into two malicious drivers, mrxnet.sys and mrxcls.sys, both dropped into System32\drivers\ during the attack.

Q: And what do these drivers do? A: This is still under active investigation, and will be addressed in depth in an upcoming blog post. But essentially, they have rootkit features: attempting to hide themselves and to inject malicious code in key parts of the system to spy on it, and possibly act based on what it sees.

Q: Why is Stuxnet said to target SCADA systems? A: Because in the aforementioned injected code were found strings suggesting monitoring of (and possibly interaction with) Siemens SIMATIC WinCC and SIMATIC STEP 7, two software packages relevant to industrial processes.

Q: So, could the attack aim at shutting down the electricity grid or any other nation-wide catastrophe that terrorists would want to trigger? A: It is too early to identify the precise aim of the attack (let alone to attribute it), but let’s consider the following: SIMATIC STEP 7 is engineering software (i.e. it is used to program industrial controllers) and SIMATIC WinCC is mainly monitoring software, used to visualize industrial processes. It is therefore reasonable to think the Stuxnet attack is somewhat industrial-espionage oriented, rather than armageddon-driven.

Q: Then if I don’t run an industrial facility, I’m safe, right? A: Not necessarily. For starters, having a Trojan planted on your machines is never totally innocuous: the rootkit component can cause system instability due to conflicts in API hooking, and worse, the Trojan may be updated at some point to spy on something other than SCADA software. Furthermore, the exploit part used to “seed” the Trojan is independent of the Trojan itself. Some reports lead us to think it may actually have been used by cybercriminals as much as one month before the vulnerability was made public, possibly to seed other malware. In any case, it will be used from now on.

Q: And what is this vulnerability about? How does it work? A: The vulnerability, CVE-2010-2568, is a design flaw in the way MS Windows handles .lnk (shortcut) and .pif files. Essentially, when a folder containing such a file is opened in Windows Explorer, the shell parses the shortcut in order to display its icon; for a shortcut pointing at a “control panel applet”, it loads the DLL named in the shortcut, from an arbitrary path, to fetch that icon. No click on the shortcut is needed: merely rendering the folder listing is enough. Apparently this behaviour exists to allow for dynamic icon management on external/remote storage.

Q: OK, so opening a folder that contains a malicious .lnk file will result in a malicious dll being loaded in my system, right? A: If the system has access to the malicious dll as defined by the path embedded in the .lnk file, yes.

Q: And what does the malicious dll do? A: In the case of the Stuxnet attack, it drops the two drivers mentioned in the very first answer above.

Q: Why do people mention USB sticks as the infection vector, and “AutoPlay” as an infection catalyst? A: Because with MS Windows AutoPlay, infection could be automatic upon connecting a USB stick to the system, assuming the default action is set to “Open folder to view files”. But frankly, AutoPlay should not be the center of discussions: USB sticks being primarily storage media, a user inserting one is likely to open it at some point. Beyond that, USB sticks have two interesting properties for the attackers:

  1. They can carry the malicious dll to be loaded, almost without any size restriction.
  2. Being physical objects, they tend to pass through firewalls… Directly from the parking lot to the internal network.

Q: So are USB sticks the only possible infection vectors? A: No, a remote attack could also be mounted via WebDAV or remote SMB shares, leading to the remote malicious dll being loaded into the local system. In addition, Microsoft has indicated that Office documents could be used to trigger the same design vulnerability.

Q: Ok, so how do I patch my system? A: There is no patch available yet, however Microsoft has published some workarounds in an advisory.

UPDATE (2010-07-22): Microsoft released a tool that automates implementation of such a workaround.

Q: What is this I keep hearing about valid certificates in Stuxnet? A: The malicious drivers mentioned above are signed by certificates issued to Realtek and JMicron, two legitimate companies. The private keys used to sign software with those certificates were likely stolen: ESET researcher PM Bureau noted that both companies have offices in Hsinchu Science Park, Taiwan.

Q: What is Fortinet doing about it? A: We have released AntiVirus (Data/StuxnetLnk!tr) and IPS (MS.Windows.Shell.LNK.Code.Execution) detections for the malicious .lnk files, tackling the threat from different angles in order to increase the robustness of overall detection in FortiGates. The malicious dll and drivers are taken care of by the detections W32/Stuxnet!tr and W32/Stuxnet!tr.rkit, respectively.

Tags: CVE-2010-2568 faq Malware stuxnet trojan VirusBlokAda