Stuxnet Update

Stuxnet has received a lot of attention since McAfee first blogged about it in July. This post will answer some of the frequently asked questions we’ve received.

Q: What is Stuxnet?
A: Stuxnet is a highly complex worm targeting Siemens SCADA software. The threat exploits an unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time: CVE-2010-2568 (shortcut/LNK file parsing) and CVE-2010-2729 (Print Spooler service impersonation). It also uses a rootkit to conceal its presence and carries driver components signed with two stolen digital certificates. Additional information is provided in the McAfee Virus Information Library.

Q: When did it first appear and where was it first reported?
A: The threat was discovered in July but is believed to have been released a year earlier. McAfee Global Threat Intelligence (GTI) File Reputation first became aware of Stuxnet components in January, and several File Reputation detections took place before Stuxnet became widely known in July (Artemis!97FD438F25A4, Artemis!4589EF6876E9, Artemis!CC1DB5360109). Early telemetry showed the highest concentration in the Middle East.

Q: What is McAfee’s product coverage for the threat?
A: There are many aspects to Stuxnet, including two recently patched vulnerabilities and two yet-to-be-patched privilege-escalation vulnerabilities. Coverage of the two announced vulnerabilities follows:

CVE-2010-2568

Product coverage:
DAT FILES: Coverage for known exploits is provided as “Stuxnet” and “Exploit-CVE2010-2568” in the current DATs. Updated coverage is provided as Downloader-CJX.gen.g in the 6057 DATs, released July 28.
VIRUSSCAN ENTERPRISE BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of December 29, 2005, includes the signature “SMTP: Suspicious .Lnk Attachment Found.” The sigset releases of July 20 include the signatures “HTTP: Windows Shell Shortcut LNK File Parsing Vulnerability,” “HTTP: lnk File Download Detected,” and “NETBIOS-SS: lnk File Access Detected.” All four provide coverage.
VULNERABILITY MANAGER: The FSL/MVM package of July 16 includes a vulnerability check to assess whether your systems are at risk.
WEB GATEWAY: Coverage for known exploits is provided as “Stuxnet,” “Downloader-CJX.gen.g,” and “Exploit-CVE2010-2568” in the current Gateway Anti-Malware Database update.
REMEDIATION MANAGER: The V-Flash of July 23 contains a remedy for this issue.
FIREWALL ENTERPRISE: Partial coverage is provided via the McAfee Firewall Enterprise TrustedSource component, which filters or blocks URLs associated with known exploits and malware. Detection for known exploits (and malware variants) is available via the anti-virus component of McAfee Firewall Enterprise.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

CVE-2010-2729

Product coverage:
DAT FILES: Out of scope
VIRUSSCAN ENTERPRISE BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Signature 2272, “Possible Print Spooler Service Impersonation Attempt Detected,” provides coverage for code-execution exploits. The sigset release of September 14 includes the signature “NETBIOS-SS: Microsoft Windows Print Spooler Service Impersonation Vulnerability,” which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of September 14 includes a vulnerability check to assess whether your systems are at risk.
REMEDIATION MANAGER: An upcoming V-Flash will contain a remedy for this issue.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Coverage of the malware itself:

Stuxnet

Product coverage:
DAT FILES: Initial coverage of “Stuxnet” was included in the 6045 DAT files, released July 16. Expanded coverage was last updated in the 6053 DAT release of July 24. Rootkit components are detected as “Generic Rootkit.d.”
WEB GATEWAY: Coverage is provided as “Stuxnet” in the current Gateway Anti-Malware Database update.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Product coverage information has been previously communicated through the free McAfee Labs Threat Advisory service and Virus Information Library.

Q: How does McAfee Global Threat Intelligence (GTI) help protect me against this threat?
A: McAfee GTI File Reputation can identify and block all malware files associated with the Stuxnet worm. In addition, GTI Web Reputation and Network Connection Reputation prevent outbound connectivity to Stuxnet’s command servers, to which the malware uploads the confidential SCADA data it collects from industrial-control systems.

Q: If I have discovered a file identified as Stuxnet on my computer or in my environment, does that mean I was targeted by the creators of the threat?
A: Not necessarily, for two reasons:

  1. Although Stuxnet targeted SCADA systems, it also spread through removable media such as USB devices by exploiting a previously unknown Windows shortcut (LNK) parsing vulnerability (CVE-2010-2568), so nontargeted systems can become carriers of the worm. Thousands of McAfee consumer-product users have reported binaries that were built to attack systems running Siemens industrial-control software.
  2. Once the Stuxnet attack vector became known, unrelated attackers started exploiting the same vector. Generic detection signatures can overlap with the original attack, so other attacks are reported under the Stuxnet name. McAfee chose to name its generic signatures separately from the signature that detects the original attack binaries, but other vendors may not have done so. More than 1,000 binaries have been flagged as Stuxnet by various vendors over the past few months.
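As a practical triage check for the removable-media vector described in point 1: the exploit shortcut is a .lnk whose link-target item list walks into the Control Panel folder and names a path to a module that the shell then loads while rendering the icon (the publicly documented MS10-046 mechanism). The script below is an added example for this post, not McAfee's signature logic and not something the post itself describes; the pattern it looks for, the sample shortcuts, the `E:\loader.tmp` path and the helper names are all constructed assumptions of the example. It parses the shell link header and ItemIDList, pulls out UTF-16 paths, and flags shortcuts that combine both traits, then walks a mounted volume for such files.

```python
"""Heuristic check for shortcut (.lnk) files shaped like the MS10-046
(CVE-2010-2568) exploit that carried Stuxnet over removable media.
Added example, not McAfee's signature logic; the pattern it looks for follows
the public MS10-046 description and is this example's own assumption."""
import struct
import sys
import uuid
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1
# Classic "My Computer" and "Control Panel" shell folder CLSIDs.
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
# The shell should never have to load one of these just to draw a shortcut icon.
LOADABLE_SUFFIXES = (".dll", ".cpl", ".tmp")


def item_ids(data: bytes):
    """Yield the raw ItemID payloads from a shell link's LinkTargetIDList."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return                      # no item list, nothing to inspect
    (list_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos, end = LNK_HEADER_SIZE + 2, LNK_HEADER_SIZE + 2 + list_size
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:          # TerminalID closes the list
            return
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemIDList")
        yield data[pos + 2:pos + item_size]
        pos += item_size


def utf16_strings(blob: bytes, min_len: int = 4):
    """Printable UTF-16LE runs at either byte alignment (how LNK stores paths)."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            ch = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= ch < 0x7F:
                run.append(chr(ch))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def scan_lnk(data: bytes) -> dict:
    """Flag a shortcut whose item list enters Control Panel and names a module."""
    result = {"control_panel_item": False, "module_paths": [], "suspicious": False}
    for item in item_ids(data):
        if CONTROL_PANEL_CLSID in item:
            result["control_panel_item"] = True
        for s in utf16_strings(item):
            if s.lower().endswith(LOADABLE_SUFFIXES):
                result["module_paths"].append(s)
    result["suspicious"] = result["control_panel_item"] and bool(result["module_paths"])
    return result


def scan_volume(root: str) -> list:
    """Walk a mounted volume (e.g. a USB stick) and return flagged .lnk files."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        try:
            verdict = scan_lnk(path.read_bytes())
        except (OSError, ValueError):
            continue                # unreadable, or not really a shell link
        if verdict["suspicious"]:
            hits.append((str(path), verdict["module_paths"]))
    return hits


def build_lnk(items: list) -> bytes:
    """Assemble a minimal shell link around the given ItemIDs (test data only)."""
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: an ordinary file shortcut, and one shaped like the exploit.
BENIGN_SAMPLE = build_lnk([b"\x1f" + MY_COMPUTER_CLSID,
                           b"\x2f" + "C:\\Users\\me\\notes.txt".encode("utf-16-le")])
SUSPICIOUS_SAMPLE = build_lnk([b"\x1f" + MY_COMPUTER_CLSID, b"\x1f" + CONTROL_PANEL_CLSID,
                               b"\x00" + "E:\\loader.tmp".encode("utf-16-le")])  # hypothetical path

if __name__ == "__main__":          # usage: python lnk_check.py E:\
    print("sample:", scan_lnk(SUSPICIOUS_SAMPLE))
    for path, modules in scan_volume(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("FLAGGED", path, modules)
```

Point it at the root of a mounted removable volume; a clean stick returns no hits, and a flagged file is worth pulling for analysis together with any module it names. It is a heuristic, not a signature: a reworked exploit could use a different folder CLSID or place the path elsewhere, so treat a clean result as triage rather than as a substitute for the MS10-046 patch and current DATs.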

Tune in later for additional Stuxnet-related information.
