Kaspersky works with Microsoft to lock down zero-day Stuxnet worm

The culmination of the project was the release of a set of patches in this week's Patch Tuesday update from Microsoft.

According to Kaspersky, the vulnerability was classified as a 'zero-day' flaw when it was detected, and has been used by the notorious Stuxnet worm, Worm.Win32.Stuxnet. Since the worm first emerged in July 2010, the IT security specialist says it has been watching Worm.Win32.Stuxnet very closely.

The virus, says Kaspersky, was designed as an industrial espionage tool to gain access to Siemens WinCC, the supervisory control (SCADA/HMI) software that is responsible for data collection and for monitoring production.

As a result of the serious nature of the virus, Kaspersky Lab says its research experts have gone to great lengths to research the worm's capabilities and have discovered that, in addition to the originally detected vulnerability in the handling of LNK and PIF shortcut files, it also uses four other vulnerabilities in Windows.

One such example is MS08-067, which was also used by the infamous Conficker worm in early 2009. The other three vulnerabilities were previously unknown and exist in the current versions of Windows.

Along with MS08-067, Kaspersky says that Stuxnet also uses a vulnerability in the Windows Print Spooler to propagate: it abuses the weakness to write malicious code onto a remote computer, where it is then executed. Because of how the vulnerability works, the infection can spread to any computer that shares a printer or that has access to a shared one.

Having infected a computer connected to a network, Stuxnet then attempts to spread to other computers.
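As an added practitioner check that is not part of the original article or Kaspersky's own material, the PowerShell script below audits a Windows host for the three propagation vectors the article names (the MS08-067 Server service flaw, the LNK/PIF shortcut flaw and the Print Spooler flaw) and lists any printers the host shares, since a shared printer is the spooler vector's spreading condition. The mapping of those vectors to Microsoft KB numbers (KB958644, KB2286198 and KB2347290) is supplied here from the Microsoft bulletins and is not stated in the article.

```powershell
# Editor-added audit script, not code from the article or from Kaspersky.
# Checks whether the fixes for the Stuxnet spreading vectors named in the
# article are installed and whether this host shares a printer.
# KB numbers below are taken from the Microsoft bulletins, not from the article:
#   MS08-067 -> KB958644, LNK/PIF (MS10-046) -> KB2286198,
#   Print Spooler (MS10-061) -> KB2347290
$required = @{
    'KB958644'  = 'MS08-067 Server service (used by Conficker and Stuxnet)'
    'KB2286198' = 'MS10-046 LNK/PIF shortcut parsing'
    'KB2347290' = 'MS10-061 Print Spooler remote code execution'
}

# Get-HotFix reads Win32_QuickFixEngineering, i.e. updates applied through
# Windows Update or .msu packages on this host.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $required.Keys) {
    if ($installed -contains $kb) {
        Write-Output ("OK       {0}  {1}" -f $kb, $required[$kb])
    } else {
        Write-Output ("MISSING  {0}  {1}" -f $kb, $required[$kb])
    }
}

# A shared printer is what lets the spooler flaw reach this host from the
# network, so an unpatched host that exposes one should be patched first.
$shared = Get-WmiObject -Class Win32_Printer -Filter "Shared = TRUE"
if ($shared) {
    foreach ($p in $shared) {
        Write-Output ("SHARED PRINTER  {0} (share name: {1})" -f $p.Name, $p.ShareName)
    }
} else {
    Write-Output "No shared printers on this host."
}
```

Run it in an elevated PowerShell session on the hosts you want to triage. Two caveats: Get-HotFix only sees updates recorded by the Windows installer, so a fix delivered inside a later cumulative update or service pack will not appear under its original KB number, and a MISSING line on such a system is a prompt to verify by other means rather than proof of exposure; and the printer listing covers only printers shared from this host, not shared printers it connects to elsewhere.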

Kaspersky says that its chief security expert Alexander Gostev played an active role in identifying the new threat and co-operated closely with Microsoft to resolve the issue.

Gostev later published an informative blog posting on the topic. The plan is for the data collected while analysing Stuxnet – including the details of how the vulnerabilities can be exploited – to be presented at the Virus Bulletin conference in Canada later this month.

"Stuxnet was the first malware programme to simultaneously exploit as many as four vulnerabilities", he said, adding that this makes the worm quite unique, as it is the first threat that Kaspersky has encountered that contains this many surprises in a single package.

"Before we detected this new vulnerability, it would have been worth a fortune to hackers. Given Stuxnet also uses Realtek and JMicron digital certificates – and remember too that it was ultimately designed to steal the data stored in Simatic WinCC SCADA – all of this makes this threat truly unprecedented", he explained.

"It has to be said, the malware writers have demonstrated quite remarkable programming skills", he noted.
