The malware has been active for several days, targeting supervisory control and data acquisition (SCADA) systems, which are used to manage operations at places such as power plants and gas and oil refineries, to obtain data. The United States, Iran and Russia have been hit the hardest, according to security firm ESET. Almost 58 percent of all infections have occurred in the United States.

The Stuxnet worm exploits a zero-day vulnerability present in Windows Shell that was disclosed by Microsoft on Friday. The bug “exists because Windows incorrectly parses shortcuts [.lnk files, which are represented by an icon] in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed,” according to Microsoft's security advisory.
Microsoft on Tuesday updated its advisory to include an automated "Fix It" solution that mitigates the bug's risk by disabling icons from being displayed for shortcuts, which can prevent attacks attempting to exploit this vulnerability.
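As an added example (not code from the article, Microsoft or ESET), the following PowerShell script audits whether the shortcut icon-display workaround described above is in place and, with `-Apply`, enables it after exporting a registry backup. It assumes the workaround consists of clearing the (Default) value of the shell IconHandler keys for .lnk and .pif files, that the stock handler is CLSID_ShellLink, and that the script runs in an elevated session.

```powershell
# Added example: audit/apply the "disable shortcut icons" workaround.
# Assumption: the workaround clears the (Default) IconHandler value for .lnk/.pif.
[CmdletBinding()]
param(
    [switch]$Apply,                                      # clear handlers instead of only reporting
    [string]$BackupDir = "$env:TEMP\lnk-iconhandler-backup"
)

$StockHandler = '{00021401-0000-0000-C000-000000000046}'   # CLSID_ShellLink (stock handler)
$HandlerKeys  = @(
    'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Get-IconHandlerState {
    # One object per key: current (Default) value, whether the workaround is
    # already applied (empty/absent handler) and whether the stock handler is set.
    foreach ($key in $HandlerKeys) {
        $path  = "Registry::$key"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Key       = $key
            Handler   = $value
            Mitigated = [string]::IsNullOrEmpty($value)
            IsStock   = ($value -eq $StockHandler)
        }
    }
}

$state = Get-IconHandlerState
$state | Format-Table -AutoSize

if ($Apply) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($entry in ($state | Where-Object { -not $_.Mitigated })) {
        # Export the key first so the handler can be restored once the patch is installed.
        $backup = Join-Path $BackupDir (($entry.Key -replace '[\\:]', '_') + '.reg')
        & reg.exe export $entry.Key $backup /y | Out-Null
        Set-ItemProperty -Path "Registry::$($entry.Key)" -Name '(default)' -Value ''
        Write-Host "Cleared icon handler for $($entry.Key); backup at $backup"
    }
    Write-Host 'Log off and back on (or restart explorer.exe) for the change to take effect.'
}
```

Clearing the handler removes shortcut icons system-wide, so treat it as a stopgap until the vendor patch is installed, then restore the exported key.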
The flaw permits a malicious .lnk file to be executed by simply plugging in an infected USB device, Randy Abrams, director of technical education at ESET, told SCMagazineUS.com on Wednesday.
“The user doesn't have to click on anything at all,” Abrams said. “You can disable AutoRun, but that doesn't prevent this vulnerability from being executed.”
Once installed, the Stuxnet malware attempts to connect to the database associated with SCADA systems to obtain files and run various queries to collect information, according to Symantec. It also may gather other information relating to servers and the network configuration.
“This specific worm targets SCADA systems, which, for the general public, was a good thing,” Abrams said. “Most people don't have SCADA software on their computers, so when they got infected the worm didn't do anything particularly harmful.”
Major SCADA manufacturer Siemens warned customers about the threat this week. The malware currently is spreading via infected USB devices and targeting Siemens' Simatic WinCC and Simatic PCS 7 software, the company said.
“There is only one known case of infection in Germany,” Siemens said. “We are, at present, trying to find out whether the virus caused any damage.”

The purpose of the Stuxnet malware is likely to carry out corporate espionage, researchers said. Going forward, however, it is likely that the same attack vector will be exploited by other cybercriminals who may have different targets.
“This is version one...copycats are sure to follow,” Jamz Yaneza, threat researcher at anti-virus firm Trend Micro, told SCMagazineUS.com on Wednesday.
Besides being exploited locally through a malicious USB drive, the flaw also can be exploited remotely via network shares and via Web-based Distributed Authoring and Versioning (WebDAV), a set of extensions that allow users to edit and manage files on remote web servers, Microsoft said in its security advisory. An exploit also can be embedded in specific document types that support embedded shortcuts.
If a maliciously crafted link file is placed on a network share, for instance, a user automatically can be infected by connecting to the network share, Abrams said.
“Removable media is probably the most likely exploit scenario, but it certainly isn't the only one,” Abrams said. “You could potentially see another Conficker coming out of this vulnerability because that spread through removable media but also through network shares.”