"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcherat Kaspersky Lab. By comparison, other notable attacks, like the one dubbed"Aurora" that hacked Google's network, andthose of dozens of other major companies, was child's play.
Unbeknownst to Microsoft, it had plugged just one of four zero-day vulnerabilities thatStuxnet used to gain access to a company's network, then seek out and infect the specific machines that managed SCADA systems controlled by software from German electronics giant Siemens.
With a sample of Stuxnet in hand, researchers at both Kaspersky and Symantecwent to work, digging deep in its code in an attempt to learn how it ticked.
What the two companies independently found was attack code that targeted three more unpatched Windows bugs.
"Within a week, a week-and-a-half [of news of Stuxnet], we discovered the print spooler bug," said Schouwenberg. "Then we found one of the EoP (elevation of privilege) bugs." Microsoft researchers discovered a second EoP flaw, Schouwenberg said.
Working independently, Symantec researchers found the print spooler bug and two EoP vulnerabilities in August.
Both firms reported their findings to Microsoft, which patched the print spooler vulnerability [8] on Tuesday, and said it would address the less-dangerous EoP bugs in a future security update.
"Using four zero-days, that's really, really crazy," said O Murchu. "We've never seen that before."
Neither has Kaspersky, Schouwenberg echoed.
But the Stuxnet wonders didn't stop there. The worm also exploited a Windows bug patched in 2008 with Microsoft's MS08-067 update. That bug was the same vulnerabilityused to devastating effect by the notorious Conficker worm [9] in late 2008 and early 2009 to infect millions of machines.
Once within a network -- initially delivered via an infected USB device -- Stuxnet used the EoP vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.
They could then reprogram the so-called PLC(programmable logic control) software to give machinery new instructions.
On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.
Users browsing this forum: No registered users and 6 guests