Early versions of the Stuxnet worm used a novel and cunning method to manipulate the Windows AutoRun feature in order to spread, according to information published by a Symantec researcher who helped analyze the worm after it was first identified.
Writing on the Symantec Connect blog, Symantec researcher Liam O Murchu detailed one method that early instances of the worm used to infect machines from the infected USB drives that many security researchers believe were used to propagate the worm. The information provides new indications of the sophistication of the threat, as well as of its evolution over time.
O Murchu was a lead researcher responsible for analyzing Stuxnet after it was first publicly reported and, along with researchers at Kaspersky Lab, discovered the recently patched Windows Print Spooler Service vulnerability that the worm used to infect vulnerable systems. In recent days, he has revealed that the Print Spooler hole was publicly disclosed in a Polish hacking magazine more than a year after he and others independently discovered it as part of the Stuxnet post mortem.
Security experts initially focused on Stuxnet’s use of an until-then unknown flaw in the way Windows parses desktop shortcut (LNK format) files to spread from infected USBs to host systems. Microsoft published a tool to fix the LNK vulnerability in July.
However, O Murchu reveals in his blog post that the addition of the LNK exploit was a later development in the life of the worm – dating to approximately March, 2010. Earlier versions of the worm used a different method to jump from USB drives to vulnerable Windows systems, which O Murchu describes as a ‘cunning’ misappropriation of the AutoRun feature, a standard component on Windows systems since Windows 95 that allows application developers to dictate a series of actions that will take place when external media like CD ROMs, DVDs or USB flash drives are inserted into systems running Windows.
The Stuxnet authors did not discover a vulnerability in AutoRun, O Murchu wrote. Instead, they discovered a flaw in the way the function processes instructions from autorun.inf files. That flaw allowed the Stuxnet authors to craft an autorun.inf file that contained both legitimate AutoRun commands and the malicious executable. The finished file could be interpreted either as an executable file or as a correctly formatted autorun.inf file, O Murchu wrote. Thus the autorun.inf file would allow the USB drive to load on the Windows system and launch the Stuxnet payload, he said. If that failed, the authors also planted a bogus “Open” command on the context (or right-click) menu for the USB drive. Users who activated the context menu and clicked on the bogus Open command would launch the Stuxnet malware invisibly in the background, O Murchu wrote.
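The two traits described above, an autorun.inf that also carries executable content and one that hijacks the "Open" context-menu verb, are both visible to a defender who inspects removable media. The following detector is an added example written for this article, not Symantec's analysis tooling or any code from the worm; the sample autorun.inf files, the file name payload.exe and the 5% non-text threshold are constructed assumptions.

```python
import re
from typing import Dict, List

# Signature bytes at the start of a Windows executable (DOS/PE header).
MZ_MAGIC = b"MZ"
# [autorun] keys that launch a program when the media is inserted.
EXEC_KEYS = {"open", "shellexecute"}
# Keys of the form shell\<verb>\command, which add or override context-menu verbs.
SHELL_CMD_RE = re.compile(r"^shell\\([^\\=]+)\\command$", re.IGNORECASE)
# Assumed threshold: more than 5% non-text bytes in a text config file is abnormal.
NON_TEXT_RATIO_LIMIT = 0.05


def parse_autorun_pairs(data: bytes) -> Dict[str, str]:
    """Collect key=value pairs under an [autorun] section.

    Decoding is deliberately lossy (latin-1 never fails) and unknown lines are
    skipped rather than treated as errors: a polyglot file pads the section with
    binary junk that a tolerant INI parser ignores, so we must not abort on it.
    """
    in_autorun = False
    pairs: Dict[str, str] = {}
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def non_text_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor CR/LF/TAB."""
    if not data:
        return 0.0
    non_text = sum(1 for b in data if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)))
    return non_text / len(data)


def analyze_autorun(data: bytes) -> List[str]:
    """Return human-readable findings for one autorun.inf; empty means nothing suspicious."""
    findings: List[str] = []
    if data.startswith(MZ_MAGIC):
        findings.append("file begins with an MZ header: it is also a valid executable")
    ratio = non_text_ratio(data)
    if ratio > NON_TEXT_RATIO_LIMIT:
        findings.append(f"{ratio:.0%} of the file is non-text bytes")
    for key, value in parse_autorun_pairs(data).items():
        if key in EXEC_KEYS:
            findings.append(f"'{key}={value}' launches a program on insertion")
        match = SHELL_CMD_RE.match(key)
        if match:
            verb = match.group(1).lower()
            note = " (overrides the default Open action)" if verb == "open" else ""
            findings.append(f"context-menu verb '{verb}' runs '{value}'{note}")
    return findings


# Constructed samples for demonstration; not real files from any infection.
BENIGN_INF = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Drive\r\n"
SUSPICIOUS_INF = (
    MZ_MAGIC + b"\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"  # fake DOS header start
    + b"\xff" * 40                                          # binary padding
    + b"\r\n[autorun]\r\n"
    + b"open=payload.exe\r\n"
    + b"shell\\open\\command=payload.exe\r\n"
    + b"shell=open\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, analyze_autorun(sample) or ["no findings"])
```

Run against autorun.inf files collected from removable media, the checks complement each other: an MZ header or a high non-text ratio catches the polyglot construction regardless of which keys it carries, while the key inspection catches a plain-text file that merely redirects insertion or the Open verb to a program. A benign file that only sets an icon and label yields no findings.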
The latest details on Stuxnet come amid mounting speculation about the source and purposes of Stuxnet. Nation-state involvement was suspected with Stuxnet from early on, given the worm’s focus on industrial control systems manufactured by Siemens. More recently, though, some security experts have openly speculated that the worm was designed as a stealth, targeted attack on nuclear facilities in Iran, but jumped the fence.
O Murchu’s post also comes ahead of presentations by O Murchu and Kaspersky Lab researcher Alexander Gostev at the annual Virus Bulletin Conference in Vancouver that will divulge further details about the inner workings of the worm. At least two of the previously undisclosed, or “zero day”, vulnerabilities used by Stuxnet to take control of systems are still unpatched, and little is known about them.