Key Stuxnet LNK Spreading Mechanism Stops Working

Author: Dennis Fisher
minute read

One of the key infection methods for the Stuxnet worm was hard-coded to stop working on June 24, removing one of its techniques for propagation. Researchers say that the date, which is found in coded form in the worm’s instructions, is nearly three years to the day from the date that the first version of Stuxnet was seeded.

One of the key infection methods for the Stuxnet worm was hard-coded to stop working on June 24, removing one of its techniques for propagation. Researchers say that the date, which is found in coded form in the worm’s instructions, is nearly three years to the day from the date that the first version of Stuxnet was seeded.

Stuxnet contains several different methods for spreading and infecting new machines. One of those infection methods is through the use of LNK files that are copied to a USB storage device. This was among the first sections of Stuxnet to be identified and dissected by researchers.

“There are currently three known variants of Stuxnet – which were all seeded in waves, on different dates. The first known variant was seeded on June 23rd, 2009 at 4:40am GMT. The next wave took place on June 28th and then on July 7th.

So, on June 24th, 2012, we were roughly three years since the initial deployment of the worm that squirmed through carefully selected Iranian organizations,” Costin Raiu of Kaspersky Lab wrote in an analysis of the drop-dead date for the LNK mechanism.

One other bit of weirdness involved in this episode is that there’s another date that’s hard-coded into the Duqu code. That date, June 24, 1982, is the day that a British Airways flight from London to Auckland, New Zealand, flew through an ash cloud from a volcanic eruption and lost all four of its engines, eventually making an emergency landing in Jakarta. What that incident has to do with a piece of malware designed almost 30 years later is unclear.

“Of course, nobody outside of the project can say for sure why Stuxnet stopped spreading exactly 30 years from this incident, or why the date is also hardcoded in the Duqu decryption subroutine. In addition to June 24th, the Stuxnet MS10-061 exploit stopped working on June 1st, 2011. Moreover, the MS08-067 exploit checks dates before January 2030.

Nevertheless, all these checks probably indicate that the attackers were planning to have it long updated by June 1st, 2011 and retired or replaced by June 24th, 2012,” Raiu said.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.