Stuxnet worm can re-infect scrubbed PCs

Iran's attempts to eradicate worm could be stymied by new infection vector, says researcher

By , Computerworld |  Security, Stuxnet

A security researcher today revealed yet another way that the Stuxnet worm spreads, a tactic that can re-infect machines that have already been scrubbed of the malware.

[ Was Stuxnet built to attack Iran's nuclear program? ]

The new information came on the heels of admissions by Iranian officials that Stuxnet had infected at least 30,000 of the country's Windows PCs, including some of the machines at the Bushehr nuclear reactor in southwestern Iran.

The worm, which has been dubbed the world's most sophisticated malware ever , targets Windows PCs that oversee industrial-control systems, called "SCADA" systems, that in turn manage and monitor machinery in power plants, factories, pipelines and military installations.

Previously, researchers had spotted several propagation methods in Stuxnet that ranged from spreading via infected USB flash drives to migrating between machines using multiple unpatched Windows bugs.

Liam O Murchu, manager of operations on Symantec's security response team and one of a handful of researchers who have been analyzing Stuxnet since its public appearance in July, said today he'd found another way that the worm spreads. According to O Murchu, Stuxnet also injects a malicious DLL into every Step 7 project on a compromised PC, ensuring that the worm spreads to other, unaffected PCs whenever an infected Step 7 file is opened.

Step 7 is the Siemens software used to program and configure the German company's industrial control system hardware. When Stuxnet detects Step 7 software, it tries to hijack the program and pass control to outsiders.

"All Step 7 projects [on a compromised computer] are infected by Stuxnet," O Murchu said in an interview today. "Anyone who opens a project infected by Stuxnet is then compromised by the worm."

O Murchu said that the Step 7 propagation vector would insure that already-cleaned PCs would be re-infected if they later opened a malicious Step 7 project folder. "You could imagine the scenario where someone had cleaned the computer of Stuxnet, but before they did that, they backed up the project," he said. "When the project was later restored [to the now-clean] PC, it would be re-infected."

Another possibility, said O Murchu, is that Stuxnet's makers hoped to infect systems at a central SCADA-programming authority, which would then pass along the worm to PCs at several facilities that would use the Step 7 files to configure the local control hardware.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question