Symantec say they have discovered how the Stuxnet worm manages to re-infect a computer that has been cleaned of it.

Posted on September 29, 2010


The Stuxnet worm continues to make headlines, most recently with reports that computers at an Iranian nuclear power plant have been infected, potentially giving hackers the ability to access computer-control systems and compromise plant operations.

Analysis of the Stuxnet worm reveals something interesting on an almost daily basis. Liam O Murchu, manager of Symantec’s North American Malware Response team, says that he has discovered how the worm manages to re-infect a computer that has been cleaned of it.

Stuxnet has been spotted using various propagation methods: infected flash drives, autorun files, Windows vulnerabilities, and more.

Computerworld reports that the latest discovery by O Murchu reveals that Stuxnet injects a malicious DLL into every Step 7 project on an already compromised computer, so that even when a PC gets cleaned of the worm, the opening of any Step 7 file will compromise it again.

This is another feature that supports the theory that Stuxnet’s makers are state-backed. It also indicates that whoever designed and wrote it must have known the ins and outs of the targeted SCADA system well, since Step 7 is the Siemens software used to configure the control system hardware.
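Because cleaning the host is not enough once the project files themselves carry the payload, a defender would also want to sweep the engineering projects. The following is an added illustration, not code from the article, Symantec or Computerworld: it treats every directory holding a `.s7p` file as a Step 7 project (an assumption about how projects are identified) and flags any DLL found beneath it, since project data should not contain executables. The directory layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

PROJECT_MARKER = ".s7p"      # assumed Step 7 project file extension
SUSPECT_SUFFIXES = {".dll"}  # engineering data should not carry executables


def sha256_of(path: Path) -> str:
    """Hash a flagged file so it can be triaged or matched against known samples."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_step7_projects(root: Path):
    """Yield every directory under root that holds a .s7p project file."""
    for dirpath, _dirs, files in os.walk(root):
        if any(name.lower().endswith(PROJECT_MARKER) for name in files):
            yield Path(dirpath)


def find_suspicious_dlls(root: Path) -> list:
    """Report every DLL found anywhere inside a Step 7 project tree."""
    findings = []
    for project in find_step7_projects(root):
        for path in project.rglob("*"):
            if path.is_file() and path.suffix.lower() in SUSPECT_SUFFIXES:
                findings.append({"project": str(project),
                                 "file": str(path),
                                 "sha256": sha256_of(path)})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed layout: two projects, one of them carrying a planted DLL."""
    clean = root / "Projects" / "Plant_A"
    clean.mkdir(parents=True, exist_ok=True)
    (clean / "Plant_A.s7p").write_bytes(b"constructed project header")
    tainted = root / "Projects" / "Plant_B"
    (tainted / "data").mkdir(parents=True, exist_ok=True)
    (tainted / "Plant_B.s7p").write_bytes(b"constructed project header")
    (tainted / "data" / "planted.dll").write_bytes(b"MZ constructed, not a real binary")


def demo() -> list:
    """Build the constructed tree in a temp dir and return the sweep's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return find_suspicious_dlls(Path(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['project']}: {hit['file']} sha256={hit['sha256']}")
```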

Security researchers at Veracode say that the Iranian power plant incident is further proof for government agencies in particular that cyber security threats have moved beyond data breaches to impacting the safety of entire nations.

This statement follows earlier warnings from the company about vulnerabilities created by third-party software that were associated with the earlier Siemens Stuxnet attack.

Veracode and others in the security community view Stuxnet as particularly worrisome because of its sophistication and its ability to steal data, target computer-control systems and, in many ways, avoid detection.

Stuxnet is the most recent example of an advanced persistent threat (APT), a category of attack used primarily for espionage, at either the corporate or the government level, that is particularly coordinated and clandestine. There has been a documented rise in APTs, a trend that presents a significant risk to software infrastructure that sits behind porous firewalls.

“For far too long cyber security efforts have focused on network-based approaches to thwarting advanced persistent threats,” said Matt Moynahan, CEO, Veracode. “It’s critical for governments and corporations to quickly connect the dots between cyber security and the need for software assurance. Cyber security efforts must include a focus on securing our nation’s software infrastructure given that is where the vast majority of exploitable vulnerabilities lie. The recent Iranian power plant episode is a clear example of the ease of exploiting insecure software.”
