Madrid, September 17, 2010 – Kaspersky Lab detected this vulnerability in Microsoft Windows and has cooperated with Microsoft to fix it.
The vulnerability, classified as "zero-day" when it was detected, has been used by the famous Stuxnet worm. This worm is dangerous because it is an industrial espionage tool: it is designed to gain access to the Siemens WinCC operating system, responsible for collecting and monitoring data.
Since its appearance last July, security specialists have been able to study it closely. Kaspersky Lab experts have dug deeper into Stuxnet's functionality and have discovered that, in addition to the vulnerability that was initially detected (in the processing of LNK and PIF files), it also uses four other Microsoft vulnerabilities.
Along with MS08-067, Stuxnet also uses another vulnerability to spread, located in the Windows Print Spooler service, which can be used to send malicious code to a remote computer when the program is run.
Kaspersky Lab experts were the first to detect that vulnerability and reported it to Microsoft, which analyzed it and agreed with Kaspersky Lab's findings. The vulnerability was dubbed "Print Spooler Service Impersonation" and was classified as "critical." Microsoft immediately began working to close the hole and released patch MS10-061 on September 14. Due to the characteristics of this vulnerability, the infection can spread to computers that use a printer or through shared access to one of them. Once it has infected a computer connected to a network, Stuxnet tries to spread to other computers.
An example is MS08-067, a vulnerability that was also used by the infamous Kido (Conficker) worm in early 2009. The other three vulnerabilities were unknown until now and are in current versions of Windows.
Kaspersky Lab has also detected yet another zero-day vulnerability in Stuxnet's code. It was classified as "Elevation of Privilege" (EoP) and the worm could use it to gain full control of the infected computer. Another similar vulnerability was also detected by Microsoft experts. Both will be corrected in future security updates for Windows operating systems.
Alexander Gostev, Kaspersky Lab's chief security expert, played an active role in identifying the new threat and cooperated closely with Microsoft to resolve the issue. Alexander has published an informative blog post on the subject. The data collected in Stuxnet's analysis, including details of how these vulnerabilities could be exploited, will be presented at the Virus Bulletin conference in Canada in September 2010.
"Stuxnet was the first malware program capable of simultaneously exploiting up to four vulnerabilities," said Alexander Gostev. "This makes it unique: it's the first threat we've detected that contains so many surprises in a simple package. Before we detected this new vulnerability, it must have been worth a fortune for hackers. Since Stuxnet also uses Realtek and JMicron digital certificates – and remember that its function was to steal data stored in Simatic WinCC SCADA – all this makes it an unprecedented threat. We have to say it, its developers have shown great qualities in programming."
All Kaspersky Lab products detect and neutralize Stuxnet.
About Kaspersky Lab
Kaspersky Lab is the largest antivirus company in Europe. Kaspersky Lab provides one of the world's most immediate protections against computer security threats, including viruses, spyware, crimeware, hackers, phishing and spam. Thanks to products such as Internet Security, the company is among the top four global manufacturers of computer security solutions for end users. Kaspersky Lab products and solutions provide one of the fastest response times and highest detection levels in the industry for home users, small and medium-sized businesses, large corporations, and the mobile computing environment. Kaspersky® technology is also included in products and services of other developers of leading security solutions in the computer industry. You can find more information and access to Kaspersky antivirus downloads on our website. For the latest in antivirus, antispyware, and other aspects and trends in computer security, visit www.viruslist.com/sp/.

