W32/Stuxnet (hereinafter called Stuxnet) is a computer virus that spreads by exploiting the Windows Shell vulnerability MS10-046. This vulnerability lies in the way Windows handles shortcut files*. Specifically, when a PC user displays the icon of a shortcut file in Windows Explorer, Windows does not correctly validate the file that the icon refers to. Consequently, if a file containing malicious code is referenced in place of the file that the shortcut is supposed to open when its icon is clicked, a program exploiting this vulnerability might be executed (see Figure 1-1).
*Shortcut file: A file that serves as a reference to another file, folder, or application program. Although the referenced file itself is not present at that location, a shortcut file can, on the surface, be handled in the same manner as the referenced file, thus allowing simplified access to it.
Figure 1-1: Example of Opening a Folder from My Computer, which Results in Referencing Files Contained
IPA obtained a sample of the Stuxnet virus and analyzed it. How it is transmitted is described below.
The distinctive feature of this virus is that "the virus is activated merely by opening a folder that contains a doctored shortcut file (.lnk file) in Windows Explorer." This is a new attack method that had never been observed before.
For example, if a USB thumb drive containing a Stuxnet virus file is inserted into a PC that has the Windows Shell vulnerability MS10-046, and the user opens the folder containing that virus file in Windows Explorer in order to look at the files on the USB thumb drive, the Stuxnet virus attack is launched without the user touching that file (see Figure 1-1).
Several viruses that infect PCs via USB thumb drives have been detected in the past, including W32/Autorun (for convenience, we call them "traditional USB-thumb-drive infection viruses"). Traditional USB-thumb-drive infection viruses can be prevented by disabling the "auto-execute" feature of Windows*. The new attack method detected this time, however, does not use the "auto-execute" feature, so Stuxnet virus attacks cannot be prevented merely by disabling the "auto-execute" feature.
*"Auto-execute" feature of Windows: A feature of Windows whereby, when a USB thumb drive is inserted into a PC or the icon of a USB thumb drive is double-clicked, the files contained on it are automatically executed. Also called Autorun.
- "Procedures for Disabling the "Auto-Execute" Feature on Windows" (IPA) http://www.ipa.go.jp/security/virus/autorun/ (in Japanese)
We found that the Stuxnet virus also infects PCs through routes other than USB thumb drives, including the following (see Figure 1-2):
(a) Infection via a shared folder on a network
If a virus file is placed in a shared folder on a network, opening the shared folder to display its contents leads to infection of that PC.
(b) Infection by saving a virus file attached to an e-mail and opening the folder containing it
If a virus file is sent as an e-mail attachment and the recipient saves it in a folder, opening that folder to display its contents leads to infection of that PC.
(c) Infection by opening a doctored document file
Opening a document file (e.g. a Microsoft Office document) that contains a virus file leads to infection of that PC.
(d) Infection by browsing a defaced Website
Browsing a booby-trapped Website in which a script that opens a virus file has been embedded leads to infection of that PC. The same applies to browsing a legitimate Website that has been defaced by a person with malicious intent.
Figure 1-2: Image of Virus Infections through Routes Other than USB Thumb Drives
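The infection routes above all come down to Explorer rendering the icon of a shortcut file that points somewhere it should not. The following is an added example, not part of the IPA advisory, of how a defender can inspect shortcut files found on removable media or a share offline, before Explorer renders them: a minimal parser for the Windows Shell Link (.lnk) binary format that reports where each shortcut's icon is loaded from. The field layout follows the public MS-SHLLINK specification; the triage heuristic (flagging icons taken from a DLL or CPL outside the Windows directory, or from a network path), the function names and the sample shortcuts are this example's own assumptions, and the sample shortcuts are constructed in the code rather than taken from real infected media.

```python
# Added example: minimal .lnk parser and triage heuristic (not IPA code).
import struct
import uuid

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size

# LinkFlags bits (MS-SHLLINK 2.1.1) used by this example.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(icon_location, relative_path=None):
    """Construct a minimal, well-formed .lnk byte string (sample data for
    this example only) whose icon is taken from `icon_location`."""
    flags = IS_UNICODE | HAS_ICON_LOCATION
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
    # Header: size, CLSID, LinkFlags, FileAttributes, three FILETIMEs,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL = 1), HotKey, Reserved1..3.
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID.bytes_le
    header += struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for flag, name in STRING_FIELDS:
        if flags & flag:
            text = relative_path if name == "relative_path" else icon_location
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict.
    Raises ValueError if the header does not identify a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=data[4:20])
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a shell link header")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip IDListSize + ItemIDList
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                 # skip LinkInfo (size includes itself)
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            if len(raw) != count * width:
                raise ValueError("truncated StringData block: " + name)
            pos += count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


CODE_EXTENSIONS = (".dll", ".cpl")
TRUSTED_PREFIXES = ("%systemroot%", "c:\\windows")  # assumed for this example


def triage_lnk(data):
    """Return (verdict, reason). Heuristic assumed for this example: a shortcut on
    removable media or a share rarely needs its icon from a DLL/CPL outside the
    Windows directory, or from a network path. Note that this only inspects the
    explicit ICON_LOCATION string; an icon may also be resolved from the target."""
    icon = parse_lnk(data).get("icon_location", "")
    low = icon.lower().replace("/", "\\")
    if not icon:
        return ("ok", "no explicit icon location")
    if low.startswith("\\\\"):
        return ("suspicious", "icon loaded from network path: " + icon)
    if low.endswith(CODE_EXTENSIONS) and not low.startswith(TRUSTED_PREFIXES):
        return ("suspicious", "icon loaded from code module outside Windows directory: " + icon)
    return ("ok", "icon location: " + icon)


# Constructed sample shortcuts (not real samples).
SAMPLES = {
    "readme.lnk": build_lnk("%SystemRoot%\\system32\\shell32.dll", "..\\readme.txt"),
    "photos.lnk": build_lnk("E:\\hidden\\icon.dll"),
    "share.lnk": build_lnk("\\\\fileserver\\public\\icons.cpl"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, reason = triage_lnk(blob)
        print(f"{name}: {verdict} ({reason})")
```

The parser deliberately stops at the StringData section and skips the LinkTargetIDList and LinkInfo structures, which is enough to answer the triage question without executing or rendering anything; a production tool would also walk the item ID list, since that is another place a shortcut can name the module its icon comes from.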
The only way to prevent Stuxnet virus infection is to eliminate the Windows vulnerability exploited by this virus. A security patch for this vulnerability has already been released (supported OS: Windows XP SP3, Windows Vista SP1 or later, Windows 7). Apply it promptly.
- "Microsoft Security Bulletin MS10-046 - Critical" (Microsoft)
In addition to the vulnerability mentioned above, check for any other vulnerabilities you have not yet addressed and promptly apply countermeasures as they become available.
- "Keeping Your Computer Up-to-Date by Using Microsoft Update" (Microsoft)
- "Microsoft Security" (Microsoft)
●Fundamental Antivirus Measures
Installing antivirus software and keeping its pattern files up to date is one of the important countermeasures; be sure to do so. For general users, "integrated" antivirus software that also has a feature to block access to risky Websites is recommended.
(3) Countermeasures against Zero-Day Attacks
The existence of the Stuxnet virus had already been confirmed before the security patch and countermeasures for this vulnerability were released. In other words, it was in a "zero-day attack" state until the security patch was released.
A "zero-day attack" is an attack that exploits a vulnerability in an OS or application software that has already been discovered but not yet remedied.
To avoid being hit by a "zero-day attack", you need to collect information from vendors in a timely manner so that you can respond adequately when information on a vulnerability being exploited is released. It is recommended to subscribe to the e-mail newsletters distributed by vendors and to check periodically for articles posted on news sites or portal sites.
- "IPA What's New E-mail Distribution" (IPA)
- "Security Newsletter" (Microsoft)
IPA analyzes vulnerability information released by vendors and, if it is deemed urgent, posts "emergency countermeasures information" on its Website. Refer also to JVN and other portal sites that provide information on vulnerabilities in software products used in Japan as well as countermeasures.
- "Emergency Countermeasures Information/Security Alert List" (IPA) http://www.ipa.go.jp/security/announce/alert.html (in Japanese)
- "JVN (Japan Vulnerability Notes)"
- "Security TechCenter" (Microsoft)
- "security at home" (Microsoft)
For more details, refer to "(3) Points to Avoid Receiving 'Zero-Day Attack'" on the Web page below. If you suspect that you have been subjected to a "zero-day attack", refer to "(4) If you find that you have been under 'Zero-Day Attack'."
- "About Zero-Day Attack That Exploits Vulnerability Whose Security Patch Has Not Been Released" (IPA)