Sep 15, 2010 10:56 GMT

One of the security updates released by Microsoft yesterday addresses a previously undisclosed vulnerability exploited by the notorious Stuxnet malware, which also leverages two additional zero-day privilege escalation bugs that have yet to be patched.

These new revelations, coupled with the previous findings about the worm, most likely earn Stuxnet the title of most sophisticated malware of all time.

The threat was discovered by a Belarusian antivirus company called VirusBlokAda, which disclosed that it exploits a critical and previously unknown vulnerability in the way Windows processes LNK files.

Soon after, researchers from other companies revealed that it also drops a rootkit component signed with digital certificates stolen from chipset manufacturers Realtek and JMicron.

This was followed by the announcement that it is designed to steal designs and other data from databases used by Simatic WinCC Supervisory Control and Data Acquisition (SCADA) systems.

Not only that, but it can actually write rogue code to the PLCs (Programmable Logic Controllers) of such systems, which are used to control and monitor mission-critical operations in industrial environments.

And as if all this wasn't enough, security researchers from Kaspersky Lab now reveal that the intriguing piece of malware also exploits two other vulnerabilities in order to spread on local networks.

One of them affects the Windows Print Spooler service, which is used to share printers, and was patched yesterday in the MS10-061 critical security bulletin.

"The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC," Microsoft explains.

The other exploit used in the propagation routines targets MS08-067, a vulnerability from 2008 that was also leveraged by the notorious Conficker worm.

The people behind Stuxnet probably chose to make use of such an old exploit because they know that SCADA networks don't employ advanced intrusion detection systems.

"In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system," Microsoft's Jerry Bryant wrote in a post on the Microsoft Security Response Center (MSRC) blog.

These two previously undisclosed vulnerabilities, one of which affects Windows XP and the other all post-Vista systems, will be addressed by Microsoft in a future security bulletin.

"Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS7," Alexander Gostev, the head of Kaspersky's Global Research and Analysis Team, concludes.