Security researchers have disclosed yet another propagation routine used by the infamous Stuxnet worm, which is very similar to the binary planting techniques disclosed recently.
New revelations keep on coming in the case of the Stuxnet worm, already considered by most experts the most sophisticated piece of malware to date.
There are many things about Stuxnet that makes it stand out from the crowd. It's industrial espionage purpose alone has already generated a lot of noise.
Some people strongly believe the worm is the work of a nation state and claim it was created to target Iran's Bushehr nuclear plant.
Giving the professional design, the amount of work put into it and the fact that Iran was one of the most affected countries, those speculations might well be true.
But, sticking to what's supported by evidence, Stuxnet exploited four unpatched vulnerabilities in Windows, it used components digitally signed with legit certificates stolen from large companies and targeted SCADA systems.
We already know that Stuxnet is capable of stealing project information from databases used by Siemens SIMATIC systems and writing hidden code to the PLCs (programmable logic controllers).According to
security researchers from Symantec, the worm has a third propagation routine, which involves exploiting a DLL preloading vulnerability in the SIMATIC Step7 software.
It seems Stuxnet drops a specially named DLL file in several places inside the hOmSave7 folder of a Step7 project structure.
By doing this it attempts to exploit a type of DLL search path weakness (DLL preloading
), which affects hundreds of applications and was publicly revealed last month.
When a particular DLL is called without specifying a full path, the Step7 software searches for it in several locations in a particular order, the last of which are the subfolders of the project’s hOmSave7 directory.
"Infected projects restored from backups may reintroduce the infection to previously cleaned machines so administrators should exercise caution when restoring files in this manner
," the Symantec researchers warn.
This new revelation that Stuxnet employs an exploitation technique since long before it was publicly disclosed, is yet another testament of the worm's never-before-seen sophistication.