Stuxnet Attacks Used 4 Windows Zero-Day Exploits
abadnog writes "The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft's Windows operating system, according to a startling disclosure from Microsoft. Two of the four vulnerabilities are still unpatched. Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine. The malware also exploited two different elevation of privilege holes to gain complete control over the affected system."
...zero-day bug in the Print Spooler Service...
it won't affect the iPad!
Yeah, yeah, -1 Troll, -1 Flamebait, -1 Offtopic...
define: zero day
Pertaining to the day on which software is released; New; as yet unpatched
So it sounds like zero day means that it was present in the unpatched version?
That said, the summary says nothing about patched vs. unpatched. There would be a great outcry if a vulnerability in Linux/OSS was exploited, even though that vulnerability was already patched, and the summary failed to mention that the only reason it was exploited was because the system was NOT patched...
Do you mean "for"? Because 4 == four.
When not four, 4 is 2 B.
... or maybe ! 2 B.
It's funny how this happened right after Microsoft released the source code of Windows 7 to the Russian government...Just sayin...
The exploits used unpatched bugs.
That said, if this is the work of well-funded terrorists, they are probably well funded enough to have access to the Windows source code. Yes, yes, Microsoft doesn't disclose the entire code base for their OS. The parts that were exploited (like the print spooler) are probably considered "not high enough risk" and so are disclosed to governments far and near.
In fact, the only guys playing catch-up seem to be the anti-virus writers.
Just because MS releases a patch doesn't mean that users apply said patch.
it took me like 30 seconds to figure out what you were trying to say here
Same here – but I actually figured it out as soon as I looked up and read TFHeadline.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Actually I was responding to his specific question: "How can a vulnerability that Microsoft had patched a very long time ago (MS08-067) be called a zero-day?"
In response to your question, no, I don't define "zero-day" to mean "unpatched bug". I define it to mean "exploit found using unpatched bug in the wild on the day it is first reported to a security researcher (preferred), or else vendor (not ideal, as they have less incentive to disclose all important details)".
A zero-day vulnerability is widely recognized to be a vulnerability that is found only because it's being exploited, which is how the four vulnerabilities appear to have been discovered. I suspect that the author of the article reasoned that a zero-day vulnerability remains a zero-day vulnerability even after a patch is available for it.
I don't think there's any guidelines for when, if ever, an exploit stops being called a zero-day vulnerability and becomes just a normal one.
All these neat day0 exploits wasted to get into an industrial control system. The number of those systems is only in the thousands; they could have taken control over millions of normal Windows PCs. Whoever designed this must have been really determined to get data out of those Siemens controllers. Wouldn't it be easier just to bribe a local operator into getting the info?
Or did they want to create their own botnet of SCADA systems? Then you can brag that you can shut down a country at the touch of a button.
"...noting that the worm also used signed digital certificates stolen from RealTek and JMicron..."
I wonder how they obtained driver level certificates. I can imagine how, but I'd be curious to know the actual method.
I also chuckled at the fact that part of the exploit involved something that was patched a month ago. More unpatched PCs get attacked. I'm shocked. SHOCKED!
TFS lists 5 vulnerabilities, one identified as old (MS08-067). What gives you the impression that they are calling the known exploit a zero day instead of the remaining four (previously undisclosed) that they list? Generally when being pedantic it's best to ensure you aren't making a more obvious error.
No, it can't. The article may use it that way, but it is incorrect.
Zero-day means that there is a hack before there is knowledge of it or, obviously, a fix for it.
http://en.wikipedia.org/wiki/Zero-day_attack
There are two types of people in the world: Those who crave closure
It stops being called a zero-day vulnerability... once there's a patch out. Just because a patch is or isn't used doesn't change that.
"Hey Taco man you do realize this is recycled old news from about two month ago, don't you?"
Do you mean it's not zero-day news?
Reference: common, universally-accepted infosec lingo.
A zero-day exploit is an exploit which works against a zero-day vulnerability. As soon as a patch is released (day 1) neither the exploit nor the vulnerability is "zero-day" anymore.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.