Check Point Protects Systems Against Stuxnet Worm
(CVE-2010-2772, MS08-067, MS10-046, MS10-061)
Summary
The Stuxnet worm is a sophisticated malware program that exploits several vulnerabilities in Microsoft Windows, including the "Shortcut LNK" flaw that Check Point has provided protection against since July 19. Stuxnet's ultimate targets are Programmable Logic Controllers (PLCs) manufactured by Siemens running SIMATIC WinCC and PCS7 industrial automation software. These systems, which are typically programmed via network-connected Windows computers, are used for automation and control in various industrial and scientific applications. Successful infection of PLCs could result in modification of their operation.
Details
Stuxnet contains several different components, including Windows exploits that leverage the Server RPC, Shortcut LNK, and Print Spooler vulnerabilities, all of which have had Check Point network protections applied immediately after their disclosure. The worm includes a Windows rootkit that is employed to hide Stuxnet binaries from the operating system, as well as to replace those files if they are deleted. It also contains a rootkit that is intended to infect Siemens embedded controller systems. In addition, exploits for two other as-yet-undisclosed Windows escalation-of-privilege vulnerabilities are present.
The worm was initially propagated via USB memory devices using the Shortcut LNK vulnerability; however, it also leverages network connections to infect peer Windows systems as well as Siemens PLCs. As of October 2010, it is estimated that at least 100,000 systems are infected with Stuxnet worldwide.
The Server RPC vulnerability was also leveraged by the Conficker worm in 2008. Check Point provided network protection of unpatched systems the same day that the flaw was announced by Microsoft. More information on that outbreak is available here and here.
Affected Products
Stuxnet can infect systems running Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7, as well as Siemens PLCs running SIMATIC WinCC or Step 7.
Solution
Check Point IPS Software Blade, IPS-1, and SmartDefense continue to provide immediate network protection against the Windows vulnerabilities employed by the Stuxnet worm as detailed in the following table:
| Vulnerability | Protection since | More Information |
|---|---|---|
| Server RPC | October 2008 | information page |
| Shortcut LNK | July 2010 | information page |
| Print Spooler | September 2010 | more information |
Check Point Antivirus and Anti-Spyware Software Blade version R71 provides additional protection against Stuxnet.
Originally Published:
Last Updated: 25-Oct-2010