Stuxnet Circulates Via Binary Planting
Researchers at the security firm Symantec have described a further Stuxnet propagation method that targets Step7 project folders: a computer is infected when a user opens a tampered project that may have come from a third party.
SIMATIC Step7 stores each project as a folder identified by a .s7p project file in its root. According to Symantec, the worm has a third propagation routine that exploits a DLL preloading flaw in the SIMATIC Step7 software.
Any project the worm finds on an infected machine can be tampered with in this way, and Symantec's analysis further indicates that projects stored inside Zip archives can be infected by the same technique.
Stuxnet drops a DLL with a specific name into several subfolders of the project's hOmSave7 folder. That DLL acts as a decryptor and loader for an encrypted copy of the worm's main DLL, which is written to xutils\listen\xr000000.mdx inside the project. The tactic belongs to the DLL preloading (binary planting) class of attack that was widely publicised in August 2010.
When Step7 loads this DLL by name rather than by full path, it searches a fixed list of locations in order, the last of which are subfolders of the project's hOmSave7 directory. A planted copy there is loaded whenever the library is not found in any of the earlier locations, so simply opening the project runs the attacker's code.
Stuxnet's ability to infect project files so that they in turn infect any machine on which they are opened adds a further propagation vector to the list. Security experts warn programmers and operators to be wary of project files from unreliable sources such as Internet forums, but the most probable source of infection is in fact a trusted party whose own systems have been compromised.
Worse, infected projects restored from backups can reinfect previously cleaned systems, so administrators need to exercise caution when restoring project files in this way.
Security experts say that many things set Stuxnet apart from the crowd. Its targeting of industrial systems alone has generated a great deal of attention, and this new disclosure is yet more evidence of the worm's unprecedented complexity.
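As an added example that is not part of the original article or of Symantec's tooling, the following Python script checks a Step7 project folder, or a zip archive of one, for the two on-disk indicators named above (a DLL beneath hOmSave7 and the encrypted payload at xutils\listen\xr000000.mdx) before a backup is restored or a third-party project is opened. The function names, the constructed sample project layout and the assumption that a clean project carries no DLL anywhere under hOmSave7 are this example's own.

```python
import os
import tempfile
import zipfile

# Indicators taken from the article: a DLL planted beneath the project's
# hOmSave7 folder, and the encrypted copy of the main DLL at
# xutils\listen\xr000000.mdx. Comparison is case-insensitive because NTFS is.
PLANTED_DLL_PARENT = "homsave7"
ENCRYPTED_PAYLOAD = ("xutils", "listen", "xr000000.mdx")


def classify(relpath):
    """Label a project-relative path as an indicator, or return None.

    Accepts either path separator so zip entries and on-disk paths are
    handled the same way.
    """
    parts = [p.lower() for p in relpath.replace("\\", "/").split("/") if p]
    if not parts:
        return None
    if tuple(parts[-3:]) == ENCRYPTED_PAYLOAD:
        return "encrypted main DLL copy"
    # Assumption (this example's own): a clean Step7 project carries no DLL
    # under hOmSave7, so any .dll there is a binary-planting candidate.
    if parts[-1].endswith(".dll") and PLANTED_DLL_PARENT in parts[:-1]:
        return "DLL planted under hOmSave7"
    return None


def is_step7_project(root):
    """A Step7 project folder is identified by a .s7p file in its root."""
    return any(n.lower().endswith(".s7p") for n in os.listdir(root))


def scan_directory(root):
    """Walk an on-disk project folder; return sorted [(relpath, label), ...]."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            label = classify(rel)
            if label:
                findings.append((rel.replace("\\", "/"), label))
    return sorted(findings)


def scan_zip(zip_path):
    """Inspect a zipped project without extracting it (the article notes that
    projects inside Zip archives can be infected the same way)."""
    findings = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            label = classify(name)
            if label:
                findings.append((name, label))
    return sorted(findings)


def build_sample_project(base):
    """Create a constructed, purely illustrative layout that mimics an
    infected project. File contents are placeholders, not malware."""
    layout = {
        "MyPlant.s7p": b"placeholder project file",
        "hOmSave7/sub1/planted.dll": b"MZ placeholder",
        "xutils/listen/xr000000.mdx": b"placeholder encrypted blob",
        "xutils/links/notes.txt": b"benign",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def zip_project(project_dir, zip_path):
    """Archive a project folder so scan_zip can be demonstrated offline."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for dirpath, _, filenames in os.walk(project_dir):
            for name in filenames:
                full = os.path.join(dirpath, name)
                arc = os.path.relpath(full, project_dir).replace("\\", "/")
                zf.write(full, arc)
    return zip_path


def run_demo():
    """Build the constructed project in a temp dir, scan it both as a folder
    and as a zip, and return (is_project, dir_findings, zip_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        project = build_sample_project(os.path.join(tmp, "proj"))
        dir_findings = scan_directory(project)
        archive = zip_project(project, os.path.join(tmp, "proj.zip"))
        return is_step7_project(project), dir_findings, scan_zip(archive)


if __name__ == "__main__":
    is_project, dir_findings, zip_findings = run_demo()
    print("Step7 project:", is_project)
    for rel, label in dir_findings:
        print(f"[dir] {rel}: {label}")
    for name, label in zip_findings:
        print(f"[zip] {name}: {label}")
```

Point `scan_directory` at each project folder in a backup set (or `scan_zip` at archived projects) before restoring; a hit on either indicator means the project should be rebuilt from a known-clean source rather than restored. The check is deliberately structural, since the planted DLL's contents can change while the locations Step7 searches cannot.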
SPAMfighter News - 05-10-2010