Stuxnet is a family of multi-component malware that spreads via removable drives. It was apparently created in 2009 but was first detected in June 2010 by a security firm based in Belarus. Due to the complexity and sophistication of Stuxnet, it has proven to be difficult and time consuming to analyze in detail. Interesting details from several researchers have been reported in the media in the past few days and have gained significant media attention. As this is a topic scheduled for several presentations at the upcoming Virus Bulletin Conference in Vancouver, the media activity on the topic has probably not yet reached its peak.
To spread, Stuxnet exploits one or more (up to four) vulnerabilities in Microsoft Windows operating systems. This allows the worm component to automatically execute in vulnerable systems by using specially-crafted, malicious shortcut files. When executed, a Stuxnet worm drops these malicious shortcut files into removable drives. When the drive is accessed using an application that displays shortcut icons (such as Windows Explorer) on a vulnerable computer, the shortcut file is automatically executed.
Once executed on a vulnerable Windows system, the highly sophisticated worm is reportedly designed to search for industrial control systems manufactured by Siemens, generically known as Supervisory Control and Data Acquisition or SCADA systems. Once the targeted SCADA systems are located, the malware will take advantage of, by design, Programmable Logic Controllers (PLCs) and upload its own code to them, reportedly changing the programmed behavior of the PLC. This uploaded rootkit function is the first publically known rootkit that is able to hide injected code located in a PLC. If it does not find the specific configuration it was programmed for, Stuxnet is rather benign.
There has been intense speculation by some experts on who created the worm and its intended target. Without sufficient confirmation or details of technical analysis, this is speculation and not facts. The speculation cannot be ignored, but neither can it be believed, or repeated, without making clear that it is speculation at this point.
As of September 24, 2010, 100 percent of the products in ICSA Labs Anti-Virus Certification program detect the Stuxnet malware.