Symantec updates against W32.Stuxnet threat

CIOL Bureau
Updated On
New Update


BANGALORE, INDIA: End-point security firm Symantec has said its products has been updated to check W32.Stuxnet, the latest trojan threat.

According to a Syamantec release, the company products can detect and remove the malware from infected systems.

Symantec had recently detected W32.Stuxnet, which uses a previously unseen technique to target sensitive information by attacking an enterprise with global operations. The attacks are based on a new Microsoft zero-day vulnerability in Windows Shell and is somewhat reminiscent of the Hydraq attacker earlier this year when certain users were targeted with a brand new zero-day vulnerability.


Also read: Security Threats 2010

According to the security company, the W32.Stuxnet threat contains a rootkit component that it uses to hide two types of files —(i) All files that end in '.lnk'. (ii)  All files that start with '~WTR' and end with '.tmp'. It also contains many different functions including attempts to access SCADA (supervisory control and data acquisition) systems. Due to security reasons these systems are usually not connected to the Internet, but this virus spreads when infected USB removable media is inserted into a computer. 

The release adds that prior to this there have been many threats that spread via USB drive by leveraging the autorun.inf file capability. However in this case, the autorun.inf feature is not needed because as soon as the user opens the drive at its base folder, the file system is accessed to display the contents and that triggers the hidden .lnk file.


Also read: W32.Stuxnet - Commonly Asked Questions

Once a system is infected, users will not be able to see the files that are copied to the USB drive because they are being hidden by the rootkit. The threat injects itself into iexplore.exe.  As iexplore.exe is generally trusted by firewalls this technique allows the threat to bypass certain firewalls enabling communication outside the network. It also attempts to terminate several processes that belong to security products, the release said.

Microsoft has recommended the following mitigation:


> Disable the displaying of icons for shortcuts — this will result in blank icons for every shortcut on the computer.

> Disable the WebClient service — It turns out that this is also remotely exploitable and not limited to USB keys.