Posted on by Mr Goose

Stuxnet, another slash in Microsoft’s death of a thousand cuts?

Micro$haft operating systems hit by yet another “zero-day” malware strike is hardly news. But this latest attack in the guise of “Stuxnet” is different. Seems from my albeit limited reading on the subject that the Stuxnet concept strikes right at the very heart of the “Windows way of doing things“.

scutigera coleoptrata animation

For example:-

  1. Windows 7 64bit insists on so-called “signed drivers” – the excuse being that it makes the system much more secure. But Stuxnet worm uses stolen digital certificates (from Realtek & JMicron). So it can freely install its payload ( a.sys file rootkit) as a legitimate driver.
  2. Whilst Verisign has now withdrawn one of these stolen certificates, it is clear that digital signing can no longer be relied upon as a means of verifying the integrity of Windows software or drivers.
  3. Microsoft has been crowing about its “better than Unix” UAC (user access control) system. Stuxnet completely bypasses that. In fact, it appears that in this context that the “.lnk” files that MS uses for its short-cuts are not subject to any form of UAC at all!
  4. This does not only spread by USB sticks as some would have us believe. Infected machines can spread the worm via ethernet connections too. In fact, you don’t have to open a file. You merely need to use Microsoft’s file Explorer to view a directory! So external SMB connections and Sharepoint are both vulnerable now.
  5. Now it is “in the wild” and currently infecting roughly 1000 Windows PCS a day, other “copycat” criminals will use the same or similar techniques.

So, if your computing is important to you, then please don’t put all your proverbial “eggs in one basket” by relying solely on Micro$oft’s poor quality, over-priced operating systems. Or better still, dump M$ completely! It is perfectly achievable and will save you a small fortune:-

http://www.garfnet.org.uk/joomla/index.php?option=com_content&task=view&id=66&Itemid=16

Some further reading:-

http://news.softpedia.com/news/New-Stuxnet-Related-Malware-Signed-Using-Certificate-from-JMicron-148213.shtml

http://www.controlengeurope.com/article.aspx?ArticleID=35267

Probably most easily digested Stuxnet analysis I have read so far:-

http://www.theregister.co.uk/2010/07/20/win_shortcut_vuln_exploit_code/

Honk! Honk!

Leave a Reply