We’ve had a number of inquiries regarding the .LNK (CVE-2010-2568) vulnerability and related Stuxnet malware. There are a number of stories (for example, CNET) that detail the timeline of events and the SCADA angle to the attacks. Being a SaaS vendor focusing on web-based threats and having the powerful ability to do post-incident web log forensics, I wanted to share information on what we saw.
Detections:
Conducting web log forensics, we detected a small number of Stuxnet infected machines calling out to known C&C servers. None of the impacted machines appear to be running SCADA or industrial equipment.
We are sharing the below information to facilitate detection and analysis for other security operations centers (SOCs) and the like.
The date of all of the infected transactions observed was on July 12.
C&C Server: www.mypremierfutbol.com
Server IP: 78.111.169.146
URL Sample: www.mypremierfutbol.com/index.php?data=66a96e28<redacted>
Request Type: GET
- Only one transaction was observed to the C&C per infected machine.
- The request size varied depending on the data parameter.
- The response size was always 24,778 bytes in the observed transactions.
- The user agent string varied among Microsoft Internet Explorer versions (to include MS IE 8).
- The transaction to the C&C was observed immediately following a transaction to MSN or WindowsUpdate.
The URL data parameter always began with “66a96e28” in the observed transactions – the remainder of the data string has been redacted to protect the victim information. The exact details of the data string is currently unknown, however it is likely to contain encoded details about the victim – such as Windows version, host name, account name, and possibly whether the Siemens WinCC or PCS7 software is running.
Organizations that have the ability to, should conduct similar log analysis, and respond to any identified infections.
In-Line Protections:
The following are in-line protections that an enterprise can and should have in place to protect its users against this threat.
Blocks against known C&C servers including:
- mypremierfutbol.com
- todaysfutbol.com
In-line anti-virus signatures in place and tested against known related malware artifacts. For example, MD5s:
- 743E16B3EF4D39FC11C5E8EC890DCD29F (Stuxnet)
- 15db99383d46d790812e83df6196f4fd (SuckMe LNK PoC)
Signatures deployed for traffic that may mimic past observed C&C activity, for example,
- In URL: “index.php?data=66a96e28”
As well as signatures to detect the Metasploit WebDAV .LNK exploit.
Additionally, if appropriate or available organizations can deploy technologies to identify, parse, and/or block LNK files entering their organization.
Local Protections:
There is not currently a patch, though Microsoft has issued a work around detailed here.
Didier Stevens, a security researcher, has released a tool and screenshots on his blog about how to apply protections locally to prevent against LNK exploitation.
Conclusion:
This vulnerability has been, is being, and will continue to be exploited in the wild. Use the above information to conduct log forensics and analysis to identify and respond to infected systems. Apply appropriate in-line and local protections as appropriate within your environments.
