Examining the Stuxnet worm

Digging into the Stuxnet worm reveals all kinds of interesting information.

Maybe you’ve heard that the worm propagates by exploiting the Windows .lnk file vulnerability in order to spread through removable drives. But what you probably didn’t know is that the code allowing it to do this wasn’t originally part of the worm.

Analysis of Stuxnet samples that predate March 2010 has revealed that the worm would create an autorun.inf file in the root of removable drives – one that could pass either as an executable or as a correctly formatted autorun.inf file.

The worm takes advantage of Windows' notoriously forgiving autorun.inf parsing and inserts the MZ (executable) file into the autorun.inf file, knowing that the autorun parser will ignore the MZ content as garbage.

“Using this trick the autorun.inf file will first be treated as a legitimate autorun.inf file and then as a legitimate executable file (and thus the worm’s code is executed),” says Symantec’s Liam O Murchu.

And, in case this method fails for whatever reason, a set of strings in the footer of the file will turn off AutoPlay and then add a new command to the drive's context menu.

One of the two “Open” commands has been inserted by the worm. If the user chooses the wrong one, the worm will be executed, leaving the user none the wiser because it will also open an Explorer window and display the contents of the drive – as the legitimate command would do.
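As an added defensive example (not code from the article or from Symantec), the check below parses an autorun.inf the way Windows' tolerant parser would and flags the traits described above: a file that starts with an MZ header yet still carries a usable [autorun] block, an extra context-menu verb labelled “Open”, and a command that launches the .inf itself. The sample bytes, the verb name `shell\run` and the assumption that the command targets the .inf file are constructed for the demo.

```python
# Added example, not code from the article or from Symantec: a defensive triage
# check for autorun.inf files that are also executables, the trick pre-March-2010
# Stuxnet samples used. The tolerant parser imitates Windows skipping lines that are
# neither [section] nor key=value; the sample bytes are constructed, not Stuxnet's.
import re

SECTION_RE = re.compile(rb"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(rb"^\s*([^=;\s\[][^=]*?)\s*=\s*(.*?)\s*$")


def parse_autorun(data: bytes) -> dict[str, dict[str, str]]:
    """Tolerant parse: lines that are not a section header or key=value are ignored,
    which is what lets binary garbage coexist with a valid [autorun] block."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in data.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).decode("latin-1").strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).decode("latin-1").lower()] = m.group(2).decode("latin-1")
    return sections


def triage_autorun(data: bytes) -> list[str]:
    """Return findings for one autorun.inf; an empty list means nothing suspicious."""
    findings: list[str] = []
    auto = parse_autorun(data).get("autorun")
    if auto is None:
        return findings  # no [autorun] block: Windows would not act on it
    if data[:2] == b"MZ":
        findings.append("starts with an MZ header: autorun.inf/executable polyglot")
    if b"PE\0\0" in data:
        findings.append("embeds a PE signature")
    # shell\<verb>=<label>: an extra verb labelled "Open" is the decoy; "&" marks the hotkey
    decoys = [k for k, v in auto.items()
              if re.fullmatch(r"shell\\[^\\]+", k) and v.replace("&", "").strip().lower() == "open"]
    if decoys:
        findings.append("look-alike Open verb(s) added: " + ", ".join(decoys))
    # Demo assumption: the worm body lives in autorun.inf itself, so flag commands launching an .inf
    for k, v in auto.items():
        if (k.endswith("\\command") or k in ("open", "shellexecute")) and ".inf" in v.lower():
            findings.append(f"{k} launches an .inf file: {v}")
    return findings


# Constructed samples for the demo (not real Stuxnet bytes)
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
POLYGLOT = (b"MZ\x90\x00" + b"\xcc" * 60 + b"PE\0\0" + b"\0" * 24 + b"\r\n[autorun]\r\n"
            b"shell\\run=&Open\r\nshell\\run\\command=autorun.inf\r\nshell=run\r\n")
```

Running `triage_autorun` over the root of each mounted removable drive gives a cheap signal that is independent of the executable's signature, which is the point of the polyglot trick.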