Analysis of the Stuxnet worm reveals something interesting on an almost daily basis. Liam O Murchu, manager of Symantec’s North American Malware Response team, says that he has discovered how the worm manages to re-infect a computer that has been cleaned of it.
Stuxnet has been spotted using various propagation methods: infected flash drives, autorun files, Windows vulnerabilities, and more.
Computerworld reports that O Murchu's latest discovery shows that Stuxnet injects a malicious DLL into every Step 7 project on an already compromised computer, so that even after a PC has been cleaned of the worm, opening any Step 7 file will compromise it again.
This is another feature that lends weight to the theory that Stuxnet’s makers are state-backed. It also indicates that whoever designed and wrote it must have known the ins and outs of the targeted SCADA system well, since Step 7 is the Siemens software used to configure the control system hardware.