Stuxnet Reference Material

The following material was compiled from a variety of reliable sources and covers the various aspects of the Win32.Stuxnet worm.

How Stuxnet Works (Detailed Analysis)

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History - Kim Zetter - Threat Level/Wired

Summing Up Stuxnet in Four Easy Sections
What Does Stuxnet Mean for ICS (presentation)

Win32.Stuxnet Dossier - Symantec
Symantec Blog on Stuxnet
Stuxnet Under the Microscope - ESET
Roger Langner's Site
Code-Signing Best Practices by Microsoft

Stuxnet Malware Analysis - Amr Thabet - published Sept. 9, 2011 (website, MrxNet.sys source)

Stuxnet Research

Stuxnet Expert: Analysis Shows Design Flaw, Not Vulnerability Sunk Siemens - ThreatPost - published Jan. 19, 2012 (Langner presents new findings at 2012 S4)

White Papers Co-Authored by SCADAhacker

How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems
Five Part Series by Greg Hale at ISSSource on "How Stuxnet Spreads"

Mitigation Recommendations by SCADAhacker

Stuxnet Mitigation Strategies

Siemens Automation

Control System Security Assessments (presented in 2008 by INL and Siemens)
Official Siemens Support Page regarding Stuxnet 

Industrial Control System Cyber Emergency Response Team (ICS-CERT)

USB Malware Targeting Siemens Control Software (Initial Release)
USB Malware Targeting Siemens Control Software (Rev A)
USB Malware Targeting Siemens Control Software (Rev B)
USB Malware Targeting Siemens Control Software (Rev C)
Stuxnet Malware Mitigation (Initial Release)
Stuxnet Malware Mitigation (Rev A)
Stuxnet Malware Mitigation (Rev B)
Primary Stuxnet Indicators

Symantec Security Focus (includes exploit code)

Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067)
Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (MS10-043)
Windows Print Spooler Service Remote Code Execution Vulnerability (MS10-061)
Windows 'NtUserCheckAccessForIntegrityLevel' Local Privilege Escalation Vulnerability (MS10-073)
Windows Kernel 'Win32k.sys' Keyboard Layout Local Privilege Escalation Vulnerability (MS10-073)
Windows Kernel 'Win32k.sys' Window Class Local Privilege Escalation Vulnerability (MS10-073)
Windows Kernel Task Scheduler Service Local Privilege Escalation Vulnerability (MS10-092)

Microsoft Security Bulletins

MS08-067: Server Service Vulnerability
MS10-046: Windows Shell (Shortcut LNK) Vulnerability
MS10-061: Print Spooler Vulnerability
MS10-073: Windows Kernel-mode Drivers (Keyboard Layout) Vulnerability
MS10-092: Task Scheduler Vulnerability

Common Vulnerability & Exposure (CVE) References

CVE-2008-4250 (MS08-067)
CVE-2010-2568 (MS10-046)
CVE-2010-2729 (MS10-061)
CVE-2010-2549 (MS10-073)
CVE-2010-2743 (MS10-073)
CVE-2010-2744 (MS10-073)
CVE-2010-3338 (MS10-092)
CVE-2010-2772 (Siemens Hardcoded Password)

Microsoft Malware Protection Center (Blog)

"The Stuxnet Sting"
"Stuxnet, malicious .LNKs, ... and then there was Sality"
"One Week Later: Broken LNKs and MSRT August"