What is unique about Stuxnet is that it utilizes a new method of propagation. Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors will be taking advantage of this technique. Stuxnet will infect any USB drive that is attached to the system and, for this reason, we’ve classified the malware as a worm.
Stuxnet uses the aforementioned .lnk technique to install additional malware components. Microsoft has not released a fix for this vulnerability, but an automated workaround is available that disables .LNK and .PIF file functionality.
For more information about the vulnerability, see Microsoft Security Advisory 2286198 (http://www.microsoft.com/technet/security/advisory/2286198.mspx).
Two variants are identified by anti-virus signatures:
Worm:Win32/Stuxnet.A, alias Stuxnet (McAfee), W32/Stuxnet.A.worm (Panda)
Worm:Win32/Stuxnet.B, alias Stuxnet (McAfee), W32/Stuxnet.B.worm (Panda)
The most dangerous part of Stuxnet is that it automatically installs a driver signed with a certificate belonging to a well-known hardware manufacturer, Realtek Semiconductor Corp. Because the driver carries a signature from a source that Microsoft trusts, it is installed without any prompt to the user. This driver is a rootkit that hides Stuxnet from any application – even the user’s anti-virus. The worm will then also copy itself onto any USB devices plugged into the infected workstation, risking further propagation.
StormShield offers the most comprehensive, granular and powerful endpoint Device Control (this module includes USB port and device security) and Host IPS protection available on the market today. The combination of these two StormShield protections virtually assures that these recent extremely advanced and sophisticated attacks like Stuxnet are detected and blocked.
To prevent Stuxnet from infecting a computer and spreading through USB devices, you need to deny access to these extensions on any removable device: lnk, pif, exe, com, vbs and msi. The StormShield Device Control module can easily be set to deny this access. Here is a screenshot of the settings in the StormShield Management Console:
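As an added illustration (not StormShield's code and not part of the original post), the following Python models the deny-by-extension rule described above, including the file-name edge cases such a rule has to handle: mixed-case extensions, a trailing dot or space (which Win32 strips before the file is opened), and a double extension like report.pdf.lnk. The USB file listing is constructed for the example.

```python
"""Evaluate a removable-device extension deny-list (lnk, pif, exe, com, vbs, msi).

Constructed example for illustration; not StormShield code.
"""

# The extensions the post says to deny on removable devices only.
DENIED_ON_REMOVABLE = frozenset({"lnk", "pif", "exe", "com", "vbs", "msi"})


def normalize_name(name: str) -> str:
    # Win32 ignores trailing dots and spaces in a file name ("run.exe." opens run.exe),
    # and NTFS name matching is case-insensitive, so normalize before comparing.
    return name.rstrip(". ").lower()


def effective_extension(name: str) -> str:
    # The last suffix decides the file type: "report.pdf.lnk" is a shortcut, not a PDF.
    n = normalize_name(name)
    if "." not in n:
        return ""
    return n.rsplit(".", 1)[1]


def is_denied(path: str, removable: bool) -> bool:
    # The rule is scoped to removable devices; files on fixed drives are not affected.
    if not removable:
        return False
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return effective_extension(name) in DENIED_ON_REMOVABLE


def audit_listing(listing, removable=True):
    """Return the paths in `listing` the rule would block, in original order."""
    return [p for p in listing if is_denied(p, removable)]


# Constructed listing of a USB drive (made-up names, not real sample data).
SAMPLE_USB = [
    r"E:\photos\holiday.jpg",
    r"E:\report.pdf.lnk",        # double extension, still a shortcut
    r"E:\docs\Shortcut.LNK",     # upper-case extension
    r"E:\tools\run.exe.",        # trailing dot stripped by Win32
    r"E:\notes.txt",
    r"E:\setup.MSI",
    r"E:\script.vbs ",           # trailing space stripped by Win32
]

if __name__ == "__main__":
    for p in audit_listing(SAMPLE_USB):
        print("DENY", p)
```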
If, for some reason, a worm like Stuxnet has gotten onto a StormShield-protected computer from a source other than a USB drive, StormShield can also detect and protect workstations that are infected by the worm. Using the multi-layered StormShield HIPS technology, StormShield will detect and block any driver performing suspicious activities such as hiding files or processes, or keylogging.