Researchers at Eset have discovered a second variant of the Stuxnet worm that uses a recently disclosed Windows vulnerability to attack Siemens industrial machines.

The second variant, which Eset calls “jmidebs.sys,” can spread via USB drives, exploiting an unpatched flaw in Windows involving a malicious shortcut file with the “.lnk” extension.

Like the original Stuxnet worm, the second variant is also signed with a certificate, which is used to verify the integrity of an application when it is installed. The certificate was bought from VeriSign by JMicron Technology Corp., a company based in Taiwan, wrote Pierre-Marc Bureau, a senior researcher at Eset, on a blog.

The first Stuxnet worm’s certificate came from Realtek Semiconductor Corp., although VeriSign has now revoked it, said David Harley, Eset senior research fellow. Interestingly, both companies are listed as having offices in the same place, the Hsinchu Science Park in Taiwan.

“We rarely see such professional operations,” Bureau wrote. “They either stole the certificates from at least two companies or purchased them from someone who stole them. At this point, it isn’t clear whether the attackers are changing their certificate because the first one was exposed or if they are using different certificates in different attacks, but this shows that they have significant resources.”

Although Eset analysts are still studying the second variant, it is closely related to Stuxnet, Harley said. It may also be designed to monitor activity on Siemens WinCC supervisory control and data acquisition (SCADA) systems, which are used to manage industrial machines used for manufacturing and power plants. The code for the second variant was compiled on July 14, Harley said.

While the code for the second variant appears to be sophisticated, the way it has been released was probably not ideal. Releasing a worm rather than a Trojan makes it more likely that security researchers will see a sample of it sooner if it spreads quickly, which undermines its effectiveness, Harley said.

“That argues to me that maybe what we’re looking at is someone outside the malware field that didn’t understand the implications,” Harley said. “If they were intending to hide their interest in SCADA installations they obviously haven’t succeeded.”

Stuxnet is believed to be the first piece of malware targeting Siemens SCADA. If the worm finds a Siemens SCADA system, it uses a default password to get inside the system and then copies project files to an external Web site.

Siemens is advising that its customers not change the password because that can disrupt the system. Siemens plans to launch a Web site addressing the issue and how to remove the malware.

Microsoft has issued an advisory with a workaround for the vulnerability until a patch is ready. All versions of Windows are vulnerable.

Send news tips and comments to jeremy_kirk@idg.com