Why attackers exploit multiple zero-day attacks and how to respond

A recent and disturbing malware trend involves attacks that attempt to compromise multiple zero-day flaws at once. Threats expert Nick Lewis explains what you can do to protect your enterprise.

The Stuxnet worm has received significant media coverage for the large number of different types of systems it has infected. Symantec Corp. published an informative technical write-up that explains Stuxnet in detail and reports that around 100,000 systems have been infected.

Stuxnet is similar to the Operation Aurora attacks from December 2009 and the Zeus botnet in that it demonstrates cutting-edge techniques in the way malware is created. However, Stuxnet is more sophisticated, primarily because it exploits several zero-day vulnerabilities at once. While it's always hard to predict the future of malware, it's safe to say this won't be the last attack that utilizes multiple zero-day exploits simultaneously. In this tip, we'll discuss this tactic in the context of Stuxnet, and explain how enterprises can fend off similar exploits in the future.

Current state of Stuxnet
Stuxnet is one of the most advanced pieces of malware in the wild today because of all the different malicious functionalities it includes. It exploited four zero-day vulnerabilities, including a remotely exploitable vulnerability in the Windows print spooler and another that enabled local privilege escalation. While exploiting one zero-day flaw has become common, attempting to exploit multiple zero-day attack vectors makes it more likely that an attacker will successfully penetrate a system. For any single zero-day, there could be protections in place to stop the exploit, or the system may not be running a vulnerable version of the software (for example, if the malware attacks a 64-bit version of Windows but is meant to exploit a 32-bit version, or the target system is using an alternative PDF reader instead of Adobe Reader). When malware includes multiple zero-days, however, chances are that one of those attack vectors will not be adequately protected.

Malware that targets zero-day flaws is less common than malware that attacks older, more commonly known vulnerabilities that haven't been patched, or malware that exploits basic poor security practices. Malware that attacks multiple zero-day flaws tends to be even less common.

While targeting multiple zero-day flaws can increase the chances of an attacker successfully taking over a system, the amount of damage the attacker can do once inside is not dependent on the number of zero-day vulnerabilities the malware attempts to exploit. The amount of damage depends on what type of access the attacker gains as a result of the exploit, and whether he or she is able to completely take over the system. If the malware is able to take over the system, it doesn't matter how many zero-days were used, since it only takes one vulnerability to compromise a system. Once the attacker has taken control of the system, he or she can then siphon off data, use the system to attack other systems, or do anything else the system was originally programmed to do.

One good thing about malware that targets multiple zero days is, depending on how the malware works, the multiple attack vectors could potentially increase the odds of its detection. If multiple failed exploits are logged, this could draw more attention, since this is probably a rare event. Attackers would need to weigh the odds: They're more likely to penetrate the system using multiple zero days, but they're also more likely to be detected.
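
The correlation described above can be sketched as follows. This is an added example, not part of the original tip: the log format, host names and vector labels are constructed, and the 15-minute window and two-vector threshold are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2010-12-01T09:58:11 host=ws-014 event=exploit_blocked vector=pdf_reader
2010-12-01T10:00:05 host=ws-027 event=exploit_blocked vector=print_spooler
2010-12-01T10:00:41 host=ws-027 event=exploit_blocked vector=print_spooler
2010-12-01T10:02:17 host=ws-027 event=exploit_blocked vector=shortcut_file
2010-12-01T10:03:30 host=ws-027 event=login_ok user=alice
2010-12-01T10:06:52 host=ws-027 event=exploit_blocked vector=privilege_escalation
2010-12-01T15:40:00 host=ws-014 event=exploit_blocked vector=print_spooler
garbled line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=exploit_blocked vector=(?P<vector>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, host, vector) for each failed-exploit line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["vector"]

def multi_vector_hosts(log_text, window=timedelta(minutes=15), min_vectors=2):
    """Return {host: sorted vectors} for hosts that logged failed exploits
    against >= min_vectors different vectors inside one sliding window."""
    by_host = defaultdict(list)
    for ts, host, vector in sorted(parse(log_text)):
        by_host[host].append((ts, vector))
    flagged = {}
    for host, events in by_host.items():
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            vectors = {v for _, v in events[start:end + 1]}
            if len(vectors) >= min_vectors:
                # Accumulate every vector seen in any qualifying window.
                flagged[host] = sorted(vectors | set(flagged.get(host, [])))
    return flagged

if __name__ == "__main__":
    for host, vectors in multi_vector_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: failed exploits on {len(vectors)} vectors: {vectors}")
```

Repeated blocks against a single vector, or blocks against different vectors hours apart, do not trigger the alert; only distinct vectors clustered in time on one host do.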

Zero-day attacks: Who is vulnerable?
Given the amount of discussion surrounding Stuxnet, it might seem like a significant number of systems have been infected. While 100,000 systems infected is not insignificant, it is a small number compared to the more than 1 million systems infected with the Renos malware. However, while the number of infected systems may be small, the number of systems vulnerable to malware that exploits multiple zero-day flaws is vast (provided the zero-day attacks target different pieces of software on a computer).

Interestingly enough, the organizations that should be most concerned about multiple zero-day attacks are usually the ones that have blocked other common attack vectors; attackers are more likely to resort to zero-day attacks if more traditional techniques are ineffective. The organizations that haven't blocked the common attack vectors could also be attacked by multiple zero-day exploits, but they've probably already been compromised by common malware.

To find out if your organization is especially vulnerable to such attacks, carefully evaluate the security protections in place and determine whether all those protections could be bypassed by the zero-day exploits used in recent attacks. All such evaluations will be enterprise-specific, since they will depend on the protections in place on your systems.

The emergence of malware using multiple zero-days is something that security-conscious organizations should be aware of and consider when evaluating their systems and networks. If system protections overlap heavily and all fail in the same way, having multiple layers of protections installed may not actually provide significant additional security and may actually increase the attack surface of the systems and make them more difficult to manage.

Enterprise defense strategy against multiple zero-day attacks
Trying to defend against multiple zero-days or targeted attacks requires more than the standard recommendations of using antimalware software, keeping patches current and using a host-based firewall. Many organizations should consider deploying perimeter firewalls, network-based antimalware detection and blocking, and intrusion detection to try to combat all attacks. While additional layers of security can help protect if one layer fails, the additional layers may not truly provide enough defense-in-depth.

For example, if your organization is using the same antimalware engine on its desktops, servers, email systems and network-based antimalware appliances, the single point of reliance on that engine's detections may not provide significantly more coverage than just running antimalware software on desktops. If not all desktops have antimalware software installed, or some have issues with proper operation of the antimalware engine, additional layers using the same detection engine may provide additional coverage. Running different or additional antimalware engines on servers, email systems and network-based antimalware appliances could add zero-day protection or malware-detection coverage.
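
One way to run that evaluation over a control inventory, as an added example that is not from the original tip: the layer names, engine labels, delivery paths and deployment figures are all constructed, and you would replace them with your own inventory.

```python
# Constructed inventory:
# (layer, detection engine, delivery paths inspected, share of hosts covered)
INVENTORY = [
    ("desktop_av",   "engine_a", {"email", "web", "usb"}, 0.90),
    ("mail_gateway", "engine_a", {"email"},               1.00),
    ("web_proxy_av", "engine_b", {"web"},                 1.00),
]
PATHS = ["email", "web", "usb", "network_share"]

def assess(inventory, paths):
    """Per delivery path, count distinct engines and say what each layer adds.
    Layers are judged in inventory order, so list the primary layer first."""
    report = {}
    for path in paths:
        seen = {}      # engine -> best deployment coverage seen so far
        notes = []
        for layer, engine, covers, coverage in inventory:
            if path not in covers:
                continue
            if engine not in seen:
                notes.append((layer, "independent detection"))
            elif seen[engine] < 1.0:
                # Same engine, but the earlier layer is not on every host.
                notes.append((layer, "same engine, fills deployment gaps only"))
            else:
                notes.append((layer, "redundant: fails the same way"))
            seen[engine] = max(seen.get(engine, 0.0), coverage)
        report[path] = {"engines": len(seen), "layers": notes}
    return report

def weak_paths(report, min_engines=2):
    """Paths where fewer than min_engines independent engines inspect traffic."""
    return sorted(p for p, r in report.items() if r["engines"] < min_engines)

if __name__ == "__main__":
    report = assess(INVENTORY, PATHS)
    for path, result in report.items():
        print(path, result)
    print("paths lacking independent coverage:", weak_paths(report))
```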

If your enterprise is concerned about these types of attacks, some additional steps can be taken to prevent or limit their potential effectiveness. Start by securing USB connections: if USB connections are not needed, they should be disabled to ensure USB devices aren't used in conjunction with an insecure configuration or autorun functionality to attack the system. After disabling USB devices, lock down other physical security settings, such as the system BIOS. Also, only allowing software signed with a valid certificate -- in conjunction with application whitelisting -- could prevent the malicious code from executing on the system. Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which offers an additional set of malware protections, can prevent software from being exploited. Enterprises should also consider not connecting mission-critical systems to general-purpose networks or the Internet whenever possible.

Stuxnet is just one of several pieces of malware incorporating advanced functionality and exploiting multiple zero-day flaws. Historically, malware and attackers have done the minimum necessary to penetrate systems, but, as defenses improve, so must attackers. Stuxnet -- and future malware that will likely utilize multiple zero-day exploits -- demonstrates the need for enterprises to carefully evaluate the protections they have in place to see if and how those protections can be used to stop such attacks. Attacks using multiple zero-days will become more common as frameworks for bundling attacks into malware add functionality and as it becomes easier to include new attacks in that malware.

About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.

This was last published in December 2010