Stuxnet infections continue to rise

Malware targeting critical control systems still rising with over 90,000 infections to date, Symantec data reveals. Iran tops infected countries list with about 33,000 compromised hosts.
Written by Vivian Yeo, Contributor

Stuxnet infections are continuing to rise with the total number of infected systems worldwide currently between 90,000 and 100,000, according to security vendor Symantec.

In an e-mail interview Thursday, Kevin Hogan, senior director for Symantec Security Response, noted that the company has observed "a consistent number of infections" since the malware was first detected last month. The number of infected countries, he added, now stands at 115.

Iran has been hardest hit, with the number of infections in the country at about 33,000. This is three times higher than the next most infected country, Indonesia, which has nearly 10,000 compromised systems. India is at No. 3 with over 5,000 infections.

The Stuxnet malware exploits a vulnerability in the way Microsoft's Windows Shell handles shortcut files; if exploited, the flaw can allow an attacker to gain complete control of a system. The virus was initially written to steal data from critical infrastructure companies by specifically targeting Scada (supervisory control and data acquisition) systems running Siemens' WinCC software.

In response to e-mail queries from ZDNet Asia, a Siemens spokesperson said six customers to date have detected and removed the virus. Three are based in Germany, two in Western Europe and the remaining one in Eastern Europe.

Over 7,000 customers have also downloaded the virus scanner made available on Siemens' support page, he added.

The cause of the malware is still unknown. The Siemens spokesperson said the company is still investigating the original source of the virus.

Impact of Microsoft patch unclear

Earlier this week, Microsoft rushed out an out-of-band patch for the shortcut vulnerability.

The fix followed Redmond's warning last week highlighting copycat attacks that were exploiting the hole. One such exploitation involves the Sality malware family, which Microsoft said was "highly virulent".

Sean Sullivan, security advisor at F-Secure, also identified a Zeus variant attempting to exploit the shortcut vulnerability. Zeus joins the Chymine, Vobfus and Sality families of viruses, he said in a blog post last week.

Symantec's Hogan noted it was still "a little too early to tell" what impact the release of Microsoft's patch will have on the security hole. "While we did observe a slight decline in detections, it's difficult to determine if that is due to the patch or some other cause.

"It does take a while for new patches to be rolled out, especially in large organizations," he said. "In either case, this patch won't address users already infected with W32.Stuxnet."

However, Andrew Storms, director of security operations for nCircle, told ZDNet Asia's sister site CNET News that Scada systems typically run on older OS versions which are "not being patched today". As such, utility companies--the initial targets of the virus--and Scada vendors are "probably scrambling to find a resolution" to the problem as soon as possible, he said.

Microsoft ceased support for Windows 2000 and Windows XP Service Pack 2 on Jul. 13. The shortcut vulnerability affects these versions of the OS.
