Key Stuxnet LNK Spreading Mechanism Stops Working

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:31:58
One of the key infection methods for the Stuxnet worm was hard-coded to stop working on June 24, removing one of its techniques for propagation. Researchers say that the date, which is encoded in the worm’s instructions, falls nearly three years to the day after the first version of Stuxnet was seeded.

Stuxnet contains several different methods for spreading to and infecting new machines. One of them relies on LNK (shortcut) files that are copied to a USB storage device. This was among the first parts of Stuxnet to be identified and dissected by researchers.

“There are currently three known variants of Stuxnet – which were all seeded in waves, on different dates. The first known variant was seeded on June 23rd, 2009 at 4:40am GMT. The next wave took place on June 28th and then on July 7th.

“So, on June 24th, 2012, we were roughly three years since the initial deployment of the worm that squirmed through carefully selected Iranian organizations,” Costin Raiu of Kaspersky Lab wrote in an analysis of the drop-dead date for the LNK mechanism.

One other bit of weirdness involved in this episode is that there’s another date that’s hard-coded into the Duqu code. That date, June 24, 1982, is the day that a British Airways flight from London to Auckland, New Zealand, flew through an ash cloud from a volcanic eruption and lost all four of its engines, eventually making an emergency landing in Jakarta. What that incident has to do with a piece of malware designed almost 30 years later is unclear.

“Of course, nobody outside of the project can say for sure why Stuxnet stopped spreading exactly 30 years from this incident, or why the date is also hardcoded in the Duqu decryption subroutine. In addition to June 24th, the Stuxnet MS10-061 exploit stopped working on June 1st, 2011. Moreover, the MS08-067 exploit checks dates before January 2030.

“Nevertheless, all these checks probably indicate that the attackers were planning to have it long updated by June 1st, 2011 and retired or replaced by June 24th, 2012,” Raiu said.