Windows bug used to spread Stuxnet remains world’s most exploited


Code-execution flaw is triggered by plugging a booby-trapped USB into vulnerable PCs.

One of the Microsoft Windows vulnerabilities used to spread the Stuxnet worm that targeted Iran remained the most widely exploited software bug in 2015 and 2016 even though the bug was patched years earlier, according to a report published by antivirus provider Kaspersky Lab.

In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked highest. The code-execution vulnerability is triggered simply by plugging a booby-trapped USB drive into a vulnerable computer and browsing it. The second most widespread exploit was one designed to gain root access on Android phones, seen by 11 percent of exploit-exposed users in 2015 and 15.6 percent in 2016.

The Windows vulnerability was first publicly disclosed in July 2010, a few days before security reporter Brian Krebs was the first to report on the Stuxnet outbreak. The bug resided in the Windows Shell code that parses shortcut (.LNK) files in order to display their icons, which Explorer does as soon as a folder on a newly connected USB stick is viewed. A specially crafted .LNK file could make that icon-rendering code load a library of the attacker's choosing from the same stick, so a booby-trapped drive could infect the connected computer even when its autorun feature was turned off. Because infection required nothing more than the drive being browsed, with no dependence on a network connection, the vulnerability was ideal for carrying a self-replicating worm onto air-gapped machines. Microsoft patched the vulnerability in August 2010 (security bulletin MS10-046).

The first known exploitation of the .LNK vulnerability occurred in 2008 in attacks carried out by the Equation Group, a state-sponsored group that Kaspersky Lab said ran the most advanced hacking operation ever uncovered. The Equation Group combined the .LNK exploit with other exploits that were also zero-days at the time to propagate a worm dubbed Fanny. A computer support forum thread from 2010 shows a user infected by Fanny asking: "How do I stop this virus?" In 2009 or 2010, Stuxnet used the .LNK vulnerability to install itself on computers inside Iran's Natanz uranium enrichment facility.

Staying power