{
	"id": "c3dc4724-a332-4f7a-83a1-eec8cff94ac2",
	"created_at": "2026-04-06T00:19:33.844352Z",
	"updated_at": "2026-04-10T03:20:18.488606Z",
	"deleted_at": null,
	"sha1_hash": "1bb7467ef63e6a0106898f4f8058a7f8e9f607f4",
	"title": "Stuxnet Malware Mitigation (Update B) | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51483,
	"plain_text": "Stuxnet Malware Mitigation (Update B) | CISA\r\nPublished: 2014-01-08 · Archived: 2026-04-05 14:46:15 UTC\r\nOverview\r\nIn July, ICS-CERT published an advisory and a series of updates regarding the Stuxnet malware entitled “ICSA-10-201 USB Malware Targeting Siemens Control Software.” Since then, ICS-CERT has continued analysis of the Stuxnet malware in an effort to determine more about its capabilities and intent. As the analysis has progressed, understanding of the malware’s sophistication has continued to increase.\r\nStuxnet makes use of a previously unpatched Windows vulnerability and a digitally signed kernel-mode rootkit. Two digital certificates have been used to sign this rootkit. The original certificate was revoked. Subsequently, a second variant was discovered in which the same rootkit was signed with a different key, which has also been revoked. With approximately 4,000 functions, Stuxnet contains as much code as some commercial software products. The complex code is object oriented and employs many programming techniques that demonstrate advanced knowledge in many areas, including the Windows operating system, Microsoft SQL Server, Siemens software, and Siemens PLCs. The malware also employs many advanced anti-analysis techniques that make reverse engineering difficult and time consuming.\r\nICS-CERT has identified that while USB drives appear to be a primary infection mechanism, Stuxnet can also infect systems through network shares and SQL databases. The Stuxnet malware stores dropped files in many locations on a target system. The infection mechanism is complex, and the exact files that may be dropped will vary depending on the system it is infecting. After infecting a system, the malware gathers extensive data from MS SQL Server, the Windows registry, and application software.\r\nOnce the malware has installed itself on a system, it employs many evasive techniques, including bypassing antivirus software, advanced process injection, hooking useful functions via kernel-mode rootkits, and the quick removal of temporary files. ICS-CERT is continuing to reverse engineer and analyze this malware. Because of the malware’s complexity, this work is expected to take some time.\r\n--------- Begin Update B ----------\r\nAccording to reports and analysis, Stuxnet uses a total of five vulnerabilities: one previously patched (MS08-067) and four zero-days. Two of the four zero-day vulnerabilities have been patched since Stuxnet’s discovery. The first zero-day was addressed in MS10-046 on August 24th, 2010. The second and most recent zero-day vulnerability was addressed in MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290), released on Sept 14th, 2010. According to Microsoft, “This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.”\r\nhttps://www.us-cert.gov/ics/advisories/ICSA-10-238-01B\r\nPage 1 of 3\r\nThe other two vulnerabilities are local escalation of privilege vulnerabilities that enable an attacker to gain full control of an affected system. According to an MSRC post, one of the vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft is evaluating these vulnerabilities and will be releasing updates in future bulletins.\r\nICS-CERT recommends that control system owners and operators review system upgrades and consider applying available patches to mitigate the risks of Stuxnet infection. As with all system changes, administrators should consult their control systems vendor prior to making any system changes. On Sept 7th, Siemens also updated their support site to indicate that they were aware of 15 infections worldwide. According to Siemens, in none of the cases did the infection cause an adverse impact to the automation system.\r\n---------- End Update B ----------\r\nImplementing security measures and properly cleaning an infected system will help to mitigate the effects of the malware and the overall risk of a successful Stuxnet infection. The following sections provide guidance that can be used by owners and operators to prevent, or to identify and remove, the Stuxnet malware.\r\nPreventing Infection\r\nMicrosoft Windows Update\r\nMicrosoft Security Bulletin MS10-046 (Microsoft Security Bulletin, http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx, website last accessed August 24, 2010) addresses the vulnerability used by Stuxnet to infect a system from a USB drive. Organizations affected by Stuxnet and running Siemens WinCC or Step7 software should follow Siemens recommendations (Siemens Product Support, http://support.automation.siemens.com/WW/view/en/43876783, website last accessed August 23, 2010) for applying the Microsoft update.\r\nStuxnet malware also references a Microsoft vulnerability that was addressed in MS08-067 (Microsoft Security Bulletin, http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx, website last visited August 25, 2010), although it is not yet clear how this vulnerability is used. ICS-CERT recommends that control system owners and operators review system upgrades and consider applying this patch if it has not already been applied. As with all system changes, administrators should consult their control systems vendor prior to making any system changes.\r\nUSB Policy and Usage\r\nBecause USB drives, sometimes known as thumb drives, are small, readily available, inexpensive, and extremely portable, they are popular for storing and transporting files from one computer to another. This convenience also poses a security concern. Stuxnet and other malware take advantage of USB drives to propagate. Organizations are encouraged to review internal company policies and establish protective technical measures to disable USB drives. ICS-CERT recommends reviewing the Control Systems Analysis Report “USB Drives Commonly Used As an Attack Vector against Critical Infrastructure” for additional information on removable media and best practices.\r\nIdentifying and Removing the Stuxnet Malware\r\nThe overall sophistication of the Stuxnet malware cannot be overstated. Because of this complexity, cleanup procedures will vary. Some infections will be simple, while others involving Siemens products may be significantly more complex. Below are mitigation recommendations for two different system types:\r\n1. Systems running Siemens software\r\n2. Standard systems that are not running Siemens software.\r\nControl system owners and operators should exercise caution and consult their control systems vendor prior to making any changes or using antivirus software. In addition, proper impact analysis and testing should always be conducted prior to making any changes to control systems.\r\nWith this caveat in mind, if current antivirus software identifies a system as being infected with Stuxnet malware, the following guidelines will aid in malware mitigation.\r\nInfection of Systems Running Siemens Software\r\nIf Siemens SIMATIC WinCC or STEP 7 software is running on an infected system, then Siemens Customer Support and ICS-CERT should be contacted. Siemens recommends installing the Microsoft patch, running the SysClean tool, and installing the SIMATIC Security Update. The details of the Siemens procedure are listed on the Siemens Product Support website.\r\nA Stuxnet infection can be complicated and involve many changes to the infected system and possibly to attached PLC hardware. Control system owners and operators should be aware that although SysClean does remove a number of files, remnant artifacts may be left on a system after cleaning. Remnants can include new files, modified files (including WinCC project files), registry changes, and new or modified database tables. SysClean appears to stop the malware from infecting USB drives. However, because of the complexity of this malware, it is not yet understood whether these remnants could pose future problems.\r\nICS-CERT recommends working closely with Siemens Customer Support to determine whether to completely rebuild a compromised system or to clean it through manual and/or automated means. ICS-CERT will also provide support to organizations requesting additional guidance or analysis, including onsite support where appropriate. ICS-CERT is continuing to collaborate with Siemens on this malware.\r\nBecause Stuxnet specifically targets Siemens’ systems, it will behave very differently on standard systems than it does on systems running Siemens software. Current analysis indicates that cleanup of standard systems will be less complicated than on a system with Siemens’ software installed.\r\nSource: https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B"
	],
	"report_names": [
		"ICSA-10-238-01B"
	],
	"threat_actors": [],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bb7467ef63e6a0106898f4f8058a7f8e9f607f4.pdf",
		"text": "https://archive.orkl.eu/1bb7467ef63e6a0106898f4f8058a7f8e9f607f4.txt",
		"img": "https://archive.orkl.eu/1bb7467ef63e6a0106898f4f8058a7f8e9f607f4.jpg"
	}
}