How does the Stuxnet worm spread?

Question: How does the Stuxnet worm spread?

Stuxnet is a computer worm that targets the types of industrial control systems (ICS) that are commonly used in infrastructure supporting facilities (i.e. power plants, water treatment facilities, gas lines, etc). Often, these devices are not network or Internet connected. So how does Stuxnet get to these devices?

Answer:

Stuxnet can propagate via the autorun feature, as well as via malformed .LNK files that exploit a vulnerability in the Windows shell. This enables Stuxnet to spread easily on network devices, and more importantly, to piggy-back from machine to machine via removable drives such as USB thumb drives.

To guard against this type of spread, apply the patch described in Microsoft Security Bulletin MS10-046 and disable autorun on your computer.

Stuxnet can also propagate by exploiting a vulnerability in Windows Print Spooler Service. To guard against this type of spread, apply the patch described in Microsoft Security Bulletin MS10-061.

Additionally, Stuxnet exploits an older vulnerability in the Windows Server service (the same vulnerability used by the Conficker worm). To guard against this type of spread, apply the patch described in Microsoft Security Bulletin MS08-067.

Stuxnet can self-update through a P2P network installed by the worm. This network enables the Stuxnet worm to communicate with other infected hosts. To guard against this, check your firewall and IPS logs for signs of unexpected RPC traffic.

For additional information, see: What is Stuxnet?