Which of the following vulnerabilities did the Stuxnet worm exploit on target hosts? (Select 2 choices.)
A. a buffer overflow vulnerability in the DCOM RPC service
B. a buffer overflow vulnerability in IIS software
C. a buffer overflow vulnerability in Microsoft SQL Server
D. a remote code execution vulnerability in the printer spooler service
E. a remote code execution vulnerability in the processing of .lnk files
Explanation:
Stuxnet exploited vulnerabilities in both the printer spooler service and the processing of .lnk files. Stuxnet was
used in an act of cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific
ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in
the printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes
shortcuts (.lnk files). Research from Symantec published in 2011 indicated that at the time, over 60 percent of
the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that
five organizations were the primary targets of infection and that further infections were likely collateral damage
from the aggressive manner in which the worm spreads throughout the network. Given the considerable cost in
resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was
likely intended to sabotage high-value targets such as nuclear materials refinement facilities.
The Blaster worm exploited a buffer overflow vulnerability in the Distributed Component Object Model (DCOM)
Remote Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a destructive payload
that configured the target host to engage in Denial of Service (DoS) attacks on Microsoft update servers.
Before Microsoft released a patch, several other worms exploited the vulnerability. For example, the Welchia
worm targeted the same vulnerability. Welchia was developed to scan the network for vulnerable machines,
infect them, and then remove the Blaster worm if present. It was even designed to download and install the
appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially exploited to infect the target
machine. However, despite the good-natured design intentions of the Welchia worm, its network-scanning
component inadvertently caused DoS attacks on several large networks, including those of the United States
armed forces.
SQL Slammer exploited a buffer overflow vulnerability in Microsoft Structured Query Language (SQL) Server
software. SQL Slammer spread at a tremendous rate and was reported to have infected as many as 12,000
servers per minute. Its high scanning rate generated enough traffic on many networks to effectively produce
DoS effects as collateral damage to the infection.
Code Red exploited a buffer overflow vulnerability in Microsoft Internet Information Server (IIS) software.
Although not as efficient as SQL Slammer, Code Red still managed to infect as many as 2,000 hosts per
minute. The initial Code Red variant failed to infect more than a single set of IP addresses; however, a later
variant was reported to have affected over 350,000 hosts within the first 14 hours of its release into the wild.
Cisco: Protecting Industrial Control Systems with Cisco IPS Industrial Signatures
Symantec: Security Response: W32.Stuxnet Dossier (PDF)