Ancient Stuxnet flaw still being used to attack millions of Windows XP PCs

XP popularity and poor patching revealed

A software vulnerability exploited by cyberweapons including Stuxnet and Flame is still being used to attack millions of users around the world four years after it was patched, a Kaspersky analysis has suggested.

The firm's analysis looked at detections of malware trying its luck against CVE 2010-2658, an important flaw discovered to be affecting Windows XP, Vista, Windows 7, Server 2002 and Server 2008 in July 2010, and whose popularity remains strangely undimmed among cybercriminals.

Between November 2013 and June 2014, Kaspersky Lab detected 19 million systems encountering malware that appeared to be using exploits targeting it, 64 percent of which were running Windows XP.

The top country registering these exploits was Vietnam (42.4 percent), India (11.7 percent), Indonesia (9.4 percent), Brazil (5.5 percent) and Algeria (3.7 percent), with a clutch of other developing countries also showing high levels of XP use featuring on the list.

CVE 2010-2658 was first noticed in the Sality worm and Stuxnet attacks in 2010, and was eventually patched by Microsoft in early August. As it happens, the persistence of this flaw is probably explained by Sality, detections of which seem to coincide closely with its activity.

Conclusions? Kaspersky Lab is cagey about how many real-world attacks these 'detections' translate into (the exploit created malicious shortcuts that can in theory be created by other malware) but it does implies a large number of machines are probably vulnerable to it despite the widespread availability of a patch.

Many of these systems also run Windows XP and may never be properly patched against a range of known software flaws.

"Kaspersky Lab's experts presume that most of these stem from poorly maintained servers without regular updates or a security solution installed. These servers may also be inhabited by worms that use malware exploiting this vulnerability," said Kaspersky Lab researcher, Yuri Ilyin.

But according to Tim Erlin, security R&D director at security firm Tripwire, the figures may be an underestimate of the true scale of the problem.

"Kaspersky is only seeing part of the picture here. As a malware detection product, they have recorded and measured 'detections of exploits' rather than the vulnerability itself," he said.

"They can infer from the exploit activity that the vulnerability is present, but there may be many more systems that are vulnerable, but not yet being exploited."

Although impossible to prove, it seemed likely that the large number of detections in certain countries was related to the number of unpatched systems, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags Microsoftsecuritysoftwareoperating systemskaspersky lab

More about KasperskyTripwire

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place