TP-EXP-2010-0001 CVE-2010-2568 critical Patched Under Review

Stuxnet — Windows Shell LNK Shortcut Remote Code Execution (CVE-2010-2568)

Severity Assessment

  • Exploitability: 8/10 — Requires physical proximity (USB insertion) or network share access; no user interaction beyond browsing to the directory containing the LNK file
  • Impact: 10/10 — Arbitrary code execution leading to ICS/SCADA sabotage; demonstrated physical destruction of uranium enrichment centrifuges
  • Weaponization Risk: 9/10 — Used as part of a multi-zero-day cyber weapon; LNK exploitation technique subsequently adopted by multiple threat actors
  • Patch Urgency: 10/10 — Microsoft issued out-of-band patch MS10-046 due to active exploitation
  • Detection Coverage: 6/10 — Detectable via AV signatures for malicious LNK files; more difficult to detect the PLC manipulation component

Executive Summary

CVE-2010-2568 is a remote code execution vulnerability in the Windows Shell’s handling of shortcut (.LNK) files. The vulnerability exists in the way Windows Explorer processes the icon resource of a specially crafted shortcut file: when a user browses to a directory containing a malicious LNK file (via Windows Explorer, a USB drive, or a network share), the Shell automatically attempts to load the icon, which triggers execution of attacker-specified code. No user interaction beyond viewing the folder contents is required.

This vulnerability was one of four Windows zero-day exploits used by Stuxnet, the first publicly identified cyber weapon. Stuxnet was a worm designed to sabotage Iran’s uranium enrichment program at the Natanz nuclear facility by manipulating Siemens SIMATIC S7-300 programmable logic controllers (PLCs) that governed gas centrifuge operations. CVE-2010-2568 served as Stuxnet’s primary initial access mechanism, enabling the worm to spread via infected USB drives — a necessary vector because the Natanz facility was air-gapped from the internet.

The vulnerability was first identified by Belarusian antivirus firm VirusBlokAda on 17 June 2010, when analyst Sergey Ulasen investigated reports of systems in Iran experiencing repeated crashes and blue screens. Microsoft released an out-of-band patch (MS10-046) on 2 August 2010, six weeks after public disclosure.

Exploit Chain

Stage 1: USB Drive Introduction

Stuxnet was introduced to target environments via infected USB drives. The worm placed malicious LNK files and associated DLL payloads on the removable media. The USB vector was essential for reaching air-gapped industrial control networks at facilities like Natanz.

Stage 2: LNK Icon Loading Exploitation

When a user inserted the USB drive or browsed to a network share containing the malicious LNK file, Windows Explorer automatically attempted to render the shortcut’s icon. The crafted LNK file specified a Control Panel applet (.CPL file) as its icon resource, causing the Windows Shell to load and execute the malicious DLL.

Stage 3: Rootkit Installation

Upon execution, Stuxnet installed a kernel-mode rootkit using two stolen digital certificates (from Realtek Semiconductor and JMicron Technology) to sign its drivers. The rootkit hid the malicious files on the USB drive and on the infected system from both Windows Explorer and antivirus scanners.

Stage 4: Network Propagation

Once on a networked system, Stuxnet used additional propagation mechanisms including the Windows Print Spooler vulnerability (CVE-2010-2729), the Windows Server Service vulnerability (CVE-2008-4250), and hardcoded Siemens WinCC database credentials to spread to systems running Step 7 SCADA software.

Stage 5: PLC Payload Delivery

When Stuxnet detected a system running Siemens SIMATIC Step 7 software communicating with S7-300 PLCs via Profibus, it injected modified control logic into the PLCs. The malicious code periodically altered the frequency of variable-frequency drives controlling centrifuge motors, cycling them between 1,410 Hz and 2 Hz (normal operating speed was 1,064 Hz). Simultaneously, Stuxnet replayed recorded normal telemetry data to the operator monitoring stations, concealing the sabotage.

Detection Guidance

File-based detection for CVE-2010-2568:

  • Scan for LNK files with icon resource references pointing to CPL or DLL files on the same removable media or network share
  • Monitor for LNK files where the icon location contains path traversal sequences or references to non-standard icon sources
  • Antivirus signatures for known Stuxnet LNK variants (multiple variants were used across different Stuxnet versions)
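As an added example (not code from the original report or from any vendor tooling), the following Python triage helper parses the ShellLinkHeader, LinkTargetIDList and StringData of a .LNK file as laid out in the public [MS-SHLLINK] specification and flags the patterns the file-based guidance above describes: an icon location that resolves to a .cpl/.dll outside the Windows directory, a traversal sequence in the icon location, and a module path embedded in the IDList. The header size, CLSID and LinkFlags values come from the specification; the "outside the Windows directory" rule, the IDList regex and the `build_lnk` test inputs are my own heuristics and constructed data, not Stuxnet samples.

```python
import re, struct
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80     # LinkFlags bits, [MS-SHLLINK] 2.1.1
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
MODULE_EXT = re.compile(r"\.(cpl|dll)$", re.I)
SYSTEM_DIR = re.compile(r"^(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\", re.I)   # heuristic allow-list
# heuristic: UTF-16LE "<text>.cpl" or "<text>.dll" embedded anywhere in the LinkTargetIDList
IDLIST_MODULE = re.compile(rb"(?:[\x20-\x7e]\x00){3,}\.\x00(?:[cC]\x00[pP]\x00[lL]|[dD]\x00[lL]\x00[lL])\x00")

def parse_lnk(data):
    """Return (LinkFlags, raw IDList bytes, StringData dict); LinkInfo and ExtraData are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off, idlist, strings = HEADER_SIZE, b"", {}
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + ItemIDs + TerminalID
        size = struct.unpack_from("<H", data, off)[0]
        idlist, off = data[off + 2:off + 2 + size], off + 2 + size
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:               # CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0] * (2 if flags & IS_UNICODE else 1)
            strings[name] = data[off + 2:off + 2 + count].decode("utf-16-le" if flags & IS_UNICODE else "cp1252", "replace")
            off += 2 + count
    return flags, idlist, strings

def assess(data):
    """List the reasons a shortcut looks like a CVE-2010-2568-style icon-loading lure."""
    _, idlist, strings = parse_lnk(data)
    icon, findings = strings.get("icon_location", ""), []
    if MODULE_EXT.search(icon) and not SYSTEM_DIR.match(icon):
        findings.append("icon taken from a .cpl/.dll outside the Windows directory: " + icon)
    if ".." in icon:
        findings.append("icon location uses path traversal: " + icon)
    for m in IDLIST_MODULE.finditer(idlist):
        findings.append("IDList embeds a module path: " + m.group(0).decode("utf-16-le"))
    return findings

def build_lnk(icon_location, idlist_path=None):
    """Construct a minimal Unicode shortcut as test input (constructed data, not a real-world sample)."""
    flags, body = 0x40 | IS_UNICODE, b""
    if idlist_path is not None:                   # one ItemID (size includes its own 2 bytes) + TerminalID
        item = idlist_path.encode("utf-16-le")
        ids = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"
        flags, body = flags | HAS_ID_LIST, struct.pack("<H", len(ids)) + ids
    body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    return header + body + bytes(4)               # ExtraData: TerminalBlock only
```

Run `assess()` over every .LNK found on removable media or a share to produce triage findings; a legitimate shortcut whose icon lives under %SystemRoot% yields an empty list.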

Host-based detection:

  • Monitor for unsigned or unexpectedly signed kernel drivers being loaded (Stuxnet used stolen Realtek and JMicron certificates)
  • Watch for modifications to Siemens Step 7 project files (S7P files) and OB1/OB35 organizational blocks on engineering workstations
  • Detect anomalous DLL loading from removable media or network shares triggered by Windows Explorer (not by explicit user execution)
  • Monitor for the creation of specific Stuxnet mutex names and registry keys

Network-based detection:

  • Monitor for connections to Stuxnet command-and-control domains (www.mypremierfutbol.com and www.todaysfutbol.com)
  • Detect anomalous Profibus/MPI communication patterns between engineering workstations and PLCs
  • Alert on unexpected modifications to PLC programming via Step 7 protocols

Indicators of Compromise

Network indicators:

  • DNS queries or connections to www.mypremierfutbol.com and www.todaysfutbol.com (Stuxnet C2 domains)
  • Anomalous SMB traffic indicative of Windows Server Service exploitation (CVE-2008-4250)
  • Unexpected Step 7 / Profibus communication to S7-300 PLCs from non-engineering workstations

Host indicators:

  • Malicious LNK files on USB drives with icon resources pointing to local CPL/DLL files
  • Kernel drivers signed with revoked Realtek (certificate serial: 7a563aca5765640bb0b0d0c13a1a5e97) or JMicron certificates
  • Modified Siemens Step 7 S7P project files with injected OB1/OB35 organizational blocks
  • Presence of Stuxnet-specific mutexes: Global\{b54ada82-6545-4f66-baaf-eb39533b1208}

Log indicators:

  • Windows Security Event Log: driver loading events (Event ID 7045) for unexpectedly signed kernel drivers
  • Siemens Step 7 audit logs showing unauthorized PLC program modifications
  • Autorun/autoplay events triggered by USB insertion (Windows Event ID 1001)

Disclosure Timeline

2009-06 — Earliest Known Stuxnet Variant

The earliest confirmed Stuxnet variant (version 0.5) was identified in retrospective analysis. This version targeted Siemens S7-417 PLCs and used different propagation mechanisms.

2010-01 — Stuxnet 1.x Deployment

Stuxnet versions 1.001 through 1.100 were deployed, incorporating CVE-2010-2568 as the primary USB propagation vector. These versions targeted S7-300 PLCs controlling centrifuge operations.

2010-06-17 — Discovery by VirusBlokAda

Belarusian antivirus firm VirusBlokAda identified Stuxnet while investigating reports of system instability on Iranian computers. Analyst Sergey Ulasen identified the malicious LNK file exploitation mechanism.

2010-07-16 — Public Disclosure

Microsoft acknowledged the LNK vulnerability (CVE-2010-2568) and issued Security Advisory 2286198 with interim mitigations pending a full patch.

2010-08-02 — Microsoft Releases MS10-046

Microsoft released an out-of-band security update addressing CVE-2010-2568 across all supported Windows versions.

2010-09-29 — CISA ICS Advisory

CISA published ICS advisory ICSA-10-272-01 detailing the Stuxnet malware’s impact on Siemens SIMATIC industrial control systems.

2010-11 — Langner Confirms Centrifuge Sabotage

German industrial security researcher Ralph Langner published analysis confirming that Stuxnet’s payload was designed to sabotage uranium enrichment centrifuges by manipulating variable-frequency drive speeds.
