Malware Found That Attacks Industrial Control Systems

This is the first substantiated report of an attack aimed specifically at control systems that we have found since we began following the subject. The attack is carried out by a Trojan-horse program with a back-door component that checks the infected machine for an installation of WinCC, an HMI/SCADA software product sold by Siemens. It is known to spread via USB devices, namely the little memory-stick flash drives that we all seem to collect and use.

Microsoft said it suspects that Stuxnet, the name given to this malware, has been active at least since June 1, 2010. VirusBlokAda, an antivirus vendor in Belarus, said it discovered the malware in June.

The worm propagates by exploiting a hole in the code that processes shortcut (".lnk") files, present in all versions of Windows, according to a Microsoft Malware Protection Center blog post. Windows reads a shortcut in order to draw its icon as soon as the shortcut comes into view, and a specially crafted shortcut makes that icon lookup load a library of the attacker's choosing from the same drive. Merely browsing to the removable media drive with an application that displays shortcut icons, such as Windows Explorer, therefore runs the malware without the user clicking on anything.

The infection also runs the other way: any USB drive or other removable storage device subsequently connected to an infected machine is itself infected, and it then infects the next machine it is attached to as soon as that machine opens the drive to browse its files.
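A practical response to the two paragraphs above is to triage every shortcut on a USB stick before anyone browses it from a Windows machine. The script below is an added example, not code from the original article or from Microsoft: it parses the documented Shell Link header and target ID list, pulls out every path embedded in the list, and flags shortcuts whose target is a loadable module rather than a document or program, since a shortcut that exists only to make Explorer load a library is the pattern the icon-handling bug is abused through. The extension set, the sample-shortcut layout in `build_sample_lnk` and the file names used in the test are assumptions for the example; real shortcuts carry more structure in each item, which the parser does not need to understand.

```python
"""Triage shortcut (.lnk) files found on removable media.

Parses the documented Shell Link header and LinkTargetIDList and flags any
shortcut whose target list embeds a path to a loadable module: that is what
the icon-handling bug lets an attacker exploit, because Explorer loads the
module just to draw the icon. This is a heuristic triage tool, not a signature.
"""
import os
import re
import struct
import sys

HEADER_SIZE = 0x4C                    # fixed ShellLinkHeader size (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x0001      # LinkFlags bit: an IDList follows the header

# LoadLibrary ignores the extension, so a DLL may sit behind .tmp or similar;
# this set is an assumption for the heuristic, not an exhaustive list.
LOADABLE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".tmp"}

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the raw payload of every ItemID in the IDList."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    items, offset = [], HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST and offset + 2 <= len(data):
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        end = min(offset + id_list_size, len(data))
        while offset + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, offset)
            if item_size < 2:             # TerminalID (size 0) closes the list
                break
            items.append(data[offset + 2:offset + item_size])
            offset += item_size
    return {"flags": flags, "items": items}

def embedded_strings(blob: bytes) -> list:
    """Printable ASCII and UTF-16LE runs inside an ItemID's opaque payload."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]
    return found

def looks_like_path(s: str) -> bool:
    return "\\" in s or re.search(r"\.[A-Za-z0-9]{1,4}$", s) is not None

def triage_lnk(data: bytes) -> dict:
    """Report the paths a shortcut embeds and whether any of them is a module."""
    paths = []
    for item in parse_lnk(data)["items"]:
        paths += [s for s in embedded_strings(item) if looks_like_path(s)]
    loadable = [p for p in paths
                if os.path.splitext(p.lower())[1] in LOADABLE_EXTENSIONS]
    return {"paths": paths, "loadable": loadable, "suspicious": bool(loadable)}

def build_sample_lnk(paths: list) -> bytes:
    """Construct a minimal shortcut for testing. Assumed layout: one ItemID per
    path holding the path as UTF-16LE; real ItemIDs carry more structure."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = b""
    for p in paths:
        payload = p.encode("utf-16-le") + b"\x00\x00"
        body += struct.pack("<H", len(payload) + 2) + payload
    body += b"\x00\x00"                                  # TerminalID
    return header + struct.pack("<H", len(body)) + body

def scan_directory(root: str) -> list:
    """Triage every .lnk below root, e.g. the mount point of a USB stick."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".lnk")):
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    results.append((full, triage_lnk(fh.read())))
            except (OSError, ValueError) as exc:
                results.append((full, {"error": str(exc)}))
    return results

if __name__ == "__main__":
    for full, verdict in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(full, verdict)
```

Run it from a machine that does not auto-render shortcut icons (a Linux host, or a Windows host with Explorer's icon rendering out of the picture), and treat any "suspicious" verdict on a shortcut that nobody remembers creating as grounds to quarantine the drive.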

The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised. Its driver components are digitally signed with genuine code-signing certificates belonging to two Taiwanese hardware manufacturers (Realtek and JMicron), so Windows installs them without the warnings an unsigned driver would trigger. It is not known how the signing keys were acquired, but reportedly they were stolen without the companies' knowledge.

Once a machine is infected, the Trojan checks for Siemens' Simatic WinCC software. If it is present, the malware accesses the WinCC project's Microsoft SQL Server back-end database using a built-in password that has been circulating in German and Russian product forums since 2008. Because the password is hardcoded into the WinCC executable code, changing it with the SQL Server management tools simply causes WinCC to stop working; the end user cannot rotate the credential.
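An integrator cannot fix a vendor's hardcoded credential, but can find out which ones exist before an attacker does. The following is an added example, not code from the article or from Siemens: a scanner that pulls connection-string style `key=value` pairs out of an executable or firmware image, in both ASCII and UTF-16LE (the usual encoding for strings in Windows binaries), and reports their file offsets. The sample binary, the server and account names in it and the password values are all constructed for the example.

```python
"""Scan a binary for embedded database connection strings and passwords.

Looks for the key=value pairs used by ODBC/OLE DB connection strings in both
ASCII and UTF-16LE and reports where they sit. Run it over a vendor executable
or firmware image to learn which credentials you cannot rotate, so that you can
at least fence off the service they unlock.
"""
import re
import sys

# Keys that carry a secret or identify the account and server using it; the
# value runs to the next ';' or string terminator.
_KEY_PATTERN = re.compile(
    r"(?i)\b(pwd|password|uid|user id|user|server|data source)\s*=\s*([^;\r\n\x00]{1,64})"
)
SECRET_KEYS = {"pwd", "password"}

def _views(blob: bytes):
    """Yield (label, text, base_offset, bytes_per_char) for each decoding.

    UTF-16LE is tried at both byte alignments; surrogatepass keeps every byte,
    so text offsets map back to file offsets exactly.
    """
    yield "ascii", blob.decode("latin-1"), 0, 1
    for start in (0, 1):
        chunk = blob[start:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield f"utf-16le@{start}", chunk.decode("utf-16-le", "surrogatepass"), start, 2

def find_embedded_credentials(blob: bytes) -> list:
    """Return [{offset, encoding, key, value, secret}] for each hit, in file order."""
    hits = []
    for label, text, base, width in _views(blob):
        for m in _KEY_PATTERN.finditer(text):
            key = m.group(1).lower()
            hits.append({
                "offset": base + m.start() * width,
                "encoding": label,
                "key": key,
                "value": m.group(2).strip(),
                "secret": key in SECRET_KEYS,
            })
    return sorted(hits, key=lambda h: h["offset"])

def mask(value: str) -> str:
    """Never write a recovered secret into a report; show its first char and length."""
    return value[:1] + "*" * (len(value) - 1) if value else ""

# Constructed sample standing in for a vendor executable: an MZ stub, padding,
# one ASCII connection string and one UTF-16LE one. All names are made up.
SAMPLE_BINARY = (
    b"MZ" + b"\x90" * 62
    + b"Provider=SQLOLEDB;Server=HMI01\\SCADA;Database=PROJECT_DB;UID=hmi_svc;PWD=Spring2008!;"
    + b"\x00" * 17
    + "Data Source=HMI01\\SCADA;User ID=archiver;Password=tagdump;".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for h in find_embedded_credentials(data):
        shown = mask(h["value"]) if h["secret"] else h["value"]
        print(f"{h['offset']:#08x} {h['encoding']:<11} {h['key']:<11} {shown}")
```

Since the password itself cannot be changed without breaking the product, the usable response is network-level: restrict the SQL Server port so that only the HMI and engineering hosts that legitimately need the database can reach it, and treat any other client connecting with that account as an incident rather than a curiosity.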

Once the malware locates its target data, it attempts to upload it to a remote server. Without an Internet connection the attempt fails, but the same computer may be deliberately connected to the Internet at some future time, for updates, for maintenance, or even after decommissioning. And because the malware includes a back door, any connection that is eventually established with the remote server could be used to download further commands.
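The flip side of the paragraph above is that a control-system host which should have no Internet path gives itself away the moment it tries to use one: even a dropped outbound attempt from an HMI is a signal worth an alert. The script below is an added example, not from the article, that runs that check over perimeter firewall logs. The one-event-per-line log format, the OT address plan and the sample events are constructed for the example; the parser is the part to adapt to whatever your firewall actually emits. The public addresses in the sample come from the RFC 5737 documentation ranges, so the example treats everything outside the private, loopback, link-local and multicast ranges as "Internet".

```python
"""Flag outbound connection attempts from control-system hosts to the Internet.

A machine on a network with no Internet path should never try to reach a public
address. Repetition of the same (source, destination, port) separates a
beaconing implant from a one-off typo in a browser.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed address plan: the OT subnets that must never originate Internet traffic.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("192.168.50.0/24")]

# Anything outside these ranges is treated as a public (Internet) address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Constructed log format: "<timestamp> <ALLOW|DROP> src=.. dst=.. proto=.. dport=.."
_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_line(line: str):
    """One event as a dict, or None for lines that are not events."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev

def is_ot_host(addr) -> bool:
    return any(addr in net for net in OT_NETWORKS)

def is_public(addr) -> bool:
    return not any(addr in net for net in NON_ROUTABLE)

def find_exfil_attempts(lines) -> list:
    """One alert per (src, dst, dport) where an OT host tried to reach a public
    address, with how often it happened and whether any attempt was allowed."""
    counts, first_seen, actions = Counter(), {}, defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_ot_host(ev["src"]) or not is_public(ev["dst"]):
            continue
        key = (str(ev["src"]), str(ev["dst"]), ev["dport"])
        counts[key] += 1
        first_seen.setdefault(key, ev["ts"])
        actions[key].add(ev["action"])
    return [
        {"src": k[0], "dst": k[1], "dport": k[2], "count": n,
         "first_seen": first_seen[k], "actions": sorted(actions[k])}
        for k, n in sorted(counts.items(), key=lambda kv: kv[0])
    ]

# Constructed sample: an HMI retries the same public host every half hour (all
# dropped), an engineering laptop is let out once, a corporate host browses.
SAMPLE_LOG = """\
2010-07-20T08:00:01 ALLOW src=10.20.1.15 dst=10.20.1.2 proto=TCP dport=1433
2010-07-20T08:05:12 DROP src=10.20.1.15 dst=203.0.113.7 proto=TCP dport=80
2010-07-20T08:35:12 DROP src=10.20.1.15 dst=203.0.113.7 proto=TCP dport=80
2010-07-20T09:05:13 DROP src=10.20.1.15 dst=203.0.113.7 proto=TCP dport=80
2010-07-20T09:10:00 ALLOW src=192.168.50.8 dst=10.0.0.5 proto=TCP dport=445
2010-07-20T09:12:44 ALLOW src=10.99.3.3 dst=198.51.100.20 proto=TCP dport=443
2010-07-20T10:00:00 ALLOW src=192.168.50.8 dst=203.0.113.7 proto=TCP dport=443
this line is not an event
""".splitlines()

if __name__ == "__main__":
    for alert in find_exfil_attempts(SAMPLE_LOG):
        print(alert)
```

The "actions" field matters: a DROP tells you the segmentation held and something on the HMI is trying; an ALLOW tells you the segmentation did not hold and the upload described above may already have happened.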

So the big question is, "What's at risk?" The malware appears to be stealing "industrial automation layout design and control files specific to control systems", according to Kevin Haley, director of Symantec Security Response. Given how little is understood about control systems outside the industry, this statement is probably best read as the theft of HMI screens and tag names, which would give a saboteur a better understanding of how to create a disruption should access to the system be gained. If the saboteur's intentions are not destructive, the stolen data could still reveal confidential process and production information: a form of industrial espionage.

According to an article dated 7/19/2010 on Wired.com, Siemens reported that it learned of the malware on July 14 and assembled a team to evaluate the problem. Siemens said it had also alerted customers to the risk of infection. The statement made no mention of the hardcoded password.

But hardcoded passwords are not a problem for Siemens alone. According to industrial security experts, over half of control system vendors use hardcoded passwords in their executable code or firmware. System efficiency, stability and safety have always been the paramount goals of a well-implemented control system, and protection against intrusion has been a secondary concern. However, the SANS Institute, which trains security professionals, has reported that wide-scale exploitation of industrial control systems is expected to be only a matter of time.

This article was compiled from several industrial and commercial sources, including the CSIA (Control System Integrators Association) connected community forum and Wired.com website.

 