Home > Critical Infrastructure Security, Information Security, SCADA Security > SCADA Malware in the Wild – Updated

SCADA Malware in the Wild – Updated

I first came to hear about this new SCADA malware via mikko hypponen (CRO at F-Secure) twitter account. This is an interesting new malware that spreads via USB storage devices exploiting a previously unknown flaw in Windows shortcuts.

Source F-Secure blog

What’s particularly interesting is that this malware appears to be targeting SCADA systems specifically ( in this case Siemens SIMATIC WinCC).

The rootkit components are digitally signed by a valid yet expired Realtek Semiconductor Corp. signature.

You can see a screen shot of the certificate below (Source H-Secure)

Realtek Digital certificate -used in the malware

Realtek Digital certificate -used in the malware

The malware targeting the Siemens SIMATIC WinCC database appears to use a hardcoded admin username and password combination that end users are told not to change. (according to the F-Secure Blog).

I did some googling and found that the hard coded user name and password have been lurking online for at least 2 years now on siemens own forums (Russian forum Here)

Its only fair to say that any company infected with this attack is completely vulnerable to this compromise.

The payload source code (Available from Here) appears to be collecting descriptions of the installed controller variables (see below) as well as a scan on any other databases installed

view MCPVREADVARPERCON as select MCPTVARIABLEDESC.VARIABLEID,MCPTVARIABLEDESC.VARIABLETYPEID,MCPTVARIABLEDESC.FORMATFITTING,MCPTVARIABLEDESC.SCALEID,MCPTVARIABLEDESC.VARIABLENAME,MCPTVARIABLEDESC.ADDRESSPARAMETER,MCPTVARIABLEDESC.PROTOKOLL,MCPTVARIABLEDESC.MAXLIMIT,MCPTVARIABLEDESC.MINLIMIT,MCPTVARIABLEDESC.STARTVALUE,MCPTVARIABLEDESC.SUBSTVALUE,MCPTVARIABLEDESC.VARFLAGS,MCPTVARIABLEDESC.CONNECTIONID,MCPTVARIABLEDESC.VARPROPERTY,MCPTVARIABLEDESC.CYCLETIMEID,MCPTVARIABLEDESC.LASTCHANGE,MCPTVARIABLEDESC.ASDATASIZE,MCPTVARIABLEDESC.OSDATASIZE,MCPTVARIABLEDESC.VARGROUPID,MCPTVARIABLEDESC.VARXRES,MCPTVARIABLEDESC.VARMARK,MCPTVARIABLEDESC.SCALETYPE,MCPTVARIABLEDESC.SCALEPARAM1,MCPTVARIABLEDESC.SCALEPARAM2,MCPTVARIABLEDESC.SCALEPARAM3,MCPTVARIABLEDESC.SCALEPARAM4 from MCPTVARIABLEDESC

Microsoft released an advisory on the USB flaw Here

In a reference that this might be a serious case of corporate espionage (ZdNet said in a related article that Security company Sophos announced on Friday that it was aware of instances of the malware spreading in India, Iran and Indonesia. Sophos senior technology consultant Graham Cluley told ZDNet UK that the rootkit circumvents preventative measures such as disabling autorun and autoplay in Windows.) Source Here

My Comments:

Going through the facts, I can say that its just another attack that builds upon a long series of flaws (Technical and Non Technical):

Mistake # 1: Siemens Hard coded Admin passwords in Critical Infrastructure Systems, and to be honest the passwords are not that great either ( Only 7 character Long, and only alphanumeric !! )
Mistake # 2: The passwords wich are supposed to be confidential have been circulating the public forums and on Siemens very own forums for at least 2 years now. In some of the posts Siemens asks the operators who try to change those passwords – Not to do it !!
Mistake # 3: Dear Microsoft: When are you going to change your flawed concept of… It’s Signed, therefore it’s Clean. (Referencing the F-Secure Presentation)
Mistake # 4: I am really surprised with how easy for any one to find a good and Looong list of Famous companies using the WinCC , all you need now is to slip in a thumb drive.

— Update —

Siemens Official Update on the situation. (Source)
>
> —————————–
Immediately upon notification of the virus on July 14, Siemens assembled a team of experts to evaluate the situation and began working with Microsoft and the distributors of virus scan programs to analyze the virus. The Trojan/virus is spread via a USB stick, using a security breach in Microsoft Windows. The virus, which affects operating systems from XP upward, detects Siemens WinCC and PCS7 programs and their data.
Siemens has now established through its own tests that the software is capable of sending both process and production data via the Internet connection it tries to establish. However, tests have revealed that this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
We are informing our customers and investigating how many systems could be affected. Currently, there is only one known case in Germany of infection which did not result in any damage. We do not have any indication that WinCC users in other countries have been affected.

What platforms are affected/may be affected?
Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface. Normally every plant operator ensures, as part of his security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/ viruses from infiltrating the plant.
The following solutions are being developed:
• Microsoft will be offering an update (patch) that will close the security breach at the USB interface.
• Suppliers of virus scanning programs have prepared up-to-date virus signatures that are currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
• Siemens is also developing a software tool that customers can use to check a Windows PC and determine if it has been infected by the virus. The tool will be distributed via the Siemens

Advisory:
http://support.automation.siemens.com/WW/view/en/43876783

What immediate action should customers take?
• Do not use any USB sticks
• Install updates as soon as they become available.

Advertisements
  1. February 21, 2012 at 2:24 pm

    i need a software to simulate plc’s of scada.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: