CG1007_Malware
CG1007_Malware
CG1007_Malware
CG1007_Malware
CG1007_Malware

Malware Hits Siemens Software

July 19, 2010
News of an Ugly Piece of Malware That Has the Potential to Affect SCADA Systems in Industrial Plants and Municipal Systems Is Making the Rounds on the Internet

News of an ugly piece of malware that has the potential to affect SCADA systems in industrial plants and municipal systems is making the rounds on the Internet.

In an email sent over the weekend, Eric Byres, chief technology officer with security consultancy Byres Security, said, "Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability.

"At the same time I also became aware of a concerted denial-of-service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line."

Byres' observations were confirmed by other sources.

Siemens has already notified customers, says spokesman Michael Krampe. "Siemens was notified about the virus that is affecting SCADA (Supervisory Control and Data Acquisition) systems, which include its Simatic WinCC, on July 14. The company immediately assembled a team of experts to evaluate the situation. Siemens is taking all precautions to alert its customers to the potential risks of this virus."

According to Krampe, "Based on the report issued from Heise Online on July 15, 2010, this Trojan horse for Windows 7 operating systems is activated by the insertion of a USB device into a PC."

ZDNet UK reports that Microsoft is also investigating the reports and has promised to "take appropriate action to protect users and the internet ecosystem."

The consensus of security experts at the moment is that the goal of the malware is to gather information from the infected machines' databases, leading to the conclusion that industrial espionage, rather than damaging of systems may be the motive.

Byres' email contains the following analysis of the situation at present.
"As best as I can determine, the facts are as follows:
•  This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (There are workarounds which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
• The malware is propagated via USB key. It may be also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The only known workarounds are

• NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not;
• Disabling the displaying of icons for shortcuts (this involves editing the registry);
• Disabling the Web Client service."


Joe Weiss, ControlGlobal blogger and principal at Applied Control Solutions (http://realtimeacs.com), adds what he calls "Big Picture Issues" raised by this event.

"Use of digital signatures: To get around Windows systems that require digital signatures—a common practice in control system environments, the virus uses a digital signature assigned to semiconductor maker Realtek. This key signature is not valid. This has significant ramifications for key management for Smart Grid, DNP, etc.

Applicability: The virus was 'tailored' to the Siemens SIMATIC PLC WINCC environment. However, as Eric Byres mentions in his white paper, '…Furthermore, any Windows systems can be infected by this malware, regardless of whether or not Siemens software is present.' This begs the question of whether other ICS HMI (Human Machine Interface) vendors have examined their systems to determine if this virus can impact their systems. This problem may be analogous to the GE XA21 SCADA latching problem that affected the 2003 Northeast Outage. How many other SCADA vendors had similar hidden software flaws?

Applicable testing: The NERC CIPs and NRC Regulatory Guide 5-71 have testing requirements. However, those testing requirements may be inadequate for this virus.

Lack of adequate ICS cyber forensics: What should an end user look for? Intrusion Detection Systems (IDs) are not meant to address USBs.

Disclosure process: US CERT is treating this as a Microsoft problem rather than a control system problem. The US CERT site has this identified as 'Microsoft Windows LNK Vulnerability,' with no mention of Siemens or control systems. It identifies the Microsoft Security Advisory 2286198 where Microsoft is treating this as a user privileges problem. Siemens is not identified in the Microsoft Advisory. As of July 19, this vulnerability is not shown on the US CERT Control Systems website.

Workarounds: Workarounds can have serious side effects. Disabling the displaying of icons for shortcuts will prevent shortcut files and Internet Explorer shortcuts from having an icon displayed. This can have unacceptable impacts for the end user. Disabling the Web Client service will prevent Web Distributed Authoring and Versioning (WebDAV) requests from being transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer. This can also have unacceptable impacts for the enduser. Any SNMP connection can be a vector in. However, ICSs need these connections. Patching can be a problem as many ICSs cannot be patched for significant periods of time."

Additional information about this malware can be found here (requires site registration) and here.

Joe Weiss at the “Unfettered” blog has also started a discussion chain on the issue here.