July 21, 2010 4:00 AM PDT

Details of the first-ever control system malware (FAQ)

by Elinor Mills
India, Indonesia and Iran are getting hit the most by the Stuxnet worm.

(Credit: Symantec)

The security world is aflutter over new malware that has been spreading via USB devices and is programmed to steal data from systems running specific software used in utilities and industrial manufacturing plants.

There are a lot of moving parts to this story so we've decided to break them down and tell you what is happening and how it impacts you.

What is the malware exactly?
The attack involves several components: a worm that spreads via USB drives and exploits a previously unknown vulnerability in Windows and a Trojan backdoor that looks to see if an infected machine is running a specific type of software created by Siemens used in control systems including industrial manufacturing, utilities and even nuclear powered aircraft carriers.

The worm, dubbed Stuxnet, propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files, ending in ".lnk," according to a Microsoft Malware Protection Center blog post. Merely browsing to the removable media drive using an application that displays shortcut icons, such as Windows Explorer, will run the malware without the user clicking on the icons. The worm infects USB drives or other removable storage devices that are subsequently connected to the infected machine. Those USB drives then infect other machines much like the common cold is spread by infected people sneezing into their hands and then touching door knobs that others are handling.

The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using digital certificates signed by two Taiwanese chip manufacturers that are based in the same industrial complex in Taiwan--RealTek and JMicron, according to Chester Wisniewski, senior security advisor at Sophos. (Sophos has posted a video on YouTube showing how a computer is infected.) It is unclear how the digital signatures were acquired by the attacker, but experts believe they were stolen and that the companies were not involved.

Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens' Simatic WinCC software. The malware then automatically uses a default password that is hard-coded into the software to access the control system's Microsoft SQL database. The password has been available on the Internet for several years, according to Wired's Threat Level blog.

The malware is stealing industrial automation layout design and control files specific to control systems, said Kevin Haley, director of Symantec Security Response. Once the malware locates the data it is looking for it encodes it and attempts to upload it to a remote server. The malware waits for a response from the server, which may contain more commands, he said.

When did this problem arise?
Microsoft said it suspects that Stuxnet has been active for at least a month. An antivirus vendor in Belarus called VirusBlokAda said it discovered the malware in June. Researchers have provided technical details in this paper.

Microsoft released a security advisory on the issue on Friday, saying it had seen limited, targeted attacks using the exploit. Proof-of-concept exploit code for the zero-day Windows hole was publicly released over the weekend, and a tool to mitigate the attacks was then released by security researcher Didier Stevens.

The attack was first reported on the Krebs on Security blog.

Who is impacted?
The top countries being affected by this attack are India, Indonesia and Iran, while the U.S. is in the top 6, according to Symantec.

How widespread is it?
Siemens doesn't know how many systems have been affected but has learned of one infection at a German customer site that resulted in no damage, said spokesman Michael Krampe. "We do not have any indication that WinCC users in other countries have been affected," he said in a statement on Tuesday.

Since control systems are typically not connected to the Internet, USB drives are a logical way to try to infect them. However, plant operators tend to restrict access to critical control system data via USB drives to prevent security compromises, said Krampe.

Meanwhile, Symantec researchers said they are seeing between 8,000 and 9,000 infection attempts a day.

What does it mean for consumers?
Infected computers that are not running the Siemens software will merely spread the worm to USB devices that are plugged into the computer thereafter, until the infection is cleaned up. However, there is a risk that someone else will use the exploit to distribute malware that is more dangerous and that targets systems other than those running the Siemens software, Wisniewski said.

Is there a fix?
The worm is detected by the major antivirus software, and up-to-date virus signatures are being tested by Siemens and should be approved for use by the end of the week, Siemens' Krampe said. Siemens is working on a security update for its Simatic software to address the issue and will provide a software tool this week that customers can use to check for the virus on their PCs. Customers should check the Siemens support site for updates.

Microsoft is also working on a patch and, in the meantime, has provided instructions for a workaround in a security advisory. The workaround includes disabling the display of icons for shortcuts and disabling the WebClient service. Microsoft is no longer providing support for Windows XP SP2 and Windows 2000 and therefore will not be providing patches for them, so computers running those versions of Windows will be vulnerable until they are upgraded to newer versions.

The Microsoft workaround protects computers from being infected by the worm; however, it changes all the desktop icons into generic white paper icons, which may cause confusion for many non-tech-savvy users, Wisniewski of Sophos said. He goes into more detail and provides a screen shot in this blog post.

Businesses with IT staff will be better able to handle the workaround and can adopt other fixes, such as setting Windows to not allow any files to execute that are not on the C Drive, which would prevent the computer from running software on USB drives, Wisniewski said.
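The two workaround steps from Microsoft's advisory described above (clearing the shortcut icon handler and disabling the WebClient service) are the kind of thing an IT team would want to apply, verify and later undo across many machines. The script below is an added example written for this page; it is not code from the article, Microsoft or Siemens. It assumes the registry key Microsoft's advisory names for the shortcut icon handler, reads the existing value from the host before clearing it (so the backup, not a hard-coded constant, is what gets restored), and uses only standard Windows PowerShell cmdlets. The backup file location is an assumption. Run it from an elevated prompt; Explorer may need to be restarted before the icon change is visible.

```powershell
# Added example (not from the article or the vendors): apply, check and revert
# the two interim mitigations for the .lnk icon-handling vulnerability.
# Assumptions: the IconHandler key path is the one named in Microsoft's advisory;
# $BackupFile is an arbitrary location chosen for this example.

$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path $env:ProgramData 'lnk-iconhandler-backup.txt'

function Get-ShortcutIconHandler {
    # Returns the current (Default) CLSID string, or $null once it has been cleared.
    $value = (Get-ItemProperty -Path $IconHandlerKey -ErrorAction Stop).'(default)'
    if ([string]::IsNullOrEmpty($value)) { return $null }
    return $value
}

function Disable-ShortcutIcons {
    # Workaround 1: stop Explorer from loading the shortcut icon handler.
    $current = Get-ShortcutIconHandler
    if ($null -ne $current) {
        # Save the original value so the change can be reverted after patching.
        Set-Content -Path $BackupFile -Value $current -Encoding ASCII
        Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
    }
}

function Enable-ShortcutIcons {
    # Revert workaround 1 from the saved backup (use once the patch is installed).
    if (Test-Path $BackupFile) {
        $saved = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
        Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value $saved
    }
}

function Disable-WebClientService {
    # Workaround 2: stop and disable WebClient (WebDAV), the remote-share vector.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
}

function Test-LnkWorkaroundApplied {
    # Fleet check: report whether both mitigations are in effect on this host.
    $iconsOff = ($null -eq (Get-ShortcutIconHandler))
    $wmiSvc   = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $webClientOff = (-not $wmiSvc) -or
                    ($wmiSvc.StartMode -eq 'Disabled' -and $wmiSvc.State -eq 'Stopped')
    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        ShortcutIconsDisabled = $iconsOff
        WebClientDisabled     = $webClientOff
    }
}

# Apply both workarounds, then print the verification record.
Disable-ShortcutIcons
Disable-WebClientService
Test-LnkWorkaroundApplied
```

The check function is kept separate from the two apply functions so it can be run on its own from a management host to confirm which machines still need attention; reverting is a matter of calling Enable-ShortcutIcons and re-enabling WebClient once the vendor patch is deployed.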

Microsoft and VeriSign have also revoked the digital certificate used to sneak the rootkit onto computers but Sophos' Wisniewski said in his tests the malware still loads up with no warning to the user despite the revocation.

How serious is this?
The attack poses greater risk for operators of control systems and moves such direct cyberthreats from the realm of theory into reality, experts say. "Finding an exploit in the wild is a major eye opener," one control system expert said. "This is a very well thought out exploit."

"This is the first case we know of where there is a very well-constructed intentionally targeted virus aimed at industrial control system applications," said Joe Weiss, author of "Protecting Industrial Control Systems from Electronic Threats" and a longtime control system security gadfly.

Meanwhile, this type of attack is not even addressed in the industry guidelines--the NERC CIP standards, which stands for "North American Electric Reliability Corp. critical infrastructure protection"--illustrating that the industry is ill-prepared to protect against such threats, Weiss said.

There has been malware that affected control systems previously, such as the 2004 SQL Slammer worm, but none that was written specifically to attack such systems, said Jonathan Pollet, founder of Red Tiger Security, a critical infrastructure consultancy.

"The attackers could be looking for installations where the Siemens software is present, or they could be looking to do a secondary attack on those systems," Pollet said. "The big question is who is funding this effort?"

The Internet Storm Center raised its Infocon threat level to "Yellow" on Monday because of the worm. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time," the group wrote in a blog post. "The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, antivirus tools' ability to detect generic versions of the exploit have not been very effective so far."

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released its advisory (PDF) on the threat on Tuesday.

What about changing those default Siemens passwords?
Siemens spokesman Krampe says don't do it. Changing the password would interrupt communications between the WinCC software and the database and interfere with the operations. Siemens is examining ways to increase the security of the authentication procedures, he said.

Using hard-coded passwords is done across the control systems industry, said Weiss.

"What happens if you forget your password? It's the OnStar for control systems," he said. "You can't afford to just have the system totally locked up...vendors also want to be able to track their equipment in the field and provide remote maintenance."

Who is behind this and why are they doing it?
Industrial espionage appears to be the motivation because of the type of data being stolen, but it's unclear who is behind the attack. Industrial espionage has been a concern for years but intensity has ramped up since attacks on Google and other companies last year that Google said originated in China and targeted source code.

This screen shot shows how the malworm uses a fake digital signature to sneak past Windows authentication policies.

(Credit: VirusBlokAda)
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Showing 1 of 2 pages (40 Comments)
by yacahuma July 21, 2010 5:35 AM PDT
Is there anyone in MS development group with a brain? "Merely browsing to the removable media drive using an application that displays shortcut icons, such as Windows Explorer, will run the malware without the user clicking on the icons. ". WOW
6 people like this comment
by weegg July 21, 2010 6:17 AM PDT
Siemens fails too.
1 person likes this comment
by Random_Walk July 21, 2010 6:57 AM PDT
Here's an idea - don't use untrusted geek-sticks and etc. on critical industrial controls.

While yeah, Windows is (as usual) security swiss-cheese, even if the server/computer/whatever ran Linux, FBSD, or Solaris completely locked down, I damned sure wouldn't just stick in any old USB device, FFS...
6 people like this comment
by santuccie July 21, 2010 1:50 PM PDT
@Random_Walk:

Here's a better idea: disable AutoRun. You can stop USB AutoRun without stopping CD/DVD AutoPlay, in case you have a use for it. This is not a drive-by download, people. It doesn't take an ACL kernel lockdown to defend against something like this. I'm surprised people are still deliberating what to do about USB malware, as they've been telling us the solution since Conficker (and probably prior). Microsoft had said at one point that they were going to release a security patch to disable AutoRun; wonder what happened to that?

Here's my quick and easy registry hack (works for XP - W7, not tested on Server 2k3 or 2k8): http://disableautorunusb.blogspot.com/

As far as "security Swiss cheese" goes, the same can be said to an even greater degree for your platform, whose vendor is so "skilled" and so "tidy" that they borrowed someone else's kernel, failed twice to duplicate DEP, and have failed twice to date to duplicate ASLR. And while I don't have enough evidence to come right out and say that IIS is inherently tougher than Apache, I should remind you that, while Apache-powered sites outnumber IIS-powered sites by barely double, the number of successful attacks on Apache servers is triple that of successful attacks on IIS (at least as of 2007), making IIS statistically 1.4 times as secure as Apache. And unless you want to retract your argument that status quo makes your platform more inherently secure than the market leader - which would weaken your position even further - I would expect you to back off this lawn before your toes reach all the way to your soft palate and gag you.

Bottom line: ANYONE can be the victim of a zero-day, even on OpenBSD itself. While I laugh at the poor, diddled, sitting ducks who believe so blindly that Apple has been protecting them all along; the truth is that even 64-bit Windows 7 or Vista are less than 100% secure. Even if it's been four years without a single, ItW drive-by download, and even if we never see one, even an expert could accidentally click the close (X) button on a popup and install a rogue antivirus. "As long as you can install software on your computer, you can install malicious software on your computer." Any platform that is not read-only is vulnerable. Racketing back and forth about which is more or less vulnerable than the other is something Kindergarteners do; I'd prefer to read suggestions from experienced users on how to defend oneself against known zero-days until SDL catches up to patch the vuln. That would be so much more productive.
3 people like this comment
by santuccie July 21, 2010 2:31 PM PDT
Correction: I should have said, "another idea," not "better idea." I would not recommend using untrusted flash drives on critical systems, or any unit on which work is done and/or sensitive information stored. That said, even "trusted" flash drives can be infected, therefore AutoRun is best disabled.
1 person likes this comment
by redgrum July 22, 2010 3:39 AM PDT
Disabling autorun doesn't work:

http://www.zdnet.co.uk/news/security/2010/07/16/spy-rootkit-goes-after-key-indian-iranian-systems-40089564/?tag=mncol;txt

'Sophos senior technology consultant Graham Cluley told ZDNet UK that the rootkit circumvents preventative measures such as disabling autorun and autoplay in Windows.

"This waltzes around autorun disable," said Cluley. "Simply viewing the icon will run the malware."

Which sucks.
3 people like this comment
by Seaspray0 July 22, 2010 8:45 AM PDT
@random walk. "Windows is (as usual) security swiss-cheese" Stop with the lies, slander boy.

http://news.cnet.com/8301-1009_3-10154662-83.html
The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years
by Random_Walk July 22, 2010 10:48 AM PDT
Funny, but it appears that the Windows Fanboy Choir still hasn't figured out the difference between "vulnerability" and "active exploit" :)
4 people like this comment
by santuccie July 22, 2010 11:41 AM PDT
@Random_Walk:

That's really funny, coming from you. Have you forgotten when you pasted a link for me, that talked about a flaw in Firefox "exposing users to drive-by malware?" That was nothing more than a vulnerability, and you thought it was an active exploit.

What's also funny is that you're looking at an exploit that affects control center software, and using it in your never-ending quest to convince yourself and the rest of the world that Windows is less secure than its alternatives. How many people do you know who are running Scada at home? And is Windows the only server OS that gets exploited in the wild? You say you're a network administrator; if so, then you should have seen plenty of Apache exploits. Apache is only twice as prevalent as IIS, and yet it is exploited three times as often.

Either you are a network administrator, or you're not. If you are, then your argument here was purely subjective, ignoring ever present Apache exploits in your desperate search for Windows exploits (especially drive-by downloads affecting post-XP consumer versions), and completely null and void. If you aren't, then a vast majority of your posts here at CNET are null and void (and you need a life). Which is it?

@redgrum:

Thank you for this information.
1 person likes this comment
by santuccie July 22, 2010 12:20 PM PDT
@Random_Walk:

Bottom line, you are bashing Windows and don't know why. Your argument switches back and forth; we know that you WANT for OS X to be more inherently secure than Windows, and you go right ahead and make this claim every time you enter a new forum (hoping no one will show up who knows better), knowing full well that it is false. Then someone reminds you of Pwn2Own and/or Landon Fuller, and points out that Windows has defenses to complexify exploitation of its vulnerabilities, while Snow Leopard is no tougher than XP SP2 with a limited user account (yes, XP has had DEP since 2004). And what do you do? You drop the "Windows is Swiss cheese" argument, and revert to your whole spiel about status quo and active exploits vs vulnerabilities.

You came to this forum to bash Windows for having vulnerabilities, as if your platform does not. We remind you that it does, along with almost nonexistent defenses, and you start bashing it for being the market leader and consequently a bigger target. What's really sad is knowing that you'll be back soon for another security blog, posting again that Windows is insecure, and conveniently omitting the fact well-known to you that your platform is more insecure still. And when someone fills in that blank for you, of course you'll go right back to status quo. Do you have any idea how pathetic that is?
1 person likes this comment
by Random_Walk July 22, 2010 1:41 PM PDT
1) What are you talking about?

2) It's summer. Ask your mum to let you go play outside.
3 people like this comment
by ade333 July 21, 2010 6:19 AM PDT
Great article. These are the articles that make CNET valuable - lets see more of it.
13 people like this comment
by Friar_Buck July 21, 2010 6:22 AM PDT
So my big question is why? You say "industrial espionage", but that is a rather generic term that usually implies selling secrets to competitors. But what if the motivation is not simple profit? Assuming that whoever did this targeted those systems and those specific kinds of data for a reason other than simply "because they can" and because it's marketable, what could a person or an organization do with that kind of information from control systems around the world? To what end? NOW what is the real threat?
by OniOokamiAlfador July 21, 2010 6:55 AM PDT
Industrial espionage is about getting a hold of competitor secrets, not specifically or just limited to selling them. The market advantage one company can gain by knowing product designs ahead of launch, expected profit figures, customer data, shipping prices and more is enough to make industrial espionage a genuinely serious threat.
1 person likes this comment
by Mick2012 July 21, 2010 6:23 AM PDT
Nice summary. Will be interesting to see where the worm originated, and understand the motivations.
http://www.arcweb.com/Domains/Manufacturing_IT/Cyber-Security/Lists/Posts/Post.aspx?ID=26
by javawebdeveloper July 21, 2010 8:37 AM PDT
Siemens needs to wake up here: Deploying the same DB passwords across all customers because it's "too hard" to keep track of changes? How lame can you get?
4 people like this comment
by krypter July 21, 2010 9:02 AM PDT
Hard-coding a database password is never a good idea.
2 people like this comment
by cheeseboy--2008 July 21, 2010 9:35 AM PDT
Let's see, China has the largest manufacturing economy in the world and Chinese companies are some of the largest consumers of pirated and un-patched versions of Microsoft operating systems yet they don't even show up in the top seven infected countries list. I wonder from where this worm might have originated.

http://www.wired.com/epicenter/2008/10/microsoft-peeve/
3 people like this comment
by dexter_birdbrain July 23, 2010 12:17 PM PDT
And guess who is China's growing regional arch-rival who also happens to top the list of the infected countries list?
1 person likes this comment
by Ganymede28211 July 21, 2010 9:59 AM PDT
Using built in hardcoded passwords has been a serious issue for many years. I remember a program...called HD Menu I think.. the US Marine Corps used on almost every PC @ Camp Lejeune in the 80s/90s. Kept applications in a menu and allowed access to different ones based on a password. There was a password you could enter that gave you "developer" access and let you run everything or even exit the program and do whatever you liked. So much for government security.
by DeathMagnet July 21, 2010 10:43 AM PDT
I'm confused. If most of the industrial machines that this thing is looking for are off the internet (thus needing the stick to distribute) how does it upload the data it discovers to a server on the net?
by Big! July 23, 2010 9:23 AM PDT
Waits for a usb. Exits the same way it came in.
by hawkeyeaz1 July 21, 2010 10:52 AM PDT
So, how exactly, if the control systems are typically not connected to the internet, does the malware upload the data? Sure, for the few systems that are connected, uploading is easy, but then exploiting them via the internet is similarly as easy.

This sounds more like a warning shot across the bow to tell security-lax people (i.e., Siemens, Microsoft, companies infected by this) to straighten up before a real attack happens (or, to prevent future attacks *that you should have detected previously*).
by Market_Player July 21, 2010 11:04 AM PDT
The company I work for took an internal security audit and this scenario was the number one reason we have taken Windows out of control system areas.

We moved all of our mission critical systems over to Xserve that control 4 reactors, and thousands of atmospheric pressure systems.

It was not fiscally responsible to keep Windows in that loop any longer; when we looked at the performance of the economy, it was the perfect time to truly evaluate where wasted money was going.
When we looked at Windows from a security point of view (for our needs) it came in last every time when compared to *nix.
The money that was allocated to procurement of the new systems has been saved 1.33 times now, due to maintenance reduction, and we were able to lay off 80% of the previous IT team that took care of that division.
5 people like this comment
by n3td3v July 21, 2010 11:28 AM PDT
The Taliban, Al-Qaeda aren't interested in cyber terrorism, n3td3v Security says

by n3td3v July 20, 2010 1:49 PM PDT

This proves there is no cyber terrorism threat, if there was the US
would be shut down by now. It would take two minutes with this exploit
to shut down the entire US's critical infrastructure.

by MD_Willington July 20, 2010 2:20 PM PDT

Not everyone uses this SCADA software, there are other vendors.

by n3td3v July 20, 2010 2:32 PM PDT

The Taliban et al. could still do significant damage, and they
haven't; you've got to ask yourself why?

The answer is, there is no cyber terrorism threat and it's just a
vector being ramped up politically by Washington to get more power and
profit vectors.

---

Andrew Wallace

Security consultant and industry expert

Founder of n3td3v Security
by edvardl July 21, 2010 11:38 AM PDT
In response to Joe Weiss' remark regarding the NERC CIP standards not addressing this type of attack, I'd just like to point out that while the CIP standards do not address USB media specifically, they do address patching (CIP-007 R 3), Anti-virus installation (CIP-007 R4) and changing default passwords on (CIP-007 R5). Since this is basically malware that a) can be detected using up-to-date anti-virus, b) can't do its "job" if the passwords were changed from default and c) will be ineffective once a patch from Microsoft is available, I'd say the standards have this pretty much covered.

One thing that would be nice is a requirement on what needs to be done with media entering the ESP/PSP - kind of the opposite of CIP-007 R7 (disposal/redeployment). I'd suggest secure wiping of blank media and an A/V scrub of media with data on it. Unfortunately, if you need to move data from outside the ESP into the ESP via removable media, not even scrubbing the media would have been useful when this exploit first appeared - being a zero day exploit with no patch and no A/V signatures, nothing would have prevented it from infecting a system. Changing the passwords would have prevented it from being successful in stealing data though.

The fact that you can't change the passwords without breaking the control system is the real problem in this case, but it's not one that the standards can fix - only the vendor can do that.
1 person likes this comment
by edvardl July 21, 2010 11:40 AM PDT
Oh and CIP-005 R2.2 requires that only required ports be opened on access points to the ESP - assuming one does that on both outgoing and incoming traffic, that should do a reasonable job of disallowing the malware from calling home with the stolen information...
1 person likes this comment
by dgrant6230 July 21, 2010 12:12 PM PDT
If the target computers are not connected to the net then
- how is Symantec monitoring infection attempts
- how is any stolen data sent to the remote server
2 people like this comment
by tekwiz4u July 21, 2010 3:32 PM PDT
Any word on HOW it got the files digitally signed? I know Windows will prompt on unsigned drivers, but if the authentication is tricked, this REALLY concerns me.

@Elinor - Any word from Verisign about this?
1 person likes this comment
by edvardl July 21, 2010 6:50 PM PDT
@santuccie - I agree that disabling autorun is a good idea, but if you review the vulnerability being exploited by this, you'll note it doesn't require autorun to be enabled. All it takes is the user browsing the stick with Windows Explorer, which most people would do if they wanted to copy some files to/from the stick. The bug in Microsoft's .lnk parsing code takes care of the rest. So even with autorun disabled, you'll be infected the second you open that stick.
by AllenLKelly July 21, 2010 6:58 PM PDT
VeriSign has revoked the certificates in question.

More details here:
https://blogs.verisign.com/ssl-blog/2010/07/code_signing_certificates_used.php
1 person likes this comment
by mechengineer1400 July 21, 2010 7:21 PM PDT
What NUMBNUTS would use Windows for a critical control system? Microsoft specifically states that Windows is not intended for mission-critical applications. How long before some 9 year old kid who knows "computer" is spelled with a "c" takes down the electrical grid on a double-dare?
2 people like this comment
by minnA8888 July 22, 2010 7:44 AM PDT
Brian Krebs was NOT the first person to break this story. That was the lesser-known Belorussian firm VirusBlockAda, who published their description on July 10. Quite a few Russian IT security publications picked it up after that (Webplanet for one), and he probably took it from there. Give credit where credit is due, please.

http://anti-virus.by/press/viruses/3948.html

Google translate does an OK job
2 people like this comment
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.