Date: 20 July 2010
Click here for printable version
Updated 21/07/2010 - see  information from Siemens
Updated 22/07/2010 - see What is the potential impact for SCADA and other Microsoft
Updated 23/07/2010 - New information from Symantec about malware functionality. See
reference reference 22. Siemens has released a Simatic security update and a
tool to detect the Stuxnet malware. See updated reference 19.
Updated 29/07/2010 - New information from Symantec about malware functionality. See
references reference 12 and reference 22 .
Updated 3/08/2010 - Microsoft has released an out of band patch to correct the .LNK
vulnerability today (AEST). See new reference 23.
Updated 16/09/2010 - Microsoft has released a patch to correct a second 0 day
vulnerability that was exploited by the Stuxnet malware and advised of two further less serious 0 day
vulnerabilities which remain unpatched. See new reference 24. Siemens has now advised of 15 known cases of its platform being compromised by this malware (at 7 September 2010).
This blog has been updated on many occasions since it was first published on 20 July 2010 as new and interesting developments have emerged. These developments demonstrate that the attacker is well-resourced, sophisticated and may herald the emergence of new more ominous cyber threats. Key points which support this assessment are:
the use of four zero day vulnerbilities, of which two have since been patched, and at least one other older vulnerability indicates considerable investment of research time and/or dollars to find effective methods of exploitation;
the use of software digital certificates which appear to have been stolen from two Taiwanese based companies for the purpose of "signing" parts of the malware code;
the malware has been around for about 12 months prior to it becoming well-known publicly demonstrating long-term activity by the attacker. Industries with the affected Siemens software should assess whether they may have already been exposed to harmful system interference by the malware, prior to knowledge of the malware being made public in June 2010;
the functionality of the malware indicates a high level of knowledge of the Siemens systems themselves;
functionality of the malware to steal and exfiltrate configuration and database information and control and modify the function of the software's programmable logic controllers indicates that espionage and/or sabotage was the goal. Also worthy of further consideration by the industries that deploy the targeted Siemens software, is what the potential is for harm to public safety and health in the event the malware was able to modify critical system processes?
- Although there have been other cases of attackers compromising SCADA systems with both intended and unintended consequences, this appears to be the second case of a targeted attack on a SCADA system, using malware built for that purpose. 
Siemens has recently confirmed that malware is targeting two of its SCADA products. 
On 17 June 2010, a Belarus anti-virus company, VirusBlokAda, reported
that it discovered a previously unknown bug in the Microsoft Windows 7
operating system, which was being actively exploited by malware.
. At the time, AusCERT was unable to confirm the
credibility of the report made in relation to Microsoft or
the malware itself.
Since then, Microsoft has confirmed this vulnerability exists and released a Security Advisory
At the time, AusCERT reported that some SCADA products may be affected by this vulnerability,  but until
recently only a few of
the AV vendors that had analysed the malware confirmed this.
Information about the malware has been passed to anti-virus companies
and detection of the malware, commonly referred to as Stuxnet ,
improved considerably since it was first discovered in June. Although,
the malware contains a rootkit, Microsoft and other AV vendors report it
will still be able to detect the malware.
Which products are affected?
The vulnerability in the Windows Shell (explorer.exe) affects the following operating systems:
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008
Note that unsupported Microsoft Operating systems are also affected, such as Windows 2000.
Once installed, the malware looks for specific Siemens
Supervisory Control and Data Acquisition (SCADA) applications.
A security researcher, Frank Boldewin, reported that the malware targets SIMATIC WinCC. Symantec
 has confirmed from its analysis that the malware targets Siemens’ SIMATIC Step7  and now
Siemens has confirmed the malware targets both its WINCC and PCS7.
Microsoft has since advised (13 September 2010) of three further vulnerabilities that are exploited by the malware — one of which has since been patched and two local privilege escalation vulnerabilities which are currently (16 September 2010) unpatched.  The fact that the attackers were aware of, and were able to exploit, so many 0 day vulnerabilities is a further indication that the attackers had considerably planning resources at their disposal.
Symantec has also reported that in addition to the four zero day vulnerbilities (two of which have since been patched), the malware also exploited some older vulnerabilities.
How does it propagate?
The malware propagates by removable media and Windows file shares.
What is the potential impact for SCADA and other Microsoft systems?
The full capability of this malware and the attacker's objectives are continuing to emerge and be assessed as new analysis becomes available. While it is
concerning that the malware reportedly targets specific Siemens SCADA products,
the real impact — in the event the malware remained undetected — depends on the criticality and nature of the infected systems deployed and how the attacker chooses to manipulate the systems affected by the malware.
Fortunately, these impacts do not appear to have been realised and continue to be in the realm of assessment and speculation. Siemens has reported that to date (7 September 2010) it is aware of 15 cases of its software being affected by the malware but as yet with no adverse impact..
Siemens has now confirmed (dated 21 July 2010) from its tests that the malware is capable of
sending process and production data.
Symantec (dated 22 July 2010) has announced that the malware "is able to alter any data that is
being accessed or requested by the application", which we
take to mean the Siemens WinCC or Step 7 applications. Symantec also states that some functions
"appear to relate to reading, writing, finding, and deleting
blocks" and that it is conducting further analysis "to determine the attacker’s intentions" based on
the functionality of the malware. .
It appears, therefore, that the malware has a broad range of functions (including read and write).
Utlimately which of these functions are utlised would depend
largely on the attacker, once he/she has control of the system. Symantec has confirmed that the
malware can "obtain files and run various queries
to collect information. It may also gather other information relating to
servers and the network configuration. " Symantec (29 July 2010) has also stated that the main goal of
the malware is to:
to steal SCADA related design plans and to hook specific SCADA related functions to perform malicious
While initial analysis indicated this is likely to be for
industrial espionage purposes, it is clear now
that the malware allows for a range of possible actions -
including espionage and sabotage. AusCERT supports assessments that
SCADA systems, being systems to control remote devices which control or monitor
critical systems, are more likely to be used for sabotage, disruption and
denial or service of critical services. Attacks on SCADA systems generally would
not be regarded as an ideal method for gathering useful competitive
intelligence, (ie espionage).
Further analysis reported by Symantec (14 September 2010) demonstrates that the malware's functions involve more than just industrial espionage. Symantec is has stated:
Espionage, or intelligence gathering, is often a precursor to other operations which could potentially be more harmful than the espionage by itself.
Sabotage can also have different objectives and levels of harm. It can be designed to simply disrupt the successful operation of a system for various reasons such as to gain competitive advantage, or for political motives to disrupt an activity perceived to be undesirable; or depending on the system being sabotaged, it may be intended to cause widespread physical harm to people or property. The deployment and use of Siemens Simatic WinCC and Step 7 software is diverse. For example, according to the Siemens, it can be used to manage industrial machines to build products, mix and manufacture food, drugs, cosmetics, and chemicals and monitoring energy use, amongst many other uses. In the case of SCADA systems involving the manufacture of chemicals or pharmaceuticals, public health and safety could be jeopardised. In particular, the manipulation of food, chemical and pharmaceutical production by the malware could have harmful implications for public health and safety.
[...] the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs [programmable logic controllers] to work for them, and then they send code to the infected machines that will change how the PLCs work".
The threat's ability to control physical machinery is what sets it apart from any other threat we have seen to date and is the aspect of the threat that we find most concerning. 
In a new analysis of the malware by Ralph Langner, he advises that the function of the malware points primarily to sabotage. 
Symantec reported (29 July 2010) that some less sophisticated variants of the
malware have been developed by the attackers since 2009
 - well before the malware had been detected and analysed by VirusBlockA in June 2010.
With the deregistration of the command and control server domains, the full intention of the
attacker may never be known. However, the development of
malware that specifically targets SCADA systems may herald a new, more ominous threat.
Siemens has also stated that it is still investigating if the malware is capable of sending,
modifying (or deleting) systems data.
Until such investigations by Siemens and Symantec are
completed, it is important for all operators that use these applications
to keep an
open mind about the potential impacts of the malware and make the final
assessment based on their particular knowledge of their systems, their
criticality, the nature of the information which may be captured (ie
process, production or systems data), or modified by
the malware and its associated consequences.
Similarly, the reported use of a hard-coded password in the
Siemens product, which the malware is reported to exploit, may also present opportunities for other
attackers, including trusted insiders. Siemens has reported that it
is investigating improving the authentication method which enables the
affected WinCC application to connect to the associated Microsoft SQL
There are of course, infected Microsoft systems which do not
have SCADA applications installed and the potential for these systems to be maliciously
exploited also remains, particularly now that other exploit code has been released,
which other attackers may seek to capitalise on.
How can it be detected and mitigated?
Currently, the malware is detected by most anti-virus products despite the rootkit functionality
within the malware.
The following registry keys and system files are created but will be hidden:
Look for outbound connections to the following domains:
Not all infections may necessarily attempt to connect to
these domains. These domains are now deregistered.
Microsoft recommends :
Manual removal is not recommended for this threat. To detect and remove this threat
and other malicious
software that may have been installed, run a full-system scan with an up-to-date antivirus product
Microsoft Security Essentials, or the Windows
Live OneCare safety scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus
Other anti-virus vendors, such as Sophos, Trend Micro, McAfee and Symantec, have provided tools for
detection and removal.
Users of the affected Siemens products should contact Siemens for
specific mitigation and product hardening advice and refer to its
announcement about this issue. Siemens has released (22 July 2010) a security update for its Simatic
product, and a malware detection tool, arising from this
The malware relies on the vulnerability in Microsoft Windows Shell (and other vulnerabilities outlined above).
Therefore it is important to mitigate the affected operating system
as soon as possible, as outlined in Microsoft Security Advisory
(2286198), published by AusCERT in its ESB-2010.0628.
In addition to the workarounds recommended by Microsoft,
Sophos recommends that corporate environments set up a Windows group policy
object which prevents executables from running from drives other than the C: drive.
The malware spreads by infected USB and Windows file
shares. Although, in this case, the USB does not rely on auto-run features of
the Microsoft operating system, disabling auto-run on critical systems is still
recommended to inhibit the free availability of the device to the end-user and
to prevent other auto-run-based malware from automatically executing.
More important, in the context of this particular
vulnerability and threat is to have established strict policies and procedures
for use of USBs on business critical systems.
Of course, it will be critical to patch these Microsoft
products as soon as Microsoft releases a patch.
Users of the Siemens products affected should contact
Siemens for specific mitigation and product hardening advice. Siemens has released (22 July 2010)
a security update for its Simatic product, and a malware
detection tool, arising from this matter.
http://www.symantec.com/connect/blogs/w32temphid-commonly-asked-questions (dated 16 July
http://www.symantec.com/connect/blogs/w32stuxnet-variants (dated 29 July 2010)
components (dated 22 July 2010)
http://www.symantec.com/connect/blogs/w32stuxnet-installation-details (dated 20 July
http://www.symantec.com/connect/blogs/w32stuxnet-network-information (dated 22 July
http://www.symantec.com/connect/blogs/w32stuxnet-network-operations (dated 25 July
http://www.symantec.com/connect/blogs/w32stuxnet-variants (dated 29 July 2010)
(dated 13 September 2010)
(dated 15 September 2010)
http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities (dated 14 September 2010)
http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems (dated 14 September 2010)
Siemens product search
The first case
was of a trojan installed by the CIA in control software for a gas pipeline, which the CIA knew the USSR were planning to steal. Once deployed, the malware was programmed to change pressure in the gas pipeline which subsequently caused a major explosion of Trans-Siberian pipeline in 1982. See book by Thomas Reed in his book At the Abyss. For details see: http://pipelineandgasjournal.com/cyber-security-and-pipeline-control-system