Malware targeting Siemens SCADA

Date: 20 July 2010


Updated 21/07/2010 - see reference 19 for information from Siemens.

Updated 22/07/2010 - see What is the potential impact for SCADA and other Microsoft systems?

Updated 23/07/2010 - New information from Symantec about malware functionality; see reference 22. Siemens has released a Simatic security update and a tool to detect the Stuxnet malware; see updated reference 19.

Updated 29/07/2010 - New information from Symantec about malware functionality; see references 12 and 22.

Updated 3/08/2010 - Microsoft has released an out-of-band patch to correct the .LNK vulnerability today (AEST); see new reference 23.

Updated 16/09/2010 - Microsoft has released a patch to correct a second zero-day vulnerability that was exploited by the Stuxnet malware and has advised of two further, less serious zero-day vulnerabilities which remain unpatched; see new reference 24. Siemens has now advised of 15 known cases of its platform being compromised by this malware (as at 7 September 2010). [19]

Summary

This blog has been updated on many occasions since it was first published on 20 July 2010 as new and interesting developments have emerged. These developments demonstrate that the attacker is well-resourced and sophisticated, and may herald the emergence of new, more ominous cyber threats. Key points which support this assessment are:

  • the use of four zero-day vulnerabilities, of which two have since been patched, and at least one other older vulnerability indicates considerable investment of research time and/or dollars to find effective methods of exploitation;

  • the use of software digital certificates, which appear to have been stolen from two Taiwanese-based companies, for the purpose of "signing" parts of the malware code;

  • the malware had been around for about 12 months before it became well known publicly, demonstrating long-term activity by the attacker. Industries with the affected Siemens software should assess whether they may already have been exposed to harmful system interference by the malware before knowledge of it was made public in June 2010;

  • the functionality of the malware indicates a high level of knowledge of the Siemens systems themselves;

  • the malware's functionality to steal and exfiltrate configuration and database information, and to control and modify the function of the software's programmable logic controllers, indicates that espionage and/or sabotage was the goal. Industries that deploy the targeted Siemens software should also consider the potential for harm to public safety and health in the event that the malware was able to modify critical system processes;

  • although there have been other cases of attackers compromising SCADA systems, with both intended and unintended consequences, this appears to be the second case of a targeted attack on a SCADA system using malware built for that purpose. [28]

Background

Siemens has recently confirmed that malware is targeting two of its SCADA products. [1]

On 17 June 2010, a Belarusian anti-virus company, VirusBlokAda, reported that it had discovered a previously unknown bug in the Microsoft Windows 7 operating system which was being actively exploited by malware. [2] At the time, AusCERT was unable to confirm the credibility of the report in relation to either Microsoft or the malware itself.

Since then, Microsoft has confirmed that this vulnerability exists and has released Security Advisory 2286198. [3] At the time, AusCERT reported that some SCADA products may be affected by this vulnerability, [4] but until recently only a few of the AV vendors that had analysed the malware confirmed this.

Information about the malware has been passed to anti-virus companies, and detection of the malware, commonly referred to as Stuxnet, [5] has improved considerably since it was first discovered in June. Although the malware contains a rootkit, Microsoft and other AV vendors report that their products are still able to detect it. [6]

Which products are affected?

The vulnerability in the Windows Shell (explorer.exe) affects the following operating systems:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008

Note that unsupported Microsoft operating systems, such as Windows 2000, are also affected.

Once installed, the malware looks for specific Siemens Supervisory Control and Data Acquisition (SCADA) applications.

A security researcher, Frank Boldewin, reported that the malware targets SIMATIC WinCC.[7] Symantec [8] has confirmed from its analysis that the malware targets Siemens’ SIMATIC Step7 [9] and now Siemens has confirmed the malware targets both its WINCC and PCS7. [10]

Microsoft has since advised (13 September 2010) of three further vulnerabilities that are exploited by the malware: one has since been patched, and two local privilege escalation vulnerabilities are currently (16 September 2010) unpatched. [24] The fact that the attackers were aware of, and were able to exploit, so many zero-day vulnerabilities is a further indication that they had considerable planning resources at their disposal.

Symantec has also reported that in addition to the four zero-day vulnerabilities (two of which have since been patched), the malware also exploited some older vulnerabilities. [25]

How does it propagate?

The malware propagates by removable media and Windows file shares.

What is the potential impact for SCADA and other Microsoft systems?

The full capability of this malware and the attacker's objectives are continuing to emerge and be assessed as new analysis becomes available. While it is concerning that the malware reportedly targets specific Siemens SCADA products, the real impact, in the event the malware remained undetected, depends on the criticality and nature of the infected systems deployed and on how the attacker chooses to manipulate the systems affected by the malware.

Fortunately, these impacts do not appear to have been realised and remain in the realm of assessment and speculation. Siemens has reported that to date (7 September 2010) it is aware of 15 cases of its software being affected by the malware, but as yet with no adverse impact. [19]

Siemens has now confirmed (dated 21 July 2010) from its tests that the malware is capable of sending process and production data.[13]

Symantec (dated 22 July 2010) has announced that the malware "is able to alter any data that is being accessed or requested by the application", which we take to mean the Siemens WinCC or Step 7 applications. Symantec also states that some functions "appear to relate to reading, writing, finding, and deleting blocks" and that it is conducting further analysis "to determine the attacker's intentions" based on the functionality of the malware. [22]

It appears, therefore, that the malware has a broad range of functions (including read and write). Ultimately, which of these functions are utilised would depend largely on the attacker once he/she has control of the system. Symantec has confirmed that the malware can "obtain files and run various queries to collect information. It may also gather other information relating to servers and the network configuration." Symantec (29 July 2010) has also stated that the main goal of the malware is:

to steal SCADA related design plans and to hook specific SCADA related functions to perform malicious tasks. [12]

While initial analysis indicated this was likely to be for industrial espionage purposes, [11] it is now clear that the malware allows for a range of possible actions, including espionage and sabotage. AusCERT supports assessments [14] that SCADA systems, being systems that control remote devices which in turn control or monitor critical systems, are more likely to be used for sabotage, disruption and denial of service of critical services. Attacks on SCADA systems would generally not be regarded as an ideal method for gathering useful competitive intelligence (i.e. espionage).

Further analysis reported by Symantec (14 September 2010) demonstrates that the malware's functions involve more than just industrial espionage. Symantec has stated:

[...] the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs [programmable logic controllers] to work for them, and then they send code to the infected machines that will change how the PLCs work".

The threat's ability to control physical machinery is what sets it apart from any other threat we have seen to date and is the aspect of the threat that we find most concerning. [26]

Espionage, or intelligence gathering, is often a precursor to other operations which could potentially be more harmful than the espionage by itself. Sabotage can also have different objectives and levels of harm. It can be designed simply to disrupt the successful operation of a system for various reasons, such as to gain competitive advantage or, for political motives, to disrupt an activity perceived to be undesirable; or, depending on the system being sabotaged, it may be intended to cause widespread physical harm to people or property. The deployment and use of Siemens Simatic WinCC and Step 7 software is diverse. For example, according to Siemens, it can be used to manage industrial machines that build products, to mix and manufacture food, drugs, cosmetics and chemicals, and to monitor energy use, amongst many other uses. [27] In the case of SCADA systems involved in the manufacture of food, chemicals or pharmaceuticals, manipulation of production by the malware could jeopardise public health and safety.

In a new analysis of the malware, Ralph Langner advises that its function points primarily to sabotage. [29]

Symantec reported (29 July 2010) that less sophisticated variants of the malware had been developed by the attackers since 2009, [22] well before the malware was detected and analysed by VirusBlokAda in June 2010.

With the deregistration of the command and control server domains, the full intention of the attacker may never be known. However, the development of malware that specifically targets SCADA systems may herald a new, more ominous threat.

Siemens has also stated that it is still investigating if the malware is capable of sending, modifying (or deleting) systems data.[13]

Until such investigations by Siemens and Symantec are completed, it is important for all operators that use these applications to keep an open mind about the potential impacts of the malware and to make their final assessment based on their particular knowledge of their systems: their criticality, the nature of the information which may be captured (i.e. process, production or systems data) or modified by the malware, and the associated consequences.

Similarly, the reported use of a hard-coded password in the Siemens product, which the malware is reported to exploit,[15] may also present opportunities for other attackers, including trusted insiders.

Siemens has reported that it is investigating improving the authentication method which enables the affected WinCC application to connect to the associated Microsoft SQL database.[13]

There are, of course, infected Microsoft systems that do not have SCADA applications installed, and the potential for these systems to be maliciously exploited also remains, particularly now that other exploit code has been released which other attackers may seek to capitalise on. [16]

How can it be detected and mitigated?

Currently, the malware is detected by most anti-virus products despite the rootkit functionality within the malware.

The malware creates the following registry keys and system files, which its rootkit hides:

  • HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
  • HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
  • %SystemRoot%\system32\drivers\mrxcls.sys
  • %SystemRoot%\system32\drivers\mrxnet.sys

Look for outbound connections to the following domains:

www.mypremierfutbol.com
www.todaysfutbol.com

Not all infections may necessarily attempt to connect to these domains. These domains are now deregistered.
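As an added defensive check (not code from AusCERT, Microsoft or any AV vendor), the following Python scans constructed proxy/DNS log lines for the two C2 domains and an offline registry/driver inventory for the hidden MRxCls/MRxNet artifacts listed above; flagging the bare domain without the www. prefix is an assumption that goes slightly beyond the advisory's list.

```python
import re

# Indicators as listed in the advisory above.
C2_DOMAINS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}
BASE_DOMAINS = {d[4:] for d in C2_DOMAINS}   # assumption: bare domain also flagged
SERVICE_NAMES = {"mrxcls", "mrxnet"}          # ...\Services\MRxCls and \MRxNet
DRIVER_FILES = {"mrxcls.sys", "mrxnet.sys"}   # %SystemRoot%\system32\drivers\
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#\s]+)", re.I)
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\\s]+)\s*$", re.I)

def _hosts_in_line(line):
    """Yield each host-like token: the host part of a URL or a bare hostname."""
    for tok in line.split():
        m = URL_RE.match(tok)
        host = (m.group(1) if m else tok).lower().rstrip(".")
        if HOSTNAME_RE.match(host):
            yield host

def c2_hits(log_lines):
    """Return (line_number, host) for every line referring to a listed C2 domain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in _hosts_in_line(line):
            bare = host[4:] if host.startswith("www.") else host
            if host in C2_DOMAINS or bare in BASE_DOMAINS:
                hits.append((n, host))
    return hits

def rootkit_artifacts(inventory_lines):
    """Return ("service", name) or ("driver", file) for inventory lines naming the
    hidden artifacts. The rootkit hides them on a live system, so feed this an
    offline hive export or a file listing taken after booting from clean media."""
    found = []
    for line in inventory_lines:
        s = line.strip()
        m = SERVICE_KEY_RE.search(s)
        if m and m.group(1).lower() in SERVICE_NAMES:
            found.append(("service", m.group(1)))
            continue
        basename = s.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in DRIVER_FILES:
            found.append(("driver", basename))
    return found

# Constructed sample input (not real logs): proxy/DNS records and an offline inventory.
SAMPLE_LOG = """\
2010-07-20T09:58:11 10.1.5.23 GET http://www.siemens.com/ 200
2010-07-20T09:58:40 10.1.5.23 GET http://www.mypremierfutbol.com/ 200
2010-07-20T10:02:07 10.1.5.40 query A www.todaysfutbol.com
2010-07-20T10:03:09 10.1.5.41 GET http://www.todaysfutbol.co.uk/ 200""".splitlines()
SAMPLE_INVENTORY = r"""
HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
C:\WINDOWS\system32\drivers\mrxsmb.sys
C:\WINDOWS\system32\drivers\mrxnet.sys""".strip().splitlines()

if __name__ == "__main__":
    print(c2_hits(SAMPLE_LOG))                  # [(2, 'www.mypremierfutbol.com'), (3, 'www.todaysfutbol.com')]
    print(rootkit_artifacts(SAMPLE_INVENTORY))  # [('service', 'MRxCls'), ('driver', 'mrxnet.sys')]
```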

Microsoft recommends [17]:

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Windows Live OneCare safety scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Other anti-virus vendors, such as Sophos, Trend Micro, McAfee and Symantec, have provided tools for detection and removal. [18]

Users of the affected Siemens products should contact Siemens for specific mitigation and product hardening advice and refer to its announcement about this issue. Siemens has released (22 July 2010) a security update for its Simatic product, and a malware detection tool, arising from this matter. [19]

Prevention

The malware relies on the vulnerability in Microsoft Windows Shell (and other vulnerabilities outlined above). Therefore it is important to mitigate the affected operating system vulnerabilities as soon as possible, as outlined in Microsoft Security Advisory (2286198), published by AusCERT in its ESB-2010.0628.[20]

In addition to the workarounds recommended by Microsoft, Sophos recommends that corporate environments set up a Windows group policy object which prevents executables from running from drives other than the C: drive. [21]

The malware spreads by infected USB devices and Windows file shares. Although, in this case, the USB infection does not rely on the auto-run feature of the Microsoft operating system, disabling auto-run on critical systems is still recommended to restrict end-users' free use of such devices and to prevent other auto-run-based malware from executing automatically.

More important in the context of this particular vulnerability and threat is to have established strict policies and procedures for the use of USB devices on business-critical systems.

Of course, it will be critical to patch these Microsoft products as soon as Microsoft releases a patch.

Users of the Siemens products affected should contact Siemens for specific mitigation and product hardening advice. Siemens has released (22 July 2010) a security update for its Simatic product, and a malware detection tool, arising from this matter.[19]

[1] http://www.sea.siemens.com/us/News/Industrial/Pages/WinCC_Update.aspx

[2] http://www.wilderssecurity.com/attachment.php?s=854d3dd5d172daa268b846ab706179c6&attachmentid=219888&d=1279012965

[3] http://www.microsoft.com/technet/security/advisory/2286198.mspx

[4] http://www.auscert.org.au/render.html?it=13075

[5] http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3#readmore
    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FStuxnet.A

[6] http://www.symantec.com/connect/blogs/w32temphid-commonly-asked-questions

[7] http://www.wilderssecurity.com/showthread.php?p=1712146
    http://www.reconstructer.org/main.html

[8] http://www.symantec.com/connect/blogs/w32temphid-commonly-asked-questions

[9] https://www.automation.siemens.com/mcms/simatic-controller-software/en/step7/Pages/Default.aspx

[10] http://www.sea.siemens.com/us/News/Industrial/Pages/WinCC_Update.aspx

[11] http://www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware
    http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+KrebsOnSecurity+%28Krebs+on+Security%29

[12] http://www.symantec.com/connect/blogs/w32temphid-commonly-asked-questions (dated 16 July 2010)
    http://www.symantec.com/connect/blogs/w32stuxnet-variants (dated 29 July 2010)

[13] http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view

[14] http://motherjones.com/kevin-drum/2010/07/scada-phobia

[15] http://www.wired.com/threatlevel/2010/07/siemens-scada/
    http://www.f-secure.com/weblog/archives/00001987.html

[16] http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=226000012

[17] http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FStuxnet.A#techdetails_link

[18] http://www.sophos.com/security/analyses/viruses-and-spyware/w32stuxnetb.html
    http://www.sea.siemens.com/us/News/Industrial/Pages/WinCC_Update.aspx

[19] http://www.sea.siemens.com/us/News/Industrial/Pages/WinCC_Update.aspx
    http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view

[20] http://www.auscert.org.au/13075

[21] http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+ChetBlog+%28Chet%27s+Blog%29

[22] http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components (dated 22 July 2010)
    http://www.symantec.com/connect/blogs/w32stuxnet-installation-details (dated 20 July 2010)
    http://www.symantec.com/connect/blogs/w32stuxnet-network-information (dated 22 July 2010)
    http://www.symantec.com/connect/blogs/w32stuxnet-network-operations (dated 25 July 2010)
    http://www.symantec.com/connect/blogs/w32stuxnet-variants (dated 29 July 2010)

[23] http://www.auscert.org.au/13138

[24] http://blogs.technet.com/b/msrc/archive/2010/09/13/september-2010-security-bulletin-release.aspx (dated 13 September 2010)
    http://www.auscert.org.au/13335 (dated 15 September 2010)

[25] http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities (dated 14 September 2010)

[26] http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems (dated 14 September 2010)
    http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute7.xml

[27] Siemens product search

[28] The first case was a trojan that the CIA installed in control software for a gas pipeline, which the CIA knew the USSR was planning to steal. Once deployed, the malware was programmed to change the pressure in the gas pipeline, which subsequently caused a major explosion of the Trans-Siberian pipeline in 1982. See Thomas Reed's book At the Abyss. For details see: http://pipelineandgasjournal.com/cyber-security-and-pipeline-control-system

[29] http://www.langner.com/en/index.htm