Byres update over Trojan attack on process control and SCADA system users
6 Aug 2010
London – Byres Security Inc. has updated its recommendations for addressing the SCADA-focused Stuxnet software worm, which has been targeted particularly at Siemens PCS7 control systems. The update is in response to the development of a Microsoft patch for the Stuxnet vulnerability.
A revised white paper “Siemens PCS7 WinCC Malware” is available for download by all Tofinosecurity.com members now, said Eric Byres, chief technology officer of Byres Security. The industrial IT security firm has also started a blog called Practical SCADA Security.
The aim, said Byres, is to provide “clear and simple guidance to our friends and customers when situations like Stuxnet occur. For example, in my next post I will discuss why Stuxnet will infect ALL versions of Windows, including older Windows-NT and Windows 2000 systems.”
The CTO also advises process control systems operators to “check out the blog and tell me what you think of the idea and what topics you would like to see covered in future postings.”
Byres was among the first to warn operators of the process control and SCADA systems about the recent emergence of the potentially serious malware threat.
According to Byres, the malware was designed to steal intellectual property from SCADA and process control systems. Specifically, he said, the malware uses the Siemens default password for the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
Byres Security’s team has been investigating “a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability,” explained the CTO.
The Canadian company also identified a concerted ‘denial of service’ attack against a number of SCADA information networks, such as the SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services offline.
For its part, Siemens said it was notified on 14 July about a Trojan security breach within Microsoft Windows which could potentially affect its Simatic WinCC and PCS7 systems.
According to a Siemens spokesperson, the Trojan, which spreads via USB sticks, can affect Windows computers from XP upward. Siemens recommends avoiding the use of a USB stick, as the Trojan can be activated just by viewing the contents.
As of 21 July, Siemens said it had registered one customer in Germany attacked by the malware. Siemens is taking all precautions to alert its customers to the potential risks of this virus.
The vendor has a team of experts now evaluating the situation. The Siemens team’s efforts include working with Microsoft, the distributors of virus scan programs and the security community to analyse the likely consequences and the exact mode of operation of the virus.
Siemens has also started to develop a solution that can identify and systematically remove the malware.
“We have reached out to our sales team and will also speak directly to our customers to explain the circumstances,” said a Siemens spokesperson. “We are urging customers to carry out an active check of their computer systems with WinCC installations.”
There are already three virus scan programs recommended for Siemens systems, from Trend Micro, McAfee and Symantec, the latest versions of which can detect the Trojan. The effect of deploying these programs on the runtime environment is currently being analysed and an approval will be issued shortly, the company added.
Meanwhile, Siemens pointed out that Simatic WinCC is not managing its systems. As a SCADA system, it noted, Simatic WinCC is mainly used to monitor automated processes in applications ranging from car manufacture through the chemical and pharmaceutical industry to the food & beverage sector.
Back at Byres Security’s HQ in Lantzville, British Columbia, Byres says the attack seems to be “a zero-day exploit” against all versions of Windows, including Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
There are no patches available from Microsoft at this time, said the IT security expert, who added: “This malware is in the wild and probably has been for the past month.
“The known variations of the malware are specifically directed at Siemens WinCC and PCS7 products. The malware is propagated via USB key. It may also be propagated via network shares from other infected computers. Disabling AutoRun does not help. Simply viewing an infected USB using Windows Explorer will infect your computer.”
So far the only known workarounds, continued Byres, are to avoid inserting any USB keys into any Windows system, regardless of the OS patch level or whether AutoRun has been disabled, and to disable the displaying of icons for shortcuts (which involves editing the registry).
Meanwhile, Byres and his team have tried to extract and assemble all the available data into a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks.” This has been posted on a secure area within the Byres Security Inc. website.
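The shortcut-icon workaround described above, as an added example that is not from Byres Security or Siemens: a PowerShell snippet that records, disables and restores the shell’s shortcut icon handler so the change can be audited and reversed. The registry keys and handler CLSID are the ones Microsoft’s advisory workaround used (assumed still accurate; check current vendor guidance), it must run in an elevated PowerShell, and Explorer must be restarted or the user logged off before it takes effect.

```powershell
# Added example (not vendor code): disable the shell's shortcut icon handler,
# the "disable the displaying of icons for shortcuts" workaround.
# Keys are the documented workaround targets for .lnk and .pif files.
$handlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
# Backup location for the original handler values (path is an assumption).
$backupFile = Join-Path $env:ProgramData 'shortcut-iconhandler-backup.json'

function Get-IconHandlerState {
    # Report whether each icon handler is still active (non-empty default value).
    foreach ($key in $handlerKeys) {
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name '(default)' `
                        -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Key     = $key
                Handler = $value
                Enabled = -not [string]::IsNullOrEmpty($value)
            }
        }
    }
}

function Disable-ShortcutIcons {
    # Save current handler CLSIDs first so the workaround can be rolled back.
    Get-IconHandlerState | ConvertTo-Json | Set-Content -Path $backupFile
    foreach ($key in $handlerKeys) {
        if (Test-Path $key) {
            # Blanking the default value stops the shell loading the handler.
            Set-ItemProperty -Path $key -Name '(default)' -Value ''
        }
    }
}

function Restore-ShortcutIcons {
    # Re-enable the handlers from the saved backup once a patch is applied.
    $saved = Get-Content -Path $backupFile -Raw | ConvertFrom-Json
    foreach ($entry in $saved) {
        if ($entry.Handler) {
            Set-ItemProperty -Path $entry.Key -Name '(default)' -Value $entry.Handler
        }
    }
}

# Show the current state before deciding to apply the workaround.
Get-IconHandlerState | Format-Table -AutoSize
```

Once applied, every shortcut shows a generic white icon until Restore-ShortcutIcons is run; that visible change is the expected sign that the workaround is active.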