Entry type: Product note, Entry ID: 43876783, Entry date: 04/01/2011

SIMATIC WinCC / SIMATIC PCS 7: Information about Malware / Viruses / Trojan horses


Here we provide information about the latest developments and the measures recommended by Siemens for handling Stuxnet.
 


Current status of infected computers (updated 11.03.2011)
To date a total of 24 Siemens customers in the industrial sector worldwide have reported being infected with the Trojan horse. The malware could be removed in all cases. In none of these cases did the infection have an adverse impact on the automation solution.

 

Recommended procedure to identify and remove a Stuxnet infection

We recommend examining the following types of computers:

  1. Embedded systems (e.g. Microbox)
  2. Other computers
    • Infrastructure computers (file servers, domain controllers, other servers...)
    • Computers with and without WinCC installation
    • Virtual machines (e.g. VMware installations)

Proceed as below to implement the various measures.

Important
Always make a backup of ZIP files before scanning. ZIP files of > 1 MB should be unpacked before scanning to ensure that the data they contain is scanned.

A) Embedded systems
These systems must be scanned from a second, non-embedded computer via shared drives.

  1. Update the second computer as described under "B) Other computers" to prevent mutual reinfection, then map the shared drives of the embedded system on the second computer.
  2. Open Windows Explorer on the second computer, right-click the mapped network drives and start the virus scan.

B) Other computers:

  1. Determine whether your Microsoft Windows computer is infected

    • Use the Sysclean virus scan tool or the antivirus programs from Trend Micro, McAfee and Symantec that are approved by Siemens, with pattern files dated 25.07.2010 or later.
    • IMPORTANT:
      For this first, diagnostic scan, disable the "Automatically Clean Infected Files" function of the virus scanner. Cleaning is performed in step 2, after Siemens Customer Support has been informed.

  2. If a virus is detected, proceed as follows.
If your computer is infected, always inform Siemens Customer Support and work out the next steps for your computer installation and for your plant together:
  • Install the Microsoft Patch.
  • Disconnect the computer immediately from the network.
  • Create a standard user account, but remain logged on with administrator rights to run the Sysclean tool and the SIMATIC Security Update.
  • Clean the computer using Sysclean with the "Automatically Clean Infected Files" function enabled.
  • Install the SIMATIC Security Update.
  • Restart the computer and log on as the standard user.
  • Re-run the virus scan with the virus scanner you have installed, and leave the virus scanner running permanently.
  • Unpack packed files (ZIP files, for example) into a separate directory before the scan; see the note on packed files under "Further technical information" below.
  • Reconnect the computer to the network.


The following security precautions also apply:

  • All data exchange with the outside world must be checked and cleaned (customer data, USB devices, other removable media).
  • Where possible, do not use third-party USB sticks or other mobile data carriers.
  • Always review the plant security concept; for example, disable or uninstall services that are not needed.
  • Installation of the Microsoft Patch is recommended for the operating systems listed by Microsoft.

 

Further technical information
Important note on the use of virus scanners for packed files
Please make sure that you unpack packed files, ZIP files for example, into a separate directory before running a virus check. Depending on the virus scanner's settings, packed files may not be scanned thoroughly; unpacking them ensures that every contained file is checked by the scanning engine.
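The note above says to unpack archives into a separate directory before scanning, but a careless unpacker is itself an attack surface: an archive can contain members that write outside the target directory ("../evil.exe") or that inflate to many gigabytes. The following Python script is an added example, not code from this Siemens note or from any Siemens tool; it unpacks a ZIP (and any ZIPs nested inside it) into a separate directory while refusing traversal members and enforcing a size budget. The 2 GiB budget, the nesting limit and the sample archive it builds are constructed assumptions for the demonstration.

```python
import tempfile
import zipfile
from pathlib import Path

MAX_TOTAL_BYTES = 2 * 1024 ** 3   # assumed budget: stop once an archive inflates past 2 GiB
MAX_DEPTH = 4                     # assumed limit on archives nested inside archives


class UnsafeArchive(ValueError):
    """Raised when an archive blows the size budget or nests too deeply."""


def unpack_for_scan(archive, dest, depth=0, log=None, budget=None):
    """Unpack `archive` below `dest` so the virus scanner sees every contained file.

    - members whose path would escape `dest` (e.g. '../evil.exe' or an absolute
      path) are skipped and recorded in `log` instead of being written;
    - bytes are counted while copying, not read from the ZIP header, so a
      forged header cannot bypass the size budget (zip-bomb guard);
    - nested ZIPs are unpacked into '<name>.d' next to themselves, up to MAX_DEPTH.
    Returns the list of extracted file paths.
    """
    if depth > MAX_DEPTH:
        raise UnsafeArchive(f"{archive}: nested deeper than {MAX_DEPTH} levels")
    log = [] if log is None else log
    budget = [MAX_TOTAL_BYTES] if budget is None else budget   # shared across recursion
    archive, dest = Path(archive), Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if dest not in target.parents:
                log.append(f"{archive.name}: skipped member {info.filename!r} (escapes {dest})")
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(64 * 1024):
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise UnsafeArchive(f"{archive.name}: exceeds {MAX_TOTAL_BYTES} byte budget")
                    dst.write(chunk)
            written.append(target)
            if zipfile.is_zipfile(target):   # archive inside the archive: unpack it as well
                written += unpack_for_scan(target, target.parent / (target.name + ".d"),
                                           depth + 1, log, budget)
    return written


def build_sample(tmp):
    """Constructed test input (not a real sample): a ZIP holding a normal file,
    a nested ZIP and a path-traversal member."""
    tmp = Path(tmp)
    inner = tmp / "inner.zip"
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("nested/tool.exe", b"MZ-placeholder")
    outer = tmp / "outer.zip"
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.write(inner, "inner.zip")
        zf.writestr("../evil.exe", b"MZ")   # must never land outside the target directory
    return outer


def demo(tmp=None):
    """Unpack the sample archive; return (relative paths extracted, log lines)."""
    if tmp is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    tmp = Path(tmp).resolve()
    out = tmp / "unpacked"
    log = []
    files = unpack_for_scan(build_sample(tmp), out, log=log)
    return sorted(p.relative_to(out).as_posix() for p in files), log


if __name__ == "__main__":
    files, log = demo()
    print("\n".join(files))
    print("\n".join(log))
```

Point the virus scanner at the output directory afterwards; the log lists every member that was refused, which is itself worth a look, since a legitimate software archive has no reason to carry traversal members.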
 
Information about the SIMATIC controllers CPU 315-2 and CPU 417
CPU 315-2: The malware carries its own blocks (for example DB890, FC1865 and FC1874) and tries to load them into the CPU 315-2 and integrate them into the program sequence. If blocks with these numbers are already present in the project, the malware does not infiltrate the user program. If these blocks were not part of the original program of the CPU 315-2 and are now found on the CPU, the system is infected; in this case it is urgently recommended to restore the plant control system to its original state.
CPU 417: If the project already contains a DB8061, the malware may modify it on download. If there is no DB8061 in the project, no action is needed.
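As an added example, and not code from this Siemens note or a description of how STEP 7 performs its own online/offline comparison, the following Python script applies the two checks above to block inventories: the list of blocks in the original project versus the blocks read back from the CPU. The only facts taken from the note are the block numbers (DB890, FC1865 and FC1874 for the CPU 315-2, DB8061 for the CPU 417). The block lists and per-block checksums in the script are constructed test data, and the checksum is assumed to be any per-block fingerprint the user exports; it is treated as an opaque string.

```python
# Indicators named in the Siemens note.
STUXNET_BLOCKS_315 = {"DB890", "FC1865", "FC1874"}   # blocks the malware adds to a CPU 315-2
STUXNET_TARGET_417 = "DB8061"                        # block the malware may modify on a CPU 417


def normalize(name: str) -> str:
    """Canonicalise block names so 'db 890', 'DB890' and 'Db890' compare equal."""
    return name.replace(" ", "").upper()


def check_cpu315(project_blocks, online_blocks):
    """CPU 315-2: the indicator is the presence on the CPU of the named blocks
    when they were not part of the original project.

    project_blocks, online_blocks: iterables of block names.
    Returns (verdict, blocks) with verdict in {"infected", "clean", "inconclusive"}.
    """
    project = {normalize(b) for b in project_blocks}
    online = {normalize(b) for b in online_blocks}
    found = STUXNET_BLOCKS_315 & online
    injected = found - project
    if injected:
        return "infected", sorted(injected)
    if found:
        # Blocks with these numbers belong to the legitimate project. The note
        # says the malware then does not infiltrate, but presence alone cannot
        # prove the blocks are unmodified, so report it for manual comparison.
        return "inconclusive", sorted(found)
    return "clean", []


def check_cpu417(project_checksums, online_checksums):
    """CPU 417: a DB8061 that already exists in the project may be changed on
    download, so compare the offline and online copies.

    project_checksums, online_checksums: dict of block name -> fingerprint
    (assumed: any per-block checksum the user exports; compared as strings).
    Returns (verdict, reason) with verdict in {"modified", "unchanged", "not_applicable"}.
    """
    project = {normalize(k): v for k, v in project_checksums.items()}
    online = {normalize(k): v for k, v in online_checksums.items()}
    if STUXNET_TARGET_417 not in project:
        return "not_applicable", "DB8061 not in project; no action required"
    if STUXNET_TARGET_417 not in online:
        return "modified", "DB8061 in project but missing on the CPU"
    if project[STUXNET_TARGET_417] != online[STUXNET_TARGET_417]:
        return "modified", "DB8061 differs between project and CPU"
    return "unchanged", "DB8061 identical offline and online"


# ---- constructed sample inventories (test data, not from a real plant) ----
PROJECT_315 = ["OB1", "OB35", "FC1", "FB1", "DB1", "DB2"]
ONLINE_315_INFECTED = PROJECT_315 + ["DB890", "FC1865", "FC1874"]
ONLINE_315_CLEAN = list(PROJECT_315)

PROJECT_417 = {"OB1": "a1", "FC10": "b2", "DB8061": "c3"}
ONLINE_417_MODIFIED = {"OB1": "a1", "FC10": "b2", "DB8061": "ff"}

if __name__ == "__main__":
    print("315-2:", check_cpu315(PROJECT_315, ONLINE_315_INFECTED))
    print("315-2:", check_cpu315(PROJECT_315, ONLINE_315_CLEAN))
    print("417:  ", check_cpu417(PROJECT_417, ONLINE_417_MODIFIED))
    print("417:  ", check_cpu417({"OB1": "a1"}, {"OB1": "a1"}))
```

The "inconclusive" verdict matters in practice: a project that legitimately uses one of these block numbers cannot be cleared by a presence check, and the block contents have to be compared against the original project as well.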
 

Compatibility of the Microsoft updates with SIMATIC applications
The Microsoft Patch KB2347290 has been tested successfully for compatibility with SIMATIC WinCC and SIMATIC PCS 7.
The latest information about other Microsoft updates is available at this link:
/cs/document/18490004?caller=view&lc=de-WW

Security note on Siemens Tecnomatix FactoryLink

  Siemens_Security_Advisory_SSA-630126.pdf ( 70 KB )  

 

Downloads
Tool for identifying and removing Stuxnet
  • Using the Sysclean tool from Trend Micro you can detect whether your computer has been infected with the virus described and remove it.
  • If your computer is infected, please inform Siemens Customer Support. Since each plant is unique, it cannot be excluded that removing the virus has an impact on your plant.
  • Link to the download:

    sysclean.zip ( 4608 KB )    checksum ( 739 bytes )

    Verify the downloaded file against the published checksum before running it, and follow the installation and usage instructions below.

  • When you start Sysclean, a message is displayed (screenshot not reproduced here).
  • Download the latest signature file from Trend Micro and unpack it into the "Sysclean" folder in which you installed "Sysclean":
    TREND MICRO Download Center
SIMATIC Security Update

Notes:

  • Please follow the installation and usage instructions; excerpt:
    "...If you perform the update according to the Microsoft Security Advisory "2286198", then the icons will be replaced with standard Windows icons. Make sure that you assign meaningful names to your desktop links and those in the Windows Start menu to easily recognize them later. After a Microsoft Security Update has been made available you will receive another SIMATIC Security Update to restore the icons..."
  • The SIMATIC Security Update checks whether the Microsoft Security Patch is installed:
    Microsoft Patch installed      => the patch's "delete icons" effect is reversed, so that it is possible to work with the computer normally
    Microsoft Patch not installed  => icon protection is activated, since there would otherwise be no protection
  • Link to the download (updated 24.01.2011, V1.0 SP1):

    SIMATIC_Security_Update_V1_0_SP1.exe ( 9562 KB ) ; checksum ( 755 bytes )

Microsoft Patch for closing the Microsoft security gaps
Microsoft Updates