Malware Affecting Siemens WinCC and PCS7 Products (Stuxnet )

Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability.

• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
• The malware is propagated via USB key. It may be also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The only known work arounds are:
• NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
• Disable the displaying of icons for shortcuts (this involves editing the registry)
• Disable the WebClient service

Byres Security Inc.

Until Siemens and Microsoftprovide formal patches to address this vulnerability, there are several countermeasures that are worth mentioning to either eliminate or contain the worm from infecting your systems. Realize that each of your systems are unique, and that the following strategies are only provided as guidance. As with any production control system, extreme care should be taken when making modifications. Ideally, these changes should be implemented and tested on an offline system before moving to your production environment.

1) Make sure that all of your host-based firewalls and anti-virus/anti-malware applications are patched, and run a full-scan when convenient. MS is providing signatures with their Security Essentials, Forefront Client Security, Live OneCare, Forefront Threat Management Gateway, and Live Safety Platform product. Unfortunately, these are not typically installed in the PCS7/WinCC environment.

2) Disable all USB drive access on any computers connected to the control system network. I realize that this may be inconvenient, but at this time, it is important to eliminate the potential for infection. Once a computer has been scanned and determined to be free from infection, you can use network shares to exchange files/data instead of removable media. This is a 2 step process, requiring you to perform registry modifications to prevent (1) future USB storage devices from loading, and (2) prevent previously installed USB storage devices from loading.

3) Since this worm allows backdoor access and control, it is extremely important that you disable outbound connections on the Firewall that connects the control systems network/DMZ to any upper level business or corporate network. This worm appears to be targeted at control systems, so this countermeasure should be implemented immediately and discussed with your management. This is something that I discuss at lengths when presenting cyber security tactices, because many people only restrict "inbound" access from the corporate network to the control system’s network and do nothing with "outbound" traffic. If you deny all outbound traffic, you can prevent the worm from initiating its connection with an external server. This may cause some inconvenience, but again, until the patch is released, this is a critical feature.

4) If outbound connections are absolutely necessary, then make sure to limit the number of ports and protocols allowed to pass through the Firewall, and be sure to block all access to the following websites:
www.mypremierfutbol.com
www.todaysfutbom.com

5) Of course, I have to advocate least-privileged user account (LUA) on your systems. This can be very inconvenient at this time, but is something that should be done. One attack vector that is commonly used exploits the fact that most people log on to their Windows XP machines under an “administrator” account. This should be changed as part of a larger security program.

6) One additional countermeasure that has been proven to be effective is to deploy a GPO which disallows the use of executable files that are not on the system drive (C: in most cases). If you have to run executables from networks drives (this is quite rare), the GPO can be adjusted to allow execution from the specific network paths that you require.

7) There are additional countermeasures that are suggested for this vulnerability that add to the defense-in-depth strategy, including the disabling of icons on shortcuts (which also prevents the malicious code from initially executing), which can impact other functionality, and disabling the WebDAV services, whichI do not endorse the modfication of services within a control environment without further approval from Siemens Technical Support.

Hopefully, these suggestions are helpful until a more permanent solution is available.

Good luck,
JOEL
Security Consultant - CCNA, CEH
joel.langill@englobal.com

Hello all,

The patch is already available from Siemens:
https://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view

The patch is not elegant. The patch will disable the icons from being displayed so I would suggest installing the patch on a test computer before installing it in production environment. During the patch installation you will get the following message:

Microsoft Security Advisory(2286198)
Do you want to apply the workaround for "Microsoft Security Advisory (2286198)"? (Vulnerability in Windows Shell Could Allow Remote Code Execution)
Impact of workaround:
Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcuts files and Internet Explorer shortcuts will not long have an icon displayed. Yes / No buttons.

I am not security expert but I thinkthis vulnerability is utilized by another Malware, Troj_VB.JUC (AVG). It usually gets installed on the USB Stick in the following hidden folder \ice\fire\traymgr.exe.

I would strongly test the patch on a test machine before installing it on PCS7 system in production environment.

Regards

Link: http://www.informit.com/articles/article.aspx?p=1636983

--Stuxnet Designed to Cause Damage to Specific Systems

(September 21 & 22, 2010)

Emerging analysis of the Stuxnet worm indicates it was designed to

attack supervisory control and data acquisition (SCADA) systems rather

than steal company secrets. Researchers have noted that Stuxnet was

created to attack specific configurations of Siemens Simatic SCADA

system software, leading some to speculate that the worm's creators had

specific targets in mind. In particular, some believe the worm was

created to cause damage at Iranian nuclear facilities.

http://www.wired.com/threatlevel/2010/09/stuxnet/

http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant

http://www.theregister.co.uk/2010/09/22/stuxnet_worm_weapon/

http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html

[Editor's Note (Paller): Gary McGraw describes what he learned about the

internal workings of Stuxnet in a briefing he called "Stunning. And

awful." Stunning. And awful."

http://www.informit.com/articles/article.aspx?p=1636983

(Honan): Symantec has a good write up of this worm at

http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process.]

CS Moderator

Dear Users,

allow me to call your attention to the following articel published within the Product Support: Current information on malware in connection with Simatic Software

Best regards
CS Moderator

JasonSmith

I've also read the news here: Duqu virus uses Stuxnet DNA to mine industrial data and it is really alarming because the virus was intended to mine information from European commercial computers.