Skip to Content

Register Login

Industry Online Support

Technical Forum

Navigation

Question about detecting Stuxnet Virus

Created by: hdhosseini at: 10/6/2010 10:09 PM (8 Replies)

Rating (2)

Thanks 1

9 Entries

10/6/2010 10:09 PM	Rate (0)
hdhosseini Diamond Expert Joined: 1/28/2009 Last visit: 5/26/2023 Posts: 6802 Rating: (1345)	Dear experts The Stuxnet virus may change the user program.In offline project, it is possible to check any change in the source of program by block (code) checksum.Is it possible to monitor this value online? Splitted from What is the interaction that there could be between an Audit Trail tool or the Simatic Logon system to detect the Stuxnet virus?.
	Last edited by: O_Moderator at: 10/7/2010 11:26 AM new subject after splitting Demo Channel on Youtube
Suggestion To thank Quote Answer

10/7/2010 3:30 PM	Rate (2)
dmelliot Advanced Member Joined: 9/17/2008 Last visit: 2/20/2023 Posts: 49 Rating: (4)	you can check the checksum with SFC51 using SSL-ID W#16#0232 and index W#16#0004. It will return 80 bytes (for an h-system).

Suggestion To thank Quote Answer
This contribution was helpful to 1 thankful Users hdhosseini

10/13/2010 5:11 PM	Rate (0)
hdhosseini Diamond Expert Joined: 1/28/2009 Last visit: 5/26/2023 Posts: 6802 Rating: (1345)	Hi Dmelliot I tried SFC51 with the mentioned ID and INDEX.I got error 32898 in retval.I will upload the program today and will try another controller.As I checked the description in error meanings the ID and INDEX are not suitable for controller. Best regards hdhosseini
	Demo Channel on Youtube
Suggestion To thank Quote Answer

10/14/2010 6:17 PM	Rate (0)
dmelliot Advanced Member Joined: 9/17/2008 Last visit: 2/20/2023 Posts: 49 Rating: (4)	the error codes are in HEX. 8082h = 32898 in decimal. It means that your SSL-ID is wrong or is unknown to the CPU or SFC. Verify that you entered W#16#232 as the "SZL_ID" (it says SZL_ID on my block...but it is really SSL) Attachment sfc109.pdf (52 Downloads)

Suggestion To thank Quote Answer

10/14/2010 7:31 PM	Rate (0)
gre_m Posts: 947 Rating: (45)	see : /tf/WW/en/Posts/49538#top There is a view that Stuxnet intercepts the request and ensures the correct display of the checksum.
gre_m Posts: 947 Rating: (45)
Suggestion To thank Quote Answer

10/14/2010 8:02 PM	Rate (0)
hdhosseini Diamond Expert Joined: 1/28/2009 Last visit: 5/26/2023 Posts: 6802 Rating: (1345)	hi gre_m do think checking checksum will be helpful? dear dmelliot please check the attachment.job is done successfully. best regard Attachment 1.zip (54 Downloads)
	Demo Channel on Youtube
Suggestion To thank Quote Answer

10/16/2010 8:37 PM	Rate (0)
gre_m Posts: 947 Rating: (45)	hello hdhosseini! checksum to compare with the etalon. Where can you find the etalon, if it is corrupted? Need a "clean", not an infected computer. You can test your program in the presence of certain DB, which should not be in your program (see https: / / www.automation.siemens.com/tf/WW/en/Posts/49538 # top ). If they are, in your proramm they do not, this is strange - possible virus. Check DB can be done with SFC. exuse my english
gre_m Posts: 947 Rating: (45)
Suggestion To thank Quote Answer

10/16/2010 10:21 PM	Rate (0)
hdhosseini Diamond Expert Joined: 1/28/2009 Last visit: 5/26/2023 Posts: 6802 Rating: (1345)	Dear gre_m consider this scenario, the user program is totally static. No DB will be generated in runtime. The hardware and code Checksums are unchanged over a long period of time and comparison Do not return any error. When a system engineer modify the Codes and download it to CPU, the code checksum will alter. The virus injects codes into OB35, If the procedure is like download User codes to CPU the checksum will change. I am unhappy about OB1 and OB35 which are bridged by virus And finally what should be done after threat detection. Best regards hdhosseini
	Demo Channel on Youtube
Suggestion To thank Quote Answer

10/17/2010 10:22 AM	Rate (0)
gre_m Posts: 947 Rating: (45)	hello hdhosseini! If you have been working with the CPU, then you have 99.9% to obtain the correct checksum. 0.1% on the uncertainty - Symantec claims that finds traces Stuxnet in 2009. If I understand correctly Siemens, then if your computer does not WinCC and PCS7, the virus is not activated. Moreover, even if there is a virus and it works, that is, functions and DB with a certain number who simply can not exist in a particular model of the controller - this controller, the virus also are not activated. The presence of these functions and DB, if you did not create them, says the presence of the virus. In this case, Siemens recommends to refer to them. I, too, as you are not satisfied with the possible introduction of the virus in the cyclic OB, and I would like to be able to block unused cyclicOB at HW_config, nice to have the system function test kits address of the interrupt handler program - a self-test. Some steps you can take yourself, based on the evidence of the early posts in the forum. Given the rather exotic way of spreading the virus - via USB - stick, the measures taken "obsessed" with this issue is not worth it. I do treat this issue as an interesting event in the world of windows systems, so watch for it.
gre_m Posts: 947 Rating: (45)
Suggestion To thank Quote Answer

|

Share this page:

Share this page on...

Follow us on