Details of the first-ever control system malware (FAQ)
July 21, 2010 4:00 AM PDT
by Elinor Mills
India, Indonesia and Iran are getting hit the most by the Stuxnet worm.
The security world is aflutter over new malware that has been spreading via USB devices and is programmed to steal data from systems running specific software used in utilities and industrial manufacturing plants.
There are a lot of moving parts to this story so we've decided to break them down and tell you what is happening and how it impacts you.
What is the malware exactly?
The attack involves several components: a worm that spreads via USB drives and exploits a previously unknown vulnerability in Windows and a Trojan backdoor that looks to see if an infected machine is running a specific type of software created by Siemens used in control systems including industrial manufacturing, utilities and even nuclear powered aircraft carriers.
The worm, dubbed Stuxnet, propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files, ending in ".lnk," according to a Microsoft Malware Protection Center blog post. Merely browsing to the removable media drive using an application that displays shortcut icons, such as Windows Explorer, will run the malware without the user clicking on the icons. The worm infects USB drives or other removable storage devices that are subsequently connected to the infected machine. Those USB drives then infect other machines much like the common cold is spread by infected people sneezing into their hands and then touching door knobs that others are handling.
The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using a digital certificates signed two Taiwanese chip manufacturers that are based in the same industrial complex in Taiwan--RealTek and JMicron, according to Chester Wisniewski, senior security advisor at Sophos. (Sophos has posted a video showing how a computer is infected on YouTube.) It is unclear how the digital signatures were acquired by the attacker, but experts believe they were stolen and that the companies were not involved.
Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens' Simatic WinCC software. The malware then automatically uses a default password that is hard-coded into the software to access the control system's Microsoft SQL database. The password has been available on the Internet for several years, according to Wired's Threat Level blog.
The malware is stealing industrial automation layout design and control files specific to control systems, said Kevin Haley, director of Symantec Security Response. Once the malware locates the data it is looking for it encodes it and attempts to upload it to a remote server. The malware waits for a response from the server, which may contain more commands, he said.
When did this problem arise?
Microsoft said it suspects that Stuxnet has been active for at least a month or more. An antivirus vendor in Belarus called VirusBlokAda said it discovered the malware in June. Researchers have provided technical details in this paper.
Microsoft released a security advisory on the issue on Friday, saying it had seen limited, targeted attacks using the exploit. Proof-of-concept exploit code for the Zero-Day Windows hole was publicly released over the weekend, and a tool to mitigate the attacks was then released by security researcher Didier Stevens.
The attack was first reported on the Krebs on Security blog.
Who is impacted?
The top countries being affected by this attack are India, Indonesia and Iran, while the U.S. is in the top 6, according to Symantec.
How widespread is it?
Siemens doesn't know how many systems have been affected but has learned of one infection at a Germany customer site that resulted in no damage, said spokesman Michael Krampe. "We do not have any indication that WinCC users in other countries have been affected," he said in a statement on Tuesday.
Since control systems are typically not connected to the Internet, USB drives are a logical way to try to infect them. However, plant operators tend to restrict access to critical control system data via USB drives to prevent security compromises, said Krampe.
Meanwhile, Symantec researchers said they are seeing between 8,000 and 9,000 infection attempts a day.
What does it mean for consumers?
Infected computers that are not running the Siemens software will merely spread the worm to USB devices that are plugged into the computer thereafter until the infection is cleaned up. However, there is the risk is that someone else will use the exploit to distribute malware that is more dangerous and which will target systems other than those running the Siemens software, Wisniewski said.
Is there a fix?
The worm is detected by the major antivirus software and update-to-date virus signatures are being tested by Siemens and should be approved for use by the end of the week, Siemens' Krampe said. Siemens is working on a security update for its Simatic software to address the issue and will provide a software tool this week that customers can use to check for the virus on their PCs. Customers should check the Siemens support site for updates.
Microsoft is also working on a patch and has provided instructions for a workaround in a security advisory, in the meantime. The workaround includes disabling the display of icons for shortcuts and disabling the WebClient service. Microsoft is no longer providing support for Windows XP SP2 and Windows 2000 and therefore will not be providing patches for them. So computers running those versions of Windows will be vulnerable until they are upgraded to newer versions.
The Microsoft workaround protects computers from being infected by the worm, however it changes all the desktop icons into generic white paper icons which may cause confusion for many non-tech savvy users, Wisniewski of Sophos said. He goes into more detail and provides a screen shot in this blog post.
Businesses with IT staff will be better able to handle the workaround and can adopt other fixes, such as setting Windows to not allow any files to execute that are not on the C Drive, which would prevent the computer from running software on USB drives, Wisniewski said.
Microsoft and VeriSign have also revoked the digital certificate used to sneak the rootkit onto computers but Sophos' Wisniewski said in his tests the malware still loads up with no warning to the user despite the revocation.
How serious is this?
The attack poses greater risk for operators of control systems and moves such direct cyberthreats from the realm of theory into reality, experts say. "Finding an exploit in the wild is a major eye opener," one control system expert said. "This is a very well thought out exploit."
"This is the first case we know of where there is a very well-constructed intentionally targeted virus aimed at industrial control system applications," said Joe Weiss, author of "Protecting Industrial Control Systems from Electronic Threats" and a longtime control system security gadfly.
Meanwhile, this type of attack is not even addressed in the industry guidelines--called NERC CIP, which stands for "North American Electric Reliability Corp. critical infrastructure protection" standards, illustrating that the industry is ill-prepared to protect against such threats, Weiss said.
There has been malware that affected control systems previously, such as the 2004 SQL Slammer worm, but none that was written specifically to attack such systems, said Jonathan Pollet, founder of Red Tiger Security, a critical infrastructure consultancy.
"The attackers could be looking for installations where the Siemens software is present, or they could be looking to do a secondary attack on those systems," Pollet said. "The big question is who is funding this effort?"
The Internet Storm Center raised its Infocon threat level to "Yellow" on Monday because of the worm. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time," the group wrote in a blog post. "The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, antivirus tools' ability to detect generic versions of the exploit have not been very effective so far."
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released its advisory (PDF) on the threat on Tuesday.
What about changing those default Siemens passwords?
Siemens spokesman Krampe says don't do it. Changing the password would interrupt communications between the WinCC software and the database and interfere with the operations. Siemens is examining ways to increase the security of the authentication procedures, he said.
Using hard-coded passwords is done across the control systems industry, said Weiss.
"What happens if you forget your password? It's the OnStar for control systems," he said. "You can't afford to just have the system totally locked up...vendors also want to be able to track their equipment in the field and provide remote maintenance."
Who is behind this and why are they doing it?
Industrial espionage appears to be the motivation because of the type of data being stolen, but it's unclear who is behind the attack. Industrial espionage has been a concern for years but intensity has ramped up since attacks on Google and other companies last year that Google said originated in China and targeted source code.
This could cause some pretty heavy damage to a country if directed against nuclear power plants or control systems managing the electricity or water grids. Do you see cyber warfare as a potential source of threat to global peace in the future? How will a country respond to a major attack when it usually takes a considerable amount of time to trace the whereabouts of the attacker.
Cyberwar: War in the fifth domain
The threat from the internet: Cyberwar