The Stuxnet situation seems to have settled down recently. Industrial Defender has published an update to our whitepaper “The Stuxnet Worm and Options for Remediation” to reflect the latest findings. The bottom line: Stuxnet is a “rootkit” for Siemens S7 PLCs. That is, the worm contains some 70 PLC function blocks and can send some or all of them to PLCs connected to a compromised WinCC host. Further, the worm is able to hide the modified PLC programs from users of compromised WinCC hosts. (more…)
Stuxnet Webinar Attendee Questions, Part 2
A follow-up webinar on the topic of the Stuxnet worm is coming up on August 19, to be presented by Walt Sikora, Industrial Defender’s VP of Security Solutions. Walt will be discussing the worm’s impact on the future of automation systems security. He’ll also walk through a demo of Industrial Defender’s new whitelisting / Host Intrusion Prevention technology. Register for this webinar here.
And from the first Stuxnet webinar – here are the rest of the questions submitted to our panelists and their responses. (more…)
Stuxnet: First SCADA Rootkit
Symantec has confirmed my theory that Stuxnet is able to hide PLC function blocks from people using PLC programming tools on compromised WinCC hosts. Symantec has dubbed Stuxnet “the first SCADA rootkit.” The more we dig into this piece of malware, the worse it looks. Siemens reports that, to date, five sites running their PCS 7 control system have been compromised. Siemens reports having discovered no reprogrammed PLCs or other ill effects on those compromised control systems thus far. (more…)
Stuxnet and Siemens
A batch of questions at the recent Stuxnet webinar had to do with, among other topics, what the worm is capable of. In researching those questions I came across a post from last week by Symantec.
Symantec reports that the worm contains a wrapper for the Siemens “s7otbxdx.dll.” The wrapper exports exactly as many functions as the real DLL, so it can be dropped in place of the genuine library without breaking the programs that call it. Some of these exported functions simply pass control straight into the real DLL without touching any data; the rest either manipulate inputs before passing them on to the real DLL, or manipulate the outputs the real DLL returns. This is what lets the worm hide its PLC code blocks from an engineer browsing the PLC from a compromised host: the programming tool asks the wrapper for the block list and gets back a filtered one. The set of functions which manipulate inputs or outputs is listed below: (more…)
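To make the three kinds of wrapper behaviour concrete, here is an added example (not code from the worm, from Siemens, or from Symantec’s analysis) that simulates a proxy DLL in a single process: a stand-in for the genuine driver, a wrapper with the same export surface, and the cross-view check a defender would run. The block names, the hidden list and the function names are all hypothetical; the block directory is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* One entry in the block directory a PLC reports to the engineering tool. */
typedef struct {
    char name[NAME_LEN];
    int  size_bytes;
} BlockInfo;

/* Constructed sample directory; illustrative names, not from any real PLC or worm. */
static const BlockInfo g_plc_blocks[] = {
    {"OB1",    120}, {"OB35",    64},
    {"FC9001", 512}, {"FC9002", 480}, {"DB9000", 256},
};
static const int g_plc_block_count = (int)(sizeof g_plc_blocks / sizeof g_plc_blocks[0]);

/* ---- stand-in for the genuine driver DLL (hypothetical export names) ------- */

/* Return the index-th block; 0 on success, -1 past the end of the directory. */
int real_blk_find(int index, BlockInfo *out)
{
    if (index < 0 || index >= g_plc_block_count) return -1;
    *out = g_plc_blocks[index];
    return 0;
}

int real_cpu_state(void) { return 1; /* RUN */ }

/* Write a block; this stand-in only records the name of the last block written. */
static char g_last_written[NAME_LEN] = "";
int real_blk_write(const char *name)
{
    strncpy(g_last_written, name, NAME_LEN - 1);
    g_last_written[NAME_LEN - 1] = '\0';
    return 0;
}
const char *last_written_block(void) { return g_last_written; }

/* ---- the wrapper: same exports, three behaviours ---------------------------- */

/* Blocks the wrapper keeps out of sight (hypothetical list). */
static const char *g_hidden[] = {"FC9001", "FC9002", "DB9000"};

static int is_hidden(const char *name)
{
    for (size_t i = 0; i < sizeof g_hidden / sizeof g_hidden[0]; i++)
        if (strcmp(name, g_hidden[i]) == 0) return 1;
    return 0;
}

/* 1. Pure pass-through: forwards to the real export, data untouched. */
int wrapper_cpu_state(void) { return real_cpu_state(); }

/* 2. Output manipulation: enumerate via the real export, but renumber the results
 *    so hidden blocks never appear. The caller sees a shorter, gap-free directory. */
int wrapper_blk_find(int index, BlockInfo *out)
{
    int visible = 0;
    for (int i = 0; i < g_plc_block_count; i++) {
        BlockInfo b;
        if (real_blk_find(i, &b) != 0) break;
        if (is_hidden(b.name)) continue;
        if (visible == index) { *out = b; return 0; }
        visible++;
    }
    return -1;
}

/* 3. Input manipulation: a write aimed at a hidden block is dropped but reported
 *    as success, so the hidden code cannot be overwritten through this path. */
int wrapper_blk_write(const char *name)
{
    if (is_hidden(name)) return 0;   /* claim success, touch nothing */
    return real_blk_write(name);
}

/* ---- the check a defender wants -------------------------------------------- */

/* Count blocks visible through a given enumeration export. */
int count_blocks(int (*find)(int, BlockInfo *))
{
    BlockInfo b;
    int n = 0;
    while (find(n, &b) == 0) n++;
    return n;
}

/* Cross-view difference: here real_blk_find stands for an independent read of the
 * PLC (e.g. from a known-clean host); a non-zero result means the suspect host's
 * DLL is lying about what is loaded on the controller. */
int hidden_block_count(void)
{
    return count_blocks(real_blk_find) - count_blocks(wrapper_blk_find);
}

int main(void)
{
    printf("blocks via genuine DLL: %d\n", count_blocks(real_blk_find));
    printf("blocks via wrapper DLL: %d\n", count_blocks(wrapper_blk_find));
    printf("hidden by wrapper     : %d\n", hidden_block_count());
    return 0;
}
```

The point of the last two functions is the only practical detection available through this interface: a host whose DLL has been wrapped will report fewer blocks than a clean host or the PLC’s own directory does, so comparing block inventories taken from two vantage points exposes the rootkit even though no single query from the compromised host ever does.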
Stuxnet Webinar Recording Available
The recording of yesterday’s Stuxnet webinar has been posted. I thought there was some interesting debate as to the authors of the worm and their intent. All such debate was of course speculation, since no concrete evidence as to the authors of the worm has been published. Eric Byres of Tofino Security suggested the authors may have been looking for competitive intelligence and trade secrets embodied in the physical processes the control systems operate. Dale Peterson of Digital Bond suggested it might be someone trying to “prove it could be done,” frustrated by how little attention industrial security issues were receiving. But, he observed, if this were the motive, it seems unusual to use a USB key as a propagation mechanism: physical media seems a slow and inefficient method to distribute a worm that someone wants to draw attention to.
Stuxnet Update
It has been a busy week for people analyzing the Stuxnet worm. Recent developments include:
- The Windows shortcut / “.LNK” vulnerability affects all Windows versions back to Windows 2000.
- Microsoft has issued a prevention tool which disables the display of icons for all file shortcuts. However, reports from people who have tried the tool are unanimous that it renders the Windows GUI nearly unusable, since every shortcut on the desktop, Start menu and taskbar is reduced to the same blank, generic icon.
- Siemens has issued a remediation tool to remove Stuxnet from compromised computers. However, Siemens advises customers to contact their support organizations before running it, because PCS 7 systems are routinely heavily customized, and only the support organization for a given site can say whether running the tool on that system is safe.
- Sophos has issued a tool to prevent the Windows shell from interpreting malicious shortcuts but still display benign shortcuts.
- Most anti-virus vendors, including unified threat manager manufacturers like Fortinet, have issued signatures for Stuxnet and/or the compromised file shortcuts.
Stuxnet Siemens SCADA Worm
The zero-day exploit has a new name: Stuxnet. It targets Siemens’ Simatic WinCC and PCS 7 industrial automation software. Siemens has issued a statement describing the attack. Microsoft is working on a fix for the vulnerability which the worm exploits. Two versions of the worm have been discovered to date: parts of one are signed by certificates owned by RealTek, parts of the other are signed by JMicron Technology Corp. The worm is widely acknowledged as the first professionally crafted malware to specifically target industrial control systems. (more…)
Zero-Day Virus Targets Control Systems?
Reports are circulating on Heise Online, VirusBlokAda and KrebsonSecurity of a new virus that targets control systems. The virus is spread on USB drives via a zero-day vulnerability in Windows 7. Worse, the code involved shows a RealTek signature. Frank Boldewin found that the malware uses the PCS vendor-default password to extract a small amount of data from a control system database. Commentators are pointing to this virus as evidence of a professional espionage effort of some sort.
The reliability of these reports is not clear at this time. Apparently Microsoft is having trouble reproducing the zero-day vulnerability and there is little detail on what else the malware does. Is this an account/password harvesting tool with dozens of vendor passwords in the component? Or something more sinister targeted specifically at control systems? (more…)
Notes from the Critical Infrastructure Security Summit
Last week I attended the IQPC Critical Infrastructure Summit in Alexandria VA. In spite of the great content, the event was less well attended than the last summit in Dec/09. The presenters were a mix of vendors, government/standards speakers, and “experience” presentations from representatives of critical infrastructure industries. The subject matter spanned the entire spectrum of security programs, from security incidents, vulnerabilities and technologies, to incident response team training, risk assessment and business case development. The highlights were as follows: (more…)
Compliance Manager Announced
Our dev team has been working long hours and yesterday saw results: they released the new Compliance Manager product. I’m not really happy with the name, since it evokes the whole “compliance vs. security” dichotomy that, for example, Dale Peterson posted about a couple of days ago. Really, the new product is about helping reduce the cost of security programs, and while security programs are required for compliance, programs have real security benefits as well.
The dev team worked closely with our customers to come up with a product that automates a lot of the housekeeping that you would otherwise need to do manually. Every standard describing a security program requires you to: (more…)
Findings from the Field Home