Saturday, December 3, 2011

Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 8062

http://www.langner.com/en/index.htm
Stuxnet logbook, Sep 16 2010, 1200 hours MESZ

With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).
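A defender's check for the block indicators named in the logbook entry above (DB 890, DB 8062, and a call from OB 35 to FC 1874). This is an added example, not code from Langner or Siemens. It assumes the project's block list and call references have been exported to plain text; the export format, the function names and the sample lines are constructed for illustration.

```python
import re

# Block identifiers named in the logbook entry above.
FINGERPRINT_DBS = [("DB", 890), ("DB", 8062)]  # checked to fingerprint the target
INJECTED_FC = ("FC", 1874)   # called by the code injected into OB 35
TIMER_OB = ("OB", 35)        # 100 ms timer OB

BLOCK_RE = re.compile(r"\b(OB|FC|FB|DB)[ _]?(\d+)\b", re.IGNORECASE)

# Constructed sample inventory in an assumed export format:
#   <block> [calls: <block>, <block>, ...]
SAMPLE = """\
# constructed sample, not taken from a real project
OB 1    calls: FC 10, FB 20
OB35    calls: FC1874, FC 12
db_890
DB 8062
FC 1874
FC 12
"""


def parse_inventory(text):
    """Map each (type, number) block to the set of blocks it calls."""
    inventory = {}
    for line in text.splitlines():
        head, _, tail = line.partition("calls:")
        owner = BLOCK_RE.search(head)
        if not owner:
            continue  # blank line, comment or header
        key = (owner.group(1).upper(), int(owner.group(2)))
        callees = {(t.upper(), int(n)) for t, n in BLOCK_RE.findall(tail)}
        inventory.setdefault(key, set()).update(callees)
    return inventory


def find_indicators(inventory):
    """Return (block, reason) findings for the indicators in the logbook."""
    name = lambda block: f"{block[0]} {block[1]}"
    findings = [(name(db), "fingerprint block present")
                for db in FINGERPRINT_DBS if db in inventory]
    if INJECTED_FC in inventory:
        findings.append((name(INJECTED_FC), "block present"))
    if INJECTED_FC in inventory.get(TIMER_OB, set()):
        findings.append((name(TIMER_OB), "calls FC 1874"))
    return findings


if __name__ == "__main__":
    for block, reason in find_indicators(parse_inventory(SAMPLE)):
        print(f"{block}: {reason}")
```

A hit on DB 890 or DB 8062 means the project matches the fingerprint the logbook describes; a call from OB 35 to FC 1874 matches its description of the injected code.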

The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
Over the weekend of July 17-18, news broke on the “Computerworld” technology Web site about a virus attacking industrial automation giant Siemens’ WinCC and PCS7 industrial control human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems.
The virus exploits Microsoft Windows operating systems when Universal Serial Bus (USB) memory sticks are inserted in a host computer and automatically loaded.

In response to a query from Automation World, Siemens Industry Inc. (http://www.usa.siemens.com/industry) spokesperson Michael Krampe issued the following statement:

"Siemens was notified about the virus that is affecting its Simatic WinCC SCADA (Supervisory Control and Data Acquisition) systems on July 14. The company immediately assembled a team of experts to evaluate the situation. Siemens is taking all precautions to alert its customers to the potential risks of this virus.

"Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments."

Well-known industrial cyber-security expert Eric Byres and his team conducted a weekend analysis, and Byres has issued a statement and is offering a White Paper analysis. Here is his analysis:

“Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.

“As best as I can determine, the facts are as follows:
• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (there are workarounds, which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products and hardware PLC S7-315 and S7-417.
• The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage and sabotage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The malware infects PLC S7-315 and S7-417 via modified S7 DLLs.

• The only known workarounds are:
  • NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
  • Disable the displaying of icons for shortcuts (this involves editing the registry)
  • Disable the WebClient service

“My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from http://www.tofinosecurity.com/professio ... cc-malware .

“If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already http://www.tofinosecurity.com web members do not need to reregister.”

http://www.eset.com/press-center/article/eset-analysis-worm-win32stuxnet-targets-supervisory-systems-in-the-us-and-iran/7609
ESET Analysis: Worm Win32/Stuxnet Targets Supervisory Systems in the U.S. and Iran
