Malware Targets Shortcut Flaw In Windows, SCADA
Posted by timothy
from the thinking-big dept.
tsu doh nimh writes "Anti-virus researchers have discovered a new strain of malicious software that spreads via USB drives and takes advantage of a previously unknown vulnerability in the way Microsoft Windows handles '.lnk' or shortcut files. Belarus-based VirusBlokAda discovered malware that includes rootkit functionality to hide the malware, and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company. In a further wrinkle, independent researcher Frank Boldewin found that the complexity and stealth of this malware may be due to the fact that it is targeting SCADA systems, or those designed for controlling large, complex and distributed control networks, such as those used at power and manufacturing plants. Meanwhile, Microsoft says it's investigating claims that this malware exploits a new vulnerability in Windows."
Re:Windows for SCADA? WTF?! (Score:5, Informative)
SCADA systems do not run on embedded boards but on full-fledged computers. I worked in a company that designed a SCADA system a long time ago using iRMX as the operating system. The problem with SCADA systems has always been their cost, which increases when you use special operating systems. The trend now is to run SCADA systems on Windows machines, but the reliability is not the same.
Re:Windows for SCADA? WTF?! (Score:5, Informative)
The server end though is very often a Windows shop. However, forms of *nix are not uncommon at all either and in fact UNIX types used to be the norm for servers in SCADA, but that's been going away for quite a while now. I'd say it's about 50/50 these days between Windows and *nix. Most of the *nix stuff is now AIX or some flavor of Linux (RHEL being the big one). That's on the server side. The actual consoles where the operators sit are about 90% Windows though, if not higher, and that's most likely where you're going to see this virus come into play in the first place because of some stupid user plugging in an infected USB device.
Though a proper SCADA shop should have their SCADA system locked down. We certainly do. All USB ports are secured, and thumb drives are not allowed and are disabled from being attached. An operator who can just walk up and stick a USB drive into a console is a big, big no-no.
Re:Windows for SCADA? WTF?! (Score:5, Informative)
Most of the IT your life in the Western world depends on runs on Windows.
Yes, you are right: it is not suited for the purpose. It says so in the EULA.
Again, you are right: they have higher down times, increased maintenance due to weekly patching to prevent security problems.
Uh-huh, I agree. In my experience supporting such systems, they are indeed slower than a good Unix box, harder to administer because you are constantly manually typing things in as opposed to automating them.
Why are they using them you ask? Because it's all the developers/admins know how to use. They hate using the Unix boxes here at my work, and they keep coming to me to hold their hand doing anything on them. They prefer Windows because everyone has Windows at home or on their desks, and it's a lot easier for my co-workers to understand and use. That's why your quality of life is in the hands of Microsoft.
BTW, my co-workers are currently plotting to de-UNIXify one of our major systems. *groan* They point out how expensive the AIX box is, and how unreliable it is. Um, the same guys who maintain the AIX box are going to maintain the Windows boxes, and if you remember, they did a terrible job keeping them up! It's not AIX that's unreliable -- it's the quality of our admins.
Re:Windows for SCADA? WTF?! (Score:5, Informative)
They have an internal process to verify all patches on the systems they support their software on (RHEL, SuSE, Windows Server 2003, 2008, Windows XP and Vista, with Windows 7 certification coming) and ensure they do not break the SCADA servers or clients, and they release this information to their customers relatively quickly (we usually are about one month behind, implementing patches that've been vouched safe within about 30 days of the patch release, but this process is faster for zero-day and other such critical things).
They do not "assume" anything for their customers. However they do strongly encourage air-gap, and frankly so would I. A SCADA system controlling the power grid should never have an Internet connection. It should never need one. If it must have this, you have something seriously wrong with your design.
Furthermore, I would add that recent (within the last two to three years) updates to CIP [wikipedia.org] and NERC [wikipedia.org] compliance specifications actually require patches to be kept up to date, and also require you to fully document the fact that you have patched your servers and workstations. If you have not applied a patch, you must have documentation explaining why (this is why our vendor has their patch vouching program, so you have documentation on why they said not to install something). There are very heavy fines for not implementing this, and it can even lead to certification revocation, which means you can't do business.
Re:Windows for SCADA? WTF?! (Score:2, Informative)
I work in support for Wonderware, which, unfortunately, is in 33% of production facilities worldwide. It only runs on Windows; then there's iFix, GE's HMI software, Autosol and Standard Automation products running on Windows... A GE DCS may run *nix, but it reports to and is queried by a Windows PC. I think it's probably more like 75%/25% in favor of Windows for SCADA systems.
Re:LNK files (Score:3, Informative)
Cool. Let's indulge in some nineties nostalgia with a good old OS war... :-)
When I first laid hands on Win95 I thought to myself, "This feels just like my Quadra Mac."
Yes, it looked much the same, except in Win95 I could format a floppy disk while copying files over the network and typing an email.
Re:LNK files (Score:5, Informative)
> Microsoft has had its fair share of ideas copied too (Apple copied the popular 'right mouse click'...
Uh. No. I don't know who invented right button clicking first, but I know the Amiga in 1985 had the capability with context menus arriving in OS 2.0 (1989). Ditto the Atari ST. It was not a Microsoft invention.
In fact I honestly can't think of anything MS originally invented. Maybe MS-BASIC back in the distant disco decade (70s) but that's about it.
Default SQL username and password in HMI (Score:5, Informative)
So looking at some of the linked info it appears that this is targeting a Siemens SIMATIC WinCC Database. It appears that the database uses a hardcoded username and password combination that end users are told not to change. I found some forum postings from people who made the mistake of changing the password only to have the software fail.
Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder (+1 for what appears to be a reasonably random looking password, -1 for being short, -1 for not including symbols, -100 for hardcoding it into the app and forcing all users to have the same exploitable entry point into their embedded database that this worm can use to read and inject code into the database)
https://www.automation.siemens.com/forum/guests/PostShow.aspx?PostID=16127&Language=en&PageIndex=2 [siemens.com]
Product being targeted:
http://www.automation.siemens.com/w2/automation-technology-distributed-control-system-simatic-pcs-7-1075.htm [siemens.com]
Seems pretty clear that this was a targeted attack. (Launched by Competitor, former employee, etc)
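The comment above quotes WinCC's fixed `Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder` connection string and lists why a shared, hardcoded database login is a problem. The following is an added example (not code from this thread, from Siemens, or from any vendor) of the kind of audit a defender can run over their own configuration files: it parses SQL Server style connection strings, flags embedded passwords, recognises the default credential pair quoted above, applies the length and symbol checks the comment mentions, and shows how a connection string can be assembled at runtime from integrated authentication or a secret store instead of a literal. The sample config text, the `WINCC_DB_PASSWORD` secret name, and the 12-character threshold are all constructed for this example.

```python
"""Audit connection strings for hardcoded credentials and build safer ones.

Added example, not code from the thread, Siemens or any vendor. The WinCC
default connection string is the one quoted in the comment above; the
sample config file, secret name and thresholds are constructed here.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Default connection string quoted in the comment above.
WINCC_DEFAULT = r"Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder"

# Credential pairs that are publicly documented vendor defaults (lower-cased user).
KNOWN_DEFAULTS = {("winccconnect", "2WSXcder")}

SECRET_KEYS = ("pwd", "password")
USER_KEYS = ("uid", "user id", "user")
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
MIN_PASSWORD_LEN = 12  # constructed policy threshold for this example

# Matches an ODBC/ADO.NET style connection string embedded in a line of text;
# stops at quotes or end of line so surrounding config syntax is not swallowed.
CONN_STRING_RE = re.compile(r"(?:Server|Data Source)\s*=[^\r\n\"']+", re.IGNORECASE)


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict; keys lower-cased, values intact."""
    parts: Dict[str, str] = {}
    for item in conn.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts


def audit_connection_string(conn: str) -> List[str]:
    """Return a list of findings for one connection string (empty means clean)."""
    parts = parse_connection_string(conn)
    findings: List[str] = []
    user = next((parts[k] for k in USER_KEYS if k in parts), None)
    for key in SECRET_KEYS:
        pw = parts.get(key)
        if not pw:
            continue
        findings.append(f"embedded password in '{key}='")
        if user and (user.lower(), pw) in KNOWN_DEFAULTS:
            findings.append("vendor default credential pair")
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        if not re.search(r"[^A-Za-z0-9]", pw):
            findings.append("password contains no symbols")
    return findings


def scan_config_text(text: str) -> List[Tuple[int, List[str]]]:
    """Find connection strings in config/source text; return (line_no, findings)."""
    results: List[Tuple[int, List[str]]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CONN_STRING_RE.finditer(line):
            findings = audit_connection_string(match.group(0))
            if findings:
                results.append((line_no, findings))
    return results


def build_connection_string(
    server: str,
    database: str,
    user: Optional[str] = None,
    secret_lookup: Callable[[str], Optional[str]] = os.environ.get,
    secret_name: str = "WINCC_DB_PASSWORD",
) -> str:
    """Assemble a connection string at runtime instead of storing it as a literal.

    With no user, integrated (Windows) authentication is requested. If a SQL
    login is unavoidable, the password comes from secret_lookup (an environment
    variable by default) so it is never written into a config file.
    """
    parts = [f"Server={server}", f"Database={database}"]
    if user is None:
        parts.append("Integrated Security=SSPI")
    else:
        secret = secret_lookup(secret_name)
        if not secret:
            raise RuntimeError(f"secret {secret_name!r} is not available")
        parts += [f"uid={user}", f"pwd={secret}"]
    return ";".join(parts)


# Constructed sample config for the demo; line 3 carries the default credentials.
SAMPLE_CONFIG = r'''# constructed sample config, not a real WinCC file
[database]
conn = "Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder"
[reporting]
conn = "Server=.\WinCC;Database=Reports;Integrated Security=SSPI"
'''


if __name__ == "__main__":
    for line_no, findings in scan_config_text(SAMPLE_CONFIG):
        print(f"line {line_no}: " + "; ".join(findings))
    print("hardened:", build_connection_string(r".\WinCC", "Reports"))
```

Run as-is it reports the findings for line 3 of the sample config and leaves the integrated-authentication entry alone. The audit is meant for text at rest (config files, source, backups); a string that `build_connection_string` assembles from a secret store at runtime will of course still contain `pwd=`, which is the point: the secret exists in process memory, not in a file that every installation shares.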
Re:Windows for SCADA? WTF?! (Score:4, Informative)
I recently did installation work at one of the largest gas processing plants in Norway.
The control system HMI runs on OpenVMS, the controllers are on a redundant token ring network. (good old coax).
All the control room clients are WinXP SP2 with almost no patches. This is required to have the HMI applications work. They also need to be set to 256 colors to get blinking effects (critical in such a system..).
Will the system be replaced with something newer? Not in a few years. Stopping the plant costs 23 million USD per day just in lost sale/production...
Now... have there been problems with these vulnerable machines? Nope. Not ever. Control room personnel know not to fuck with the clients and behave... They are running a multimillion dollar plant and fucking up is not something you want to do.... You don't mess with the system.. EVER.
The story describes what I consider an HR issue, not a technical one...