Malware Targets Shortcut Flaw In Windows, SCADA

tsu doh nimh writes "Anti-virus researchers have discovered a new strain of malicious software that spreads via USB drives and takes advantage of a previously unknown vulnerability in the way Microsoft Windows handles '.lnk' or shortcut files. Belarus-based VirusBlokAda discovered malware that includes rootkit functionality to hide the malware, and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company. In a further wrinkle, independent researcher Frank Boldewin found that the complexity and stealth of this malware may be due to the fact that it is targeting SCADA systems, or those designed for controlling large, complex and distributed control networks, such as those used at power and manufacturing plants. Meanwhile, Microsoft says it's investigating claims that this malware exploits a new vulnerability in Windows."
  • by quanticle ( 843097 ) on Thursday July 15, 2010 @05:15PM (#32919602) Homepage

    Seriously, anyone using Windows for SCADA in this day and age has to get their head checked. With the wealth of proprietary and free embedded operating systems available today, the use of Windows in any sort of embedded device should have ended a long time ago.

  • Realtek (Score:3, Insightful)

    by StikyPad ( 445176 ) on Thursday July 15, 2010 @05:21PM (#32919660) Homepage

    and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company.

    For very loose values of "legitimate." Realtek is the Yugo of hi-tech.

  • by kb1 ( 1764484 ) on Thursday July 15, 2010 @05:32PM (#32919782)
    The target here is likely the HMI [ge-ip.com] side of things. Many (most?) of the HMIs are Windows based and often built, installed and then ignored. The implementers routinely expect them to be running inside air-gapped networks, so vulnerability patching is not performed and sometimes even actively discouraged. Yes, there are open-source HMI projects [sourceforge.net] available, but try convincing someone to deploy a life-critical system using one of them.
  • Re:Realtek (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Thursday July 15, 2010 @05:33PM (#32919790) Journal
    They may be pretty chintzy; but they are downright ubiquitous. Things are going to get comedic if every Realtek-equipped PC that also gets Windows updates suddenly starts throwing "unsigned driver" warnings because Microsoft revokes their trust of the Realtek signing key (which they might chicken out of; but they really should do if there are signed rootkit drivers floating around)...
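    An added defender-side check, not part of this thread or of any vendor's tooling: the PowerShell script below inventories the drivers registered on a Windows host and reports each one's Authenticode signer and signature status, so an administrator can see which running drivers carry a given publisher's signature or no longer verify. The publisher substring and the use of `Win32_SystemDriver` plus `Get-AuthenticodeSignature` are this example's own choices.

```powershell
# Added example (not from the article or any vendor): list kernel drivers
# registered on this host with their Authenticode signer and signature status.
param(
    [string]$Publisher = 'Realtek'   # assumed: substring to match in the signer subject
)

# Win32_SystemDriver lists every driver service; PathName is the .sys path and
# may be quoted, prefixed with \??\ or \SystemRoot, or relative to %SystemRoot%.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }
    $path = $path.Trim('"') -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    [pscustomobject]@{
        Name    = $d.Name
        State   = $d.State          # 'Running' or 'Stopped'
        Path    = $path
        Status  = $sig.Status       # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Signer  = $subject
        Flagged = ($subject -like "*$Publisher*")
    }
}

# Running drivers whose signer matches the publisher of interest, or whose
# signature does not verify, are the ones worth a closer look. Caveat: on older
# Windows/PowerShell versions, catalog-signed OS drivers can show as NotSigned.
$report |
    Where-Object { $_.State -eq 'Running' -and ($_.Flagged -or $_.Status -ne 'Valid') } |
    Sort-Object Flagged -Descending |
    Format-Table Name, Status, Signer, Path -AutoSize
```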
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Thursday July 15, 2010 @05:44PM (#32919914)
    Comment removed based on user account deletion
  • by bloodhawk ( 813939 ) on Thursday July 15, 2010 @06:08PM (#32920198)
    really you are asking the wrong questions. They failed to correctly patch Windows; they would just as likely fail to correctly patch Linux or any other OS too. The question isn't "why were you using Windows"; vulnerabilities exist in all OSes. The question is "Why the fuck were they not patching known vulnerable systems that are mission critical?" The patch for the Sasser worm was available well before the worm; secondly, "why the fuck, if they had a reason to not patch vulnerabilities, were they leaving their mission critical devices exposed?"

    What you describe is a massive failure on the part of the IT staff.
  • by Bigjeff5 ( 1143585 ) on Thursday July 15, 2010 @06:24PM (#32920386)

    Somebody obviously doesn't know what SCADA is used for in this day and age.

  • And how... (Score:4, Insightful)

    by Securityemo ( 1407943 ) on Thursday July 15, 2010 @06:29PM (#32920442) Journal
    This is awesome. A major 0day? They stole the signing key from Realtek? And it's not like you can instantly invalidate those keys without major hassle. I wonder how many other such "cert" keys have been stolen over the years.
    Besides that, why code an interface specifically for Siemens SCADA? One question you'd have to ask is, does that system have marketshare for the control systems of any specific type of thing, or is it generally just popular in industrial automation? I can't find anything specific online, besides advertising writeups about factory control.
  • Re:Interesting (Score:5, Insightful)

    by h4rr4r ( 612664 ) on Thursday July 15, 2010 @06:30PM (#32920456)

    Are you brain damaged?
    USB drives are the new floppies. If the OS cannot handle them in a secure way the OS is the problem.

  • by Anonymous Coward on Thursday July 15, 2010 @06:53PM (#32920720)

    More like anti-virus scaremongers.

    Only because so many people don't want to understand the computers they use and it is easy to make them buy into the fear of what they do not understand, especially when you have the credentials of expertise. On their shallow level the anti-virus people are technically correct. It is their approach that is systemically flawed. They have no interest in removing the susceptibility to viruses, so they continue using technically correct ways to advance the arms race of malware creators vs. anti-virus companies.

    It's like the pharmaceutical companies - they have no interest in promoting natural, drug-free remedies even when these are available because they make more money in a nation of sick people. Antivirus companies make more money when over 90% of PCs use a platform that continues to suffer from the same kinds of flaws that plagued it 15 years ago. You do not trust untrustworthy content and that doesn't change whether it's ActiveX, automatically running scripts in remote e-mails, floppy drives of yesteryear, or USB drives of today. How many iterations of the same principle does Microsoft need before they get it? The code that handles such data needs to be some of the most security-hardened code in the system, against both design flaws like deciding to trust remote e-mails and against implementation flaws like buffer overflows.

    They don't get it because they don't want to get it. This helps them sell the next version of Windows that promises to be more secure than ever. This helps the anti-virus companies sell the next version of their arms race. You think they're helping you? They're helping themselves to you.

    Posted anon to preserve moderations.

  • by PPH ( 736903 ) on Thursday July 15, 2010 @06:57PM (#32920770)

    The actual consoles where the operators sit are about 90% Windows though, if not higher, and that's most likely where you're going to see this virus come into play in the first place because of some stupid user plugging in an infected USB device.

    And then the virus rootkits the control console. It can then issue commands to the SCADA systems that appear to be from legitimate operator input.

    Back when I worked for Boeing, we fought a losing battle trying to keep Windows systems off the shop floor. In an ideal world, we would have a secure subnet within the company Intranet behind its own firewall to keep the Windows systems from seeing shop equipment. In the real world, lots of the factory equipment was running Windows. Worse yet, some of the people responsible for loading firmware into avionics used Windows laptops to do so. And then they'd take them home at night where the kids would use them to log on to Facebook, or download kewl stuff from unknown sources.

    You can't fire people fast enough to keep Windows out of mission critical areas.

  • by grcumb ( 781340 ) on Thursday July 15, 2010 @10:08PM (#32922358) Homepage Journal

    Why are they using them you ask? Because it's all the developers/admins know how to use. They hate using the Unix boxes here at my work, and they keep coming to me to hold their hand doing anything on them. They prefer Windows because everyone has Windows at home or on their desks, and it's a lot easier for my co-workers to understand and use.

    I agree with the first part of that last sentence, and I suspect that if you asked people, they too would claim that Windows is easier to understand and use....

    ... But you'd all be wrong.

    The plain fact is that Windows is simpler in places where simplicity actually hides essential knowledge. Say what you like about Linux/Unix being harder; the fact of the matter is that it's no harder than it should be. The Windows UI, on the other hand, definitely is simpler than it should be.

    Every time someone takes the shortcut and runs a Wizard, the end result is that Microsoft, not the admin/developer, ends up making the majority of technical assumptions, most of which are driven by marketing, rather than actual technical needs.

    The problem, in short, is not that Linux/Unix is too hard. The problem is that Windows pretends to be too easy.

  • Re:Interesting (Score:3, Insightful)

    by Runaway1956 ( 1322357 ) on Thursday July 15, 2010 @10:17PM (#32922408) Homepage Journal

    *cough*

    Portable media should never be considered "secure". FFS, just think about the corporations that have distributed malware, intentionally or unintentionally, via their CDs and/or DVDs. From time to time, a story comes out about malware being distributed at the various conventions. Yeah, it's a joke, mostly, because the techies at the conventions SHOULD be savvy enough to watch for that crap. Still, the malware gets distributed, and it runs on any number of machines, before the techies get wise to it.

  • by Anonymous Coward on Friday July 16, 2010 @01:19AM (#32923268)

    Sorry buddy, but you got it wrong. This problem doesn't affect Linux based systems. I can plug my USB stick into my computer and I'm not affected by this. Everyone. EVERYONE using Microsoft is affected by this. It's not a matter of proper patching or not. This is another newly discovered flaw. It was discovered because Microsoft didn't test their software prior to shipping. No other operating systems are affected by this. Only Microsoft. And not just 'what's a patch?' systems, but all of them. This affects every Microsoft system, including yours (as someone defending them, I assume you are beholden to them for your income, and are rubbing patch disks between your legs right now). This problem affects Microsoft. Not Linux, not Solaris or AIX or Solaris or BSD or Plan 9 or System/36 or Ultrix or VMS or VM/CMS or MVS/XA. Even systems patched up to this very second with all the patches Microsoft has are affected by this. It's a Microsoft problem. Don't speculate or say 'just as likely'. That's bullshit. I don't use Microsoft, and I'm completely unaffected by this. Only Microsoft is affected. They are the only ones. Quit blame shifting. It's a Microsoft problem. It's not a Linux problem. It's squarely a Microsoft problem.

  • by Anonymous Coward on Friday July 16, 2010 @01:40AM (#32923364)

    Until they all reboot at the same time for some windows updates.......

  • by 10101001 10101001 ( 732688 ) on Friday July 16, 2010 @03:39AM (#32923818) Journal

    They failed to correctly patch windows, they would just as likely fail to correctly patch linux or any other OS too.

    Why do you presume an embedded system would even have an OS?

    The question isn't "why were you using windows", vulnerabilities exist in all OS's. The question is "Why the fuck were they not patching known vulnerable systems that are mission critical?"

    The company was shut down for a whole day, costing $20,000 per minute in lost revenue.

    That probably had something to do with it. Yes, I'm sure you could have a second (or third) redundant machine on the assembly line so you could reboot each machine in serial as they're patched and verified to work--a procedure that'd have to be carried out on the order of monthly (and sometimes randomly on top of that) which seems unreasonably excessive for such a niche application. Or, you could use an embedded system that doesn't have an OS. Or you could use an OS that's small enough that no exploitable vulnerabilities exist because even if a vulnerability exists, you can do enough test cases (and hardware parity/checksum/crc) to verify that software always reacts properly under all possible valid inputs and always fails safe with all possible invalid input, provided the input size is forced to be limited enough.

    Patch for Sasser worm was available well before the worm, secondly "why the fuck if they had a reason to not patch vulnerabilities were they leaving their mission critical devices exposed?".

    How about "why the fuck would you use a general purpose OS with millions of lines of code to do a task that ten thousand lines of audited code could do instead"? My guess? Management thought it was cheaper and some IT people thought firewalls were magic that would remove all patching concerns.

    What you describe is a massive failure on the part of the IT staff.

    No doubt. In management too. At best, they're responsible for hiring IT staff stupid enough to choose to rely upon Windows and a firewall. At worst, they're the ones who forced such a solution on IT staff and selected IT staff who believed it'd work.

  • Re:Interesting (Score:5, Insightful)

    by Lonewolf666 ( 259450 ) on Friday July 16, 2010 @05:05AM (#32924076)

    Portable media should never be considered "secure".

    Correct, and that is why "autorun" functions that are active by default are a bad idea. But convenience over security is typical for certain OS vendors, especially those from Redmond ;-)

    The only instance when stuff from portable media is automatically executed should be at boot time, if the medium is selected as boot drive in the BIOS (or whatever your system uses in place of the BIOS).
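    An added example, not from the thread or its author: a PowerShell check that reads the `NoDriveTypeAutoRun` Explorer policy and decodes which drive types still have AutoRun enabled. The bitmask positions follow the Win32 `GetDriveType()` codes; the key paths are the standard Explorer policy locations, and the HKLM-over-HKCU precedence is stated here as an assumption.

```powershell
# Added example (not from the article or the comment author): decode the
# NoDriveTypeAutoRun policy, a bitmask of drive types for which AutoRun is
# DISABLED; bit positions follow GetDriveType() codes. 0xFF disables it everywhere.
$driveTypes = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x02 = 'DRIVE_NO_ROOT_DIR'
    0x04 = 'DRIVE_REMOVABLE (USB sticks, floppies)'
    0x08 = 'DRIVE_FIXED'
    0x10 = 'DRIVE_REMOTE (network shares)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'unspecified / reserved'
}

function Get-AutoRunPolicy {
    # Reads the per-machine and per-user policy keys; the machine-wide (HKLM)
    # value is assumed to take precedence when both are present.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $k; Mask = [int]$v.NoDriveTypeAutoRun }
        }
    }
    return $null
}

$policy = Get-AutoRunPolicy
if ($null -eq $policy) {
    'NoDriveTypeAutoRun policy is not set; the OS built-in default applies.'
    return
}

'NoDriveTypeAutoRun = 0x{0:X2} (from {1})' -f $policy.Mask, $policy.Source
foreach ($bit in $driveTypes.Keys) {
    # A clear bit means AutoRun is still active for that drive type.
    $enabled = ($policy.Mask -band $bit) -eq 0
    '{0,-40} AutoRun {1}' -f $driveTypes[$bit], $(if ($enabled) { 'ENABLED' } else { 'disabled' })
}
```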

  • by viralMeme ( 1461143 ) on Friday July 16, 2010 @10:34AM (#32926002)
    They failed to correctly patch windows, they would just as likely fail to correctly patch linux or any other OS too

    Bullshit ..
  • by the_womble ( 580291 ) on Saturday July 17, 2010 @03:41AM (#32935502) Homepage Journal

    If they had Linux PCs correctly configured for assembly line work (i.e. only components necessary to that work installed, firewalls on PC as well as network, etc.) how many holes would have been left open by a failure to patch?

    How many would have been left open on any other embedded device OS?

  • by sjames ( 1099 ) on Sunday July 18, 2010 @11:16PM (#32947080) Homepage Journal

    True enough as far as it goes. Not properly maintaining any system is a problem. The firewall should have actually prevented the spread.

    However, Linux and a number of other OSes (NOT Windows) make it a lot easier to produce a dedicated install with a minimal attack surface (no ports you can't close or services that you can't shut off and uninstall). The question is why would an industrial control system not be stripped down to essential services. Why was anything there even listening on port 445 or 139?
