The First Control System Malware

There is a new malware program (W32.Stuxnet) that is spreading via USB devices. It is programmed to steal data from computers and networks running specific software used in utilities and industrial manufacturing plants.

What does this Malware do?

It’s composed of a worm that spreads via USB drives and exploits a previously unknown vulnerability in Windows. A Trojan backdoor is installed that checks whether the infected machine is running a specific type of software created by Siemens that is used in control systems for such things as industrial manufacturing, utilities (heating, air-conditioning, lighting, etc.), and modern ship control systems.

The worm exploits a hole in the code, present in all versions of Windows, that processes shortcut files with the ".lnk" extension. Merely browsing the removable media with any application that processes shortcut files will activate the virus, even if the shortcut is never clicked. Any USB media attached to the infected machine will itself become infected.
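Because a shortcut can trigger this flaw without being clicked, the safe way to inspect a suspicious USB stick is to read the .lnk files as plain bytes rather than browsing the drive. The script below is an added example, not code from the original post: it parses the Shell Link header, LinkInfo and string data of each .lnk file (field layout per Microsoft's MS-SHLLINK specification) and flags shortcuts whose target cannot be verified from a path or that point at a loadable library. The sample shortcuts it builds are constructed here for illustration and are not Stuxnet artifacts; the heuristics are generic, not a signature for this malware.

```python
"""Triage Windows shortcut (.lnk) files found on a removable drive.

Added example (not from the original post). Field layout follows the
MS-SHLLINK specification; sample shortcuts are constructed inline.
"""
import os
import struct
import tempfile
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LOADABLE_EXTENSIONS = (".dll", ".cpl")


def parse_lnk(data):
    """Return the fields needed for triage, or {'malformed': True}."""
    if len(data) < LNK_HEADER_SIZE:
        return {"malformed": True}
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return {"malformed": True}
    info = {"malformed": False, "flags": flags, "base_path": None, "strings": {}}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte size, then shell items
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # LinkInfo holds the local base path
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                         # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            info["base_path"] = data[pos + base_off:end].decode("ascii", "replace")
        pos += li_size
    for bit, name in STRING_FIELDS:              # StringData: count, then characters
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            pos += width * count
            info["strings"][name] = raw.decode("utf-16-le" if width == 2 else "ascii", "replace")
    return info


def triage(info):
    """Generic review heuristics; returns a list of human-readable findings."""
    if info["malformed"]:
        return ["malformed shell link header"]
    findings = []
    flags = info["flags"]
    if flags & HAS_LINK_TARGET_ID_LIST and not flags & HAS_LINK_INFO \
            and "relative_path" not in info["strings"]:
        findings.append("target given only as a shell item list; no path to verify")
    for label, value in [("base path", info["base_path"])] + list(info["strings"].items()):
        if value and value.lower().endswith(LOADABLE_EXTENSIONS):
            findings.append(f"{label} points at a loadable library: {value}")
    return findings


def scan_removable(root):
    """Map every .lnk path under root to its triage findings (files read as bytes only)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".lnk"):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    report[fn] = triage(parse_lnk(fh.read()))
    return report


def build_lnk(flags, base_path=None, strings=None, idlist=b""):
    """Build a minimal shell link for test samples (VolumeID omitted; parser ignores it)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    body = header + b"\x00" * (LNK_HEADER_SIZE - len(header))
    if flags & HAS_LINK_TARGET_ID_LIST:
        body += struct.pack("<H", len(idlist)) + idlist
    if flags & HAS_LINK_INFO:
        path_bytes = base_path.encode("ascii") + b"\x00"
        body += struct.pack("<IIIIIII", 0x1C + len(path_bytes), 0x1C, 1, 0, 0x1C, 0, 0) + path_bytes
    for bit, name in STRING_FIELDS:
        if flags & bit:
            s = (strings or {})[name]
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le" if flags & IS_UNICODE else "ascii")
    return body


# Constructed samples: an ordinary shortcut, one resolved only through a shell
# item list, one whose base path is a library, and a file that is not a shortcut.
SAMPLES = {
    "benign.lnk": build_lnk(HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE,
                            "C:\\Tools\\notes.txt",
                            {"relative_path": ".\\notes.txt", "icon_location": "C:\\Tools\\notes.txt"}),
    "idlist_only.lnk": build_lnk(HAS_LINK_TARGET_ID_LIST, idlist=b"\x00\x00"),
    "library.lnk": build_lnk(HAS_LINK_INFO, "E:\\helper.dll"),
    "junk.lnk": b"not a shortcut",
}


def demo():
    """Write the samples to a temporary directory and scan it like a USB drive."""
    with tempfile.TemporaryDirectory() as root:
        for fn, data in SAMPLES.items():
            with open(os.path.join(root, fn), "wb") as fh:
                fh.write(data)
        return scan_removable(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", findings or ["no findings"])
```

Run it against the root of a mounted removable drive by calling `scan_removable("E:\\")` (drive letter is an assumption) from a machine whose shortcut handling is already patched or from a non-Windows host; the script never resolves or executes the shortcuts, it only reads their bytes.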

This software also installs a "rootkit", which hides the fact that the computer has been compromised. It also sneaks in other software by using digital certificates signed by two Taiwanese chip manufacturers, RealTek and JMicron. These digital signatures are believed to have been stolen.

The Trojan checks whether the computer is running the Siemens Simatic WinCC software and, if so, automatically uses the default password that is hard-coded into the software to access the MS SQL database.

The malware steals industrial automation layout designs and control files. Once it locates the data that it wants, it encodes it and attempts to upload it to a remote server that may contain additional commands.

The top countries that are being attacked are India, Indonesia and Iran. The US is number 6 on the list.

Even if your company does not use the Siemens software involved, your computers can still be infected by and spread the virus. Symantec, a leading anti-virus software manufacturer, has indicated that it is seeing between 8,000 and 9,000 new infections a day.

Available Fixes.

Siemens is supposed to be working on a fix and is supposed to have a detection utility out this week.

Microsoft is currently working on a patch.

Both Microsoft and VeriSign have also revoked the digital certificate used in the exploit.

Even if your anti-virus and anti-malware systems are up-to-date, if you think that any of your systems have been compromised, please contact the CCS Retail Systems Support Department immediately. No single A/V protection system can stop all viruses. We have experience with many protection and removal tools for the special cases you can encounter.