Jul 26 2010

Iran was prime target of SCADA worm

Computers in Iran have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious software, known as Stuxnet.

Looking at the dates on digital signatures generated by the worm, the malicious software may have been in circulation since as long ago as January, said Elias Levy, senior technical director with Symantec Security Response.

Stuxnet was discovered last month by VirusBlokAda, a Belarus-based antivirus company that said it found the software on a system belonging to an Iranian customer. The worm seeks out Siemens SCADA (supervisory control and data acquisition) management systems, used in large manufacturing and utility plants, and tries to upload industrial secrets to the Internet.

Symantec isn’t sure why Iran and the other countries are reporting so many infections. “The most we can say is whoever developed these particular threats was targeting companies in those geographic areas,” Levy said.

The U.S. has a long-running trade embargo against Iran. “Although Iran is probably one of the countries that has the worst infections of this, they are also probably a place where they don’t have much AV right now,” Levy said.

Siemens wouldn’t say how many customers it has in Iran, but the company now says that two German companies have been infected by the virus. A free virus scanner posted by Siemens earlier this week has been downloaded 1,500 times, a company spokesman said.

Earlier this year, Siemens said it planned to wind down its Iranian business — a 290-employee unit that netted €438 million (US$562.9 million) in 2008, according to the Wall Street Journal. Critics say the company’s trade there has helped feed Iran’s nuclear development effort.

Symantec compiled its data by working with the industry and redirecting traffic aimed at the worm’s command and control servers to its own computers. Over a three-day period this week, computers located at 14,000 IP addresses tried to connect with the command and control servers, indicating that a very small number of PCs worldwide have been hit by the worm. The actual number of infected machines is probably in the 15,000 to 20,000 range, because many companies place several systems behind one IP address, according to Symantec’s Levy.

Because Symantec can see the IP address used by machines that try to connect with the command and control servers, it can tell which companies have been infected. “Not surprisingly, infected machines include a variety of organizations that would use SCADA software and systems, which is clearly the target of the attackers,” the company said in its blog post Thursday.
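The sinkhole triage described in the two paragraphs above (collect connection attempts to the redirected command-and-control addresses, count distinct source IPs, attribute them by country, and remember that NAT hides hosts behind one address) as an added example; this is not Symantec's code, and the log lines, the prefix-to-country map and the scaling factors are constructed for illustration:

```python
"""Sinkhole log triage: distinct infected sources and their country split.

Added example, not Symantec's tooling. SINKHOLE_LOG and COUNTRY_BY_PREFIX are
constructed sample data; a real deployment would feed sinkhole server logs and
a GeoIP database instead.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed sinkhole log: timestamp, source IP, destination. One malformed
# line is included so the parser's error handling is exercised.
SINKHOLE_LOG = """\
2010-07-20T01:02:03Z 203.0.113.10 -> sinkhole.example.invalid:80
2010-07-20T01:02:04Z 203.0.113.10 -> sinkhole.example.invalid:80
2010-07-20T05:10:00Z 198.51.100.7 -> sinkhole.example.invalid:80
2010-07-21T09:00:00Z 203.0.113.10 -> sinkhole.example.invalid:80
2010-07-21T11:30:00Z 192.0.2.45 -> sinkhole.example.invalid:80
2010-07-22T13:00:00Z 192.0.2.46 -> sinkhole.example.invalid:80
2010-07-22T14:00:00Z 198.51.100.7 -> sinkhole.example.invalid:80
garbage line that should be skipped
"""

# Constructed country attribution (documentation prefixes, arbitrary codes).
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "ID",
    ipaddress.ip_network("192.0.2.0/24"): "IN",
}

# date, then the source address before the "->" marker
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+->")


def parse_connections(log_text):
    """Yield (date, ip_address) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        yield m.group(1), ip


def distinct_sources(log_text):
    """Count distinct source IPs overall and per day.

    Repeated beacons from one host collapse to one IP, and several hosts
    behind one NAT gateway also collapse to one IP, so the result is a lower
    bound on infected machines, not an exact count.
    """
    per_day = defaultdict(set)
    for day, ip in parse_connections(log_text):
        per_day[day].add(ip)
    overall = set().union(*per_day.values()) if per_day else set()
    return len(overall), {d: len(s) for d, s in sorted(per_day.items())}


def country_share(log_text):
    """Percentage of distinct source IPs attributed to each country code."""
    ips = {ip for _, ip in parse_connections(log_text)}
    counts = Counter()
    for ip in ips:
        cc = next((c for net, c in COUNTRY_BY_PREFIX.items() if ip in net), "??")
        counts[cc] += 1
    total = sum(counts.values())
    return {cc: round(100 * n / total, 1) for cc, n in counts.items()} if total else {}


def estimate_hosts(distinct_ips, low_factor=1.07, high_factor=1.43):
    """Scale a distinct-IP count into a host-count range to allow for NAT.

    The default factors are an assumption chosen so that 14,000 IPs map to
    roughly the 15,000 to 20,000 range quoted in the article; calibrate them
    from your own environment before relying on them.
    """
    return round(distinct_ips * low_factor), round(distinct_ips * high_factor)


if __name__ == "__main__":
    total, per_day = distinct_sources(SINKHOLE_LOG)
    print("distinct IPs:", total, "per day:", per_day)
    print("country share (%):", country_share(SINKHOLE_LOG))
    print("host estimate for 14,000 IPs:", estimate_hosts(14000))
```

Two points are worth carrying over to real data: deduplicate on the source address per observation window rather than per connection, since an infected host beacons repeatedly, and treat the per-country percentages as shares of addresses, not of machines, because the NAT undercount is not uniform across networks.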

Stuxnet spreads via USB devices. When an infected USB stick is viewed on a Windows machine, the code looks for a Siemens system and copies itself to any other USB devices it can find.

A temporary workaround for the Windows bug that allows Stuxnet to spread can be found here.

Source


Jul 19 2010

SCADA System’s Hard-Coded Password Circulated Online for Years

A sophisticated new piece of malware that targets command-and-control software installed in critical infrastructures uses a known default password that the software maker hard-coded into its system. The password has been available online since at least 2008, when it was posted to product forums in Germany and Russia.

The password protects the database used in Siemens’ Simatic WinCC SCADA system, which runs on Windows operating systems. SCADA, short for “supervisory control and data acquisition,” systems are programs installed in utilities and manufacturing facilities to manage the operations. SCADA has been the focus of much controversy lately for being potentially vulnerable to remote attack by malicious outsiders who might want to seize control of utilities for purposes of sabotage, espionage or extortion.

“Default passwords are and have been a major vulnerability for many years,” said Steve Bellovin, a computer scientist at Columbia University who specializes in security issues. “It’s irresponsible to put them in, in the first place, let alone in a system that doesn’t work if you change it. If that’s the way the Siemens system works, they were negligent.”

Siemens did not respond to a request for comment.

Coding a password into software all but ensures that interested third-parties can retrieve it by analyzing the code, though software-makers can employ obfuscation techniques to make this more difficult.

It’s not known how long the WinCC database password has been circulating privately among computer intruders, but it was published online in 2008 at a Siemens technical forum, where a Siemens moderator appears to have deleted it shortly thereafter. The same anonymous user, “Cyber,” also posted the password to a Russian-language Siemens forum at the same time, where it has remained online for two years.

The password appears to be used by the WinCC software to connect to its MS-SQL back-end database. According to some of the forum posts, changing the password causes the system to stop working.

Last week, a security expert in Germany named Frank Boldewin found the password in a new and sophisticated piece of malware designed to spread through USB thumb drives to attack the Siemens system. The malware exploits a previously unknown vulnerability in all versions of Windows in the part of the operating system that handles shortcut files — files ending with a .lnk extension. The code launches itself when a file-manager program, such as Windows Explorer, is used to view the contents of the USB stick.

News of the malware was first reported last week by security blogger Brian Krebs who said that a security firm in Belarus named VirusBlokAda had discovered it in June.

Boldewin’s analysis showed that once the malware is launched, it searches the computer for the presence of the Simatic WinCC software and then applies the hard-coded password, 2WSXcder, to access the control system’s database.
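The three preceding paragraphs describe the defender's problem: a database password embedded in the product, published on forums, and now carried by malware, in a system that reportedly stops working if the password is changed. A first step is knowing where such credentials live in your own configuration. The audit below is an added example, not Siemens' or Boldewin's code; it scans connection strings for password literals and flags any that match a list of known defaults. The configuration lines, the user names and every list entry except the WinCC password named in the article are constructed:

```python
"""Audit connection strings for embedded and known-default database passwords.

Added example, not vendor code. SAMPLE_CONFIG is constructed; KNOWN_DEFAULTS
holds the WinCC password named in the article plus a constructed placeholder
standing in for further entries you would maintain yourself.
"""
import re

# Passwords to treat as publicly known. Value -> description.
KNOWN_DEFAULTS = {
    "2WSXcder": "Siemens Simatic WinCC MS-SQL password, published on forums in 2008",
    "placeholder-vendor-default": "constructed placeholder entry",
}

# Constructed sample of a plant's HMI and historian connection settings.
SAMPLE_CONFIG = """\
# constructed sample of database connection settings
db.primary=Server=hmi-db;Database=plant;User Id=hmi_user;Password=2WSXcder;
db.historian=Server=hist-db;Database=hist;User Id=svc_hist;Pwd=${HIST_DB_PASSWORD};
db.report=Server=rep-db;Database=reports;Trusted_Connection=yes;
db.legacy=Server=old-db;Database=legacy;User Id=sa;Password=constructed-literal;
"""

# "Password=" or "Pwd=" up to the next ';' (connection-string key/value syntax)
CONN_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]*)")

SEVERITY_KNOWN = "HIGH"
SEVERITY_LITERAL = "MEDIUM"


def _is_reference(value):
    """True if the value is an environment or vault reference, not a literal."""
    return value.startswith("${") or value.startswith("%")


def find_credentials(text):
    """Return [(line_no, severity, message)] for each embedded password.

    Known defaults are HIGH: anyone can look them up. Other literals are
    MEDIUM: they are recoverable from the file and cannot be rotated without
    a redeploy. References such as ${VAR} are not reported.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CONN_RE.finditer(line):
            value = m.group(2).strip()
            if not value or _is_reference(value):
                continue
            if value in KNOWN_DEFAULTS:
                findings.append((n, SEVERITY_KNOWN,
                                 "known default password: " + KNOWN_DEFAULTS[value]))
            else:
                findings.append((n, SEVERITY_LITERAL,
                                 "password literal embedded in connection string"))
    return findings


def has_known_default(text):
    """True if any connection string in text uses a publicly known default."""
    return any(sev == SEVERITY_KNOWN for _, sev, _ in find_credentials(text))


if __name__ == "__main__":
    for line_no, severity, message in find_credentials(SAMPLE_CONFIG):
        print(f"line {line_no}: {severity}: {message}")
```

The audit reports and does not rotate anything: as the forum posts quoted above warn, changing a vendor-embedded password can stop the product working, so a HIGH finding is an input to a conversation with the vendor and to compensating controls (network segmentation of the database host, restricted SQL logins, monitoring of connections using that account) rather than an automatic fix. Connection strings that use integrated authentication, like the `Trusted_Connection=yes` line in the sample, carry no password literal and are not flagged.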

Siemens indicated in a statement to reporters last week that it learned of the malware on July 14 and had assembled a team of experts to evaluate the problem. The company said it had also alerted customers to the potential risk of being infected by the virus. The statement made no mention of the hard coded password.

Hard-coded passwords aren’t a problem just for Siemens.

“Well over 50 percent of the control system suppliers” hard-code passwords into their software or firmware, says Joe Weiss, author of the book Protecting Industrial Control Systems from Electronic Threats. “These systems were designed so they could be used efficiently and safely. Security was simply not one of the design issues.”

The emergence of malware targeting a SCADA system is a new and potentially ominous development for critical infrastructure protection. But for the average user, the Windows vulnerability the code uses to infect its targets is of much greater immediate concern.

Microsoft issued a workaround to address the Windows vulnerability that the malware exploits, suggesting that users modify their Windows registry to disable the WebClient service as well as the display of shortcut icons. Security experts have criticized the company for these suggestions, noting that they are not easy to do in some environments and that disabling the WebClient service would break other services.

In the meantime, a security researcher has published a working exploit for the Windows hole, making it more likely that someone will try to conduct such an attack.

The SANS Institute, which trains security professionals, indicated that it believed “wide-scale exploitation is only a matter of time.”

“The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch,” wrote Lenny Zeltser at the SANS Internet Storm Center blog. “Furthermore, anti-virus tools’ ability to detect generic versions of the exploit have not been very effective so far.”

Source


Apr 14 2010

Is the SCADA Infrastructure Secure?

Governors and others frequently bemoan the lack of investment being made in crumbling infrastructure. Bridges, tunnels and the rest of the brick and mortar that enables our lives are in disrepair, and we’re told things are getting worse. Shrinking budgets ensure that repairs will continue to fall behind. Pundits also say the electric grid is old and not capable of meeting 21st century needs.

I recently met with a control engineer who works for a large metropolitan water company. He’s concerned about another kind of infrastructure: the digital one that monitors and controls factories and other large plants (including water plants, of course). These ubiquitous SCADA systems (supervisory control and data acquisition) often handle extremely high power actuators, like multi-thousand horsepower motors.

Industrial automation equipment often runs for decades or longer. Years ago, when working on a system in a steel mill, I came across a huge motor stamped with a manufacturing date of 1899. It was still in service. The electronics, too, often runs for decades.

That’s a testament to great engineering and manufacturing, and is also potentially a great hazard. These systems were largely designed before security became an important issue. Many have been almost haphazardly connected to the Internet in the intervening years, when management sees the ‘net as an easy way to monitor remotely and save money.

I have been told (by the NSA) that a Tylenol factory has been hacked. In 2003 a worm shut down all safety monitoring on an Ohio nuke plant for five hours. Vancouver’s traffic lights have been compromised. A 14-year-old turned the Polish city of Lodz’s trams into his own giant train set, derailing four cars and injuring at least a dozen people. There are many more instances.

Then there’s the famous Aurora experiment: in 2007 researchers from the Department of Energy hacked into a replica of a power plant and seriously damaged a generator. I’m told the hack was trivial. And that a lot of plants remain vulnerable.

Now wireless is infiltrating the infrastructure. There are plenty of good reasons to use RF instead of fiber or copper. But how secure are these transmission media? How many of us – the embedded engineers designing these systems – are security experts? Are we letting unintended vulnerabilities sneak into the code?

Some in the SCADA community are gathering in Chicago on May 14th and 15th to brainstorm about these issues at a special meeting. I plan to show up. The organizers are hoping for other embedded folks to show up. If infrastructure security concerns you, consider attending.

Source