Posted by: Harold Ennulat | July 29, 2010

HMI Virus Attack

A Siemens WinCC HMI (Human Machine Interface = computer running the operator controls for a machine) was recently “attacked” by what appears to be a new computer virus.  I don’t believe anyone thinks these attacks are limited to Siemens, though this particular one appears to specifically target WinCC and Siemens databases.  This is causing concern about “industrial espionage”. 

This is one of those things we don’t want to have to worry about.  However to best serve our clients and customers we need to be aware of new issues, such as this one, as they come up. 

I was impressed by how open Siemens has been about this and how quickly they have acted to address it in a very concerted way.  All HMI companies should be this open and responsive.  Exposing issues like this can only help get them addressed and remediated as they come up. 

What follows are some links with summary excerpts about this topic that provide additional details about this “new” virus. 

_________________________________________________________________ 

From Chris Merritt with Lumension at http://blog.lumension.com/?p=3214

An excerpt from this article follows: 

News about a new attack via USB flash drive, known as Stuxnet.B, is surfacing. The Belarusian antivirus company VirusBlokAda recently discovered it and published a report on it. There are several points about this attack which make it both novel and unique, even though infection / propagation via USB flash drives is very common. To wit: 

  • Outwits Autorun – the malware exploits a previously unknown vulnerability with Windows link shortcut files (.lnk), thus circumventing Windows Autorun or Autoplay. This means that our usual fall-back advice of turning Autorun off does not help in this case.
  • Credentialed – it uses rootkit functionality to hide two drivers (“mrxnet.sys” and “mrxcls.sys”) which load without being detected because they are signed by RealTek Semiconductors, a legitimate chip manufacturer. This suggests a fairly sophisticated malware writer / organization.
  • Focused – according to Frank Boldewin at Reconstructor.org, this malware uses a default password to extract some data from the Siemens SCADA WinCC + S7 control system database, indicating the Trojan may be meant for industrial espionage.

[If you’re interested in more details, I can recommend this piece by the always reliable Brian Krebs or this post by Chester Wisniewski at Sophos. If you need to geek out on it, read this thread at Wilder Security.] 

So, we have the makings of a real potboiler – a Windows zero-day vulnerability that even impacts Win7, a cleverly disguised piece of malware, and a seemingly targeted attack. Zowie! 

_________________________________________________________________ 

From Gary Mintchell’s Feed Forward blog at http://www.garymintchellsfeedforward.com/feed-forward/2010/7/20/siemens-security-update-some-good-news.html 

An excerpt from this article follows: 

The following solutions are being developed: 

  • Microsoft will be offering an update (patch) that will close the security breach at the USB interface.
  • Suppliers of virus scanning programs have prepared up-to-date virus signatures that are currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
  • Siemens is also developing a software tool that customers can use to check a Windows PC and determine if it has been infected by the virus. The tool will be distributed via the Siemens Advisory: English; German.
  • Siemens will also be providing a Simatic Security Update with all the necessary functions.

_________________________________________________________________ 

From Siemens:  http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view 

Siemens includes specific recommendations for their WinCC product. 

_________________________________________________________________ 

My thanks to Doug Brock and Derek Bolton for posting and commenting in LinkedIn’s Industrial Automation and Controls Network group. 

Thanks also go to Francis Lovering for the following update about the Microsoft patch:

_________________________________________________________________ 

About the Microsoft patch:  an emergency patch was issued Monday Aug 2nd:  http://www.theregister.co.uk/2010/08/02/emergency_microsoft_update/

The article mentions that this vulnerability has now “been used to install general-purpose malware from Zeus and other do-it-yourself crimeware kits used to siphon credit card numbers and other sensitive data from compromised computers.”  Most users, with automatic updates turned on, should now already have this patch installed.  WinCC and other HMI users will likely need to update manually.

_________________________________________________________________ 

Update: October 18, 2010

There is still concern about this virus.  It has now been reported that a similar (if not identical) virus called W32.Stuxnet is targeting Siemens S7 based PLC systems from PCs on the network.  Symantec blogger Nicolas Falliere has posted an article titled “Exploring Stuxnet’s PLC Infection Process”, which describes how this virus operates on Siemens S7 PLCs in rather precise detail.  For additional detail on how this virus spreads and the risk Symantec has assigned the virus see: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99.

It is this author’s belief that this is in fact the same virus reported in this article and that a properly patched PC will be protected.  The issue for control environments is that Windows updates do not necessarily run automatically in industrial environments, precisely because of security and availability concerns.
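Since HMI PCs often do not receive updates automatically, a plant engineer needs a quick way to check a given Windows PC for the two things this article describes: the Microsoft .lnk patch being installed, and the two driver files named in the Lumension excerpt (“mrxnet.sys” and “mrxcls.sys”) being present. The script below is an added example written for this article, not a Siemens or Microsoft tool. It assumes it is run from an elevated PowerShell prompt on the HMI PC, and the KB number of the August 2nd patch is a placeholder (`KBNNNNNNN`) that must be filled in from the Microsoft bulletin, since this article does not give it.

```powershell
# Added example (not from the post or from Siemens): host check for the
# indicators this article quotes. Run from an elevated PowerShell prompt.
param(
    # Placeholder: the KB id of Microsoft's August 2nd .lnk patch, taken from
    # the Microsoft bulletin; this article does not state the number.
    [string]$LnkPatchKb = 'KBNNNNNNN'
)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
# Driver file names quoted in the Lumension excerpt above
$suspectDrivers = @('mrxnet.sys', 'mrxcls.sys')

$findings = @()

foreach ($name in $suspectDrivers) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        # File is present: record who signed it. The excerpt says the drivers
        # carry a legitimate Realtek signature, so a "Valid" status is not
        # reassuring on its own; the file's presence is the finding.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $findings += "SUSPECT driver present: $path (signature: $($sig.Status); signer: $signer)"
    }
}

# Kernel drivers load through a service entry under HKLM\SYSTEM; a service
# named after either driver counts as an indicator even if the file is hidden.
foreach ($name in $suspectDrivers) {
    $svcName = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    if (Test-Path -LiteralPath $svcKey) {
        $findings += "SUSPECT service key present: $svcKey"
    }
}

# Patch check: Get-HotFix lists installed updates (Win32_QuickFixEngineering).
$patch = Get-HotFix -Id $LnkPatchKb -ErrorAction SilentlyContinue
if ($patch) {
    Write-Host "OK: $LnkPatchKb is installed (installed on $($patch.InstalledOn))"
} else {
    $findings += "MISSING patch: $LnkPatchKb not found; the .lnk vulnerability is unpatched on this host"
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators found; host appears clean and patched.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

One caveat worth keeping in mind: the excerpt above says the drivers are hidden by rootkit functionality, so on an infected machine the file checks may come back empty even though the drivers are loaded. Treat a clean result from this script as “nothing visible”, not as proof of a clean PC; the vendor scanner signatures and the Siemens check tool mentioned above remain the authoritative test, and the patch check is the part that is reliable regardless.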

Thanks go to Daniel Machado for posting this on the Automation Engineers Technical Group on LinkedIn.

Updated: October 18, 2010 9:10 pm CST; September 16, 2010 5:05 am CST


Responses

  1. […] of such types of viruses. For background on this virus see this authors earlier blog article at https://hennulat.wordpress.com/2010/07/29/hmi-virus-attack/.  Originally it was only reported to have attacked winCC HMI’s.  Now the same virus has […]
