Stuxnet May Represent New Trend In Malware

Trailrunner7 writes "As more information continues to come out about the Stuxnet worm and the vulnerabilities that it exploits, it's becoming increasingly clear that this kind of attack may be a preview of the attacks that are likely to become commonplace in the months and years ahead. The most interesting aspect of all of this is the fact that the attackers behind Stuxnet clearly knew about the vulnerability in the Siemens WinCC system before the malware was written. That implies the malware authors had some advance intelligence about the configuration of the Siemens software and knew exactly where there was a weakness."

More common?

[Spad]

Given that we have absolutely *no* idea how many similar attacks have been conducted in the past against really "niche" applications like this without being detected, I think it's a little naíve to assume that this is the start of a new trend.

We find out about most malware because it's so widely targeted and so many people are affected by it, but when you're targeting your malware at a handful of companies and probably directly delivering it via email or physically ("dropped" USB stick in the parking lot) with the aim of keeping it undetectable for as long as possible, it makes it much more difficult for the targets and security researchers to even know it exists.

Re:Uh - what?

[v1]

I see the article boiling down to a different point -- should vendors be held liable for exploitation of a bug that was brought to them some time ago? Article says they knew about a hardcoded pw two years ago and sat on their thumbs, and then it questions whether this is negligence. There is no question. That is negligence, they will be sued, and they will lose.

Since we keep seeing things like this come up over and over, it seems reasonable to assume that companies like this simple consider things a "calculated risk", and determine the chance of being caught x the cost of being caught is less than the cost of fixing it, and so they do nothing.

The only way to fix this is to increase the average cost so that it becomes greater than the cost of fixing it. To accomplish this, customers should be able to sue vendors that have been informed of critical security flaws in their software that have not fixed it in a timely manner, and there should be specific laws on the books for fines to be levied on companies that manage to not get sued until their refusal to fix their bug is being exploited and harming their customers, to make the resulting legal actions much more expensive than simple lawsuits from individuals. (why aren't these things considered "class action"?)

SCADA frustrations

[brxndxn]

My career is in industrial automation - and I am an IT guy who 'gets' both sides of things. There are not a lot of people like me and I constantly face an uphill battle when I try to explain computer security to people or try to explain why certain things are much more complicated than they believe. For example, you have an industrial network that is completely unnattached from the corporate network that is used for automating an exothermic chemical process on a large scale where you cannot just 'hit e-stops' and safely shut down the process. If you lose 'visibility' on the process at any time, there is potential for an explosion or chemical release. They think they're immune to viruses and they do not run virus-scanning software (imo, usually a good thing in an industrial network) so they do not even bother to completely lock down the computers. We're talking Windows boxes where everyone knows the admin password. After a virus or two, they usually pay me to lock everything down and put the operators on limited profiles. Then, the white-collar management wants to be able to connect into everything to see what is going on. Suffice it to say.. it's a damn headache. IT doesn't get it and the plant managers don't get it.. And usually one wins out over the others. If IT wins, expect a plant to randomly shut down because they push an incompatible Windows patch. If the plant wins, expect a laughably insecure network where an operator charging his cell phone can take the whole network offline.

Basically, if you ask an IT guy 'What is security?' it will be a lot different than an industrial plant manager's response. An industrial plant manager will say a SCADA system is most secure if the people on site always have control over the plant. If a man has his hand caught in a machine, should another person at the plant have to login to a terminal to turn the machine off?

I'm frustrated by this virus, though, because from what I've seen, there has been NO utilities released to detect if you have it. I have seen abnormal activity on multiple HMI computers and the people in charge of maintaining them plug their thumb drives in randomly thinking as long as their laptop doesn't detect a virus on it, they're safe. At least conficker was obvious to detect on a thumb drive or running computer.

If there is a utility, can someone link to it for me?

Re:SCADA frustrations

Full Ack.

I have worked for a well-known company who builds large plants for various industries (including food processing). The SCADA systems they set up were a real nightmare. Most plant-controlling computers were directly connected to the internet (no NAT), not even a personal firewall was used. Some had even activated the Windows default shares (C$ and such). The computers were never patched, and the software they used for remote administration transmitted login data unencrypted.

The people who configured and developed/extended the SCADA systems were mostly engineers coming from the machine industry or electrical engineers. They didn't know much about IT, and even less about IT security. I was never in a position to look at the source code (I was working for the internal IT department), but I bet it was full of holes.

Sometimes we had to fix software problems for customers, on plants that were installed a long time before I was working at the company. Some of these plants had computers still running on Windows NT 4.0 - because the SCADA system they used didn't work on any newer OS and they didn't want upgrade it (cost). I was amazed that this thing was still running (more or less).

I bet that even a medicore black hat could take most of these plants down within hours - this could be a real threat.
I guess the only reason this hasn't happened very often yet is that it doesn't give the attacker much profit.

-- AC

Re:SCADA frustrations

[tchuladdiass]

I've got a good way to deal with many root kits. What is the one thing that a root kit does well? When you read an infected file, it will give you the "clean" file's contents (by intercepting the OS read system call). So the way to deal with them is simple: You're enemies strength is its weakness.

While the OS is running (with root kit), make a copy of all OS files (c:\WINDOWS, system32, drivers, ...). The root kit will make sure you have clean versions, since that is what it wants you to see. Afterwards, boot off a live Linux CD, then cmp the OS windows directory with the copy you made. Any executable file that is different is likely to be a hiding place for the virus.

Now it is possible for the root kit to still write out infected files when you make copies of them, but this process has worked on the last several infections I've had to clean up. Follow up with a regular virus scan afterwards to catch any registry shenanigans and you should be golden.

Re:SCADA frustrations

[Runaway1956]

"Some of these plants had computers still running on Windows NT 4.0 - because the SCADA system they used didn't work on any newer OS"

Guilty as charged. Yep. A hard drive died recently, and a machine that is worth half a million sits idle because of it. "Don't we have a disk image? I can get this thing running in a few hours, if I can run to the store for a hard drive!" "Disk image? What the hell is THAT?"

Phhht. No backup, in any form. And, this expensive machine sits idle due to the failure of a ~$50 component.

Fortunately, MOST of our equipment runs on Linux, and MOST of our equipment just runs and runs and runs.

Fail

[PPH]

Right click My Computers > Properties > Hardware > Device Manager:

That's Windows you're working with. And if you are using Windows in an industrial environment, you've already screwed up. Forget about the usual /. nonsens of Windows Bad, Linux Good. Actually, you'll need a special RT version of Linux. According to Microsoft licensing terms Windows is NOT suitable for use where life or property loss may result from failure. Game over.