‘Stuxnet’ Trojan Targets Siemens WinCC

20 July 2010

Siemens is alerting its users in the USA that a malware program (Trojan) is targeting the Simatic WinCC and PCS 7. The Trojan is spread by USB memory sticks and takes advantage of Microsoft security vulnerabilities. First noticed on 14 July, the malware affects all Windows computers from XP on up.

Trojan target: WinCC

Apparently, simply viewing the contents of the USB stick can activate the Trojan. Siemens has recommended avoiding the use of USB sticks on all PCs running the WinCC software.

The malicious code has been designated W32/Stuxnet-B, and propagates using USB drives apparently infected with malformed shortcut (.lnk) files. It is activated when the user inserts the USB memory stick and views the contents with Windows Explorer or some application that displays the file icons. While specifically aimed at WinCC it could be used to target any Windows system that accepts removable media. It appears to rely on an undisclosed vulnerability in Windows .lnk file handling.

To bypass built-in Microsoft controls that require drivers to be digitally signed, the code contains the digital signature of Realtek Semiconductor Corp.

Siemens announced the following on its web site:

"Siemens is taking all precautions to alert its customers to the potential risks of this virus. We have reached out to our sales team and will also speak directly to our customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations.

"There are already three virus scan programs recommended for Siemens systems from Trend Micro, McAfee and Symantec, the latest versions of which can detect the Trojan. The effect of deploying these programs on the Runtime environment is currently being analyzed and an approval will be issued shortly."

Byres Security comments

Canadian security expert Eric Byres, of Byres Security Inc., put together a team over the weekend of 17 and 18 July to study the problem.

He says that at the same time his team became aware of Stuxnet, "I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line."

Mr. Byres listed the following information he had determined about the malware:

1. This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.

2. There are no patches available from Microsoft at this time (for workarounds see below).

3. This malware is in the wild and probably has been for the past month.

4. The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.

5. The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.

6. Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.

7. The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
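Point 7 describes the malware authenticating to the WinCC/PCS7 database with the WinCCConnect account. A defender can watch for that account being used from machines that are not the known WinCC stations. The following PowerShell is an added example for this article, not code from Siemens or Byres Security; it assumes login auditing is enabled on the SQL Server instance so that successful logins are written to the ERRORLOG, and the allow-list of hosts and the log lines are constructed for the demonstration.

```powershell
# Added example (not from the article): flag WinCCConnect logins from unexpected hosts.
# Assumption: SQL Server login auditing is on, so "Login succeeded" lines reach the ERRORLOG.

# Constructed allow-list: the engineering/HMI stations that legitimately use the account.
$KnownWinCCHosts = @('10.10.1.20', '10.10.1.21')

# Constructed sample lines in the SQL Server ERRORLOG layout (timestamp, source, message).
$SampleLog = @'
2010-07-15 08:02:11.45 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.20]
2010-07-15 08:02:13.10 spid52      Starting up database 'tempdb'.
2010-07-15 08:15:40.02 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.21]
2010-07-15 09:41:07.88 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.7.133]
2010-07-15 09:41:09.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.133]
'@

function Find-SuspiciousWinCCLogins {
    param(
        [string[]]$Lines,
        [string[]]$AllowedHosts,
        [string]$Account = 'WinCCConnect'
    )
    # Capture timestamp, login name and client address from successful-login lines only.
    $pattern = "^(?<ts>\S+ \S+)\s+Logon\s+Login succeeded for user '(?<user>[^']+)'.*\[CLIENT: (?<client>[^\]]+)\]"
    foreach ($line in $Lines) {
        if ($line -match $pattern -and
            $Matches.user -eq $Account -and
            $AllowedHosts -notcontains $Matches.client) {
            # Emit one object per hit so the output can be piped to Export-Csv or a SIEM forwarder.
            [pscustomobject]@{
                Time    = $Matches.ts
                Account = $Matches.user
                Client  = $Matches.client
                Line    = $line
            }
        }
    }
}

# On a real host read the log with Get-Content instead of using $SampleLog.
Find-SuspiciousWinCCLogins -Lines ($SampleLog -split "`r?`n") -AllowedHosts $KnownWinCCHosts |
    Format-Table Time, Account, Client -AutoSize
```

With the constructed input only the 09:41:07 login from 10.10.7.133 is reported; the two logins from the allow-listed stations and the unrelated failed 'sa' login are ignored. The rule is only as good as the allow-list, so it should be maintained from the plant's asset inventory rather than guessed.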

He says the only known workarounds at this time are:

1. Do NOT install any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not;

2. Disable the displaying of icons for shortcuts (this involves editing the registry);

3. Disable the WebClient service.
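Workarounds 2 and 3 are host configuration changes that an administrator would want to apply consistently and be able to revert once a vendor patch ships. The PowerShell below is an added example for this article, not a Siemens, Microsoft or Byres Security script. It assumes an elevated session on the affected Windows host and that the shell extension Explorer uses to draw shortcut icons is registered under HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler; the backup file location is the example's own choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): apply workarounds 2 and 3 with a backup for rollback.
# Assumption: the .lnk icon handler is registered at HKCR\lnkfile\shellex\IconHandler.

$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path $env:ProgramData 'lnk-iconhandler-default.bak'   # example path

function Disable-ShortcutIconHandler {
    # Save the current (Default) value, a CLSID, before blanking it.
    $current = (Get-Item -Path $IconHandlerKey).GetValue('')
    if ($current -and -not (Test-Path $BackupFile)) {
        Set-Content -Path $BackupFile -Value $current
    }
    # With an empty (Default) value Explorer no longer loads the shell extension that
    # renders shortcut icons. Users must log off and on (or Explorer must restart) for
    # the change to take effect.
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
}

function Restore-ShortcutIconHandler {
    # Put the saved CLSID back once the vendor patch has been installed.
    if (Test-Path $BackupFile) {
        $saved = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
        Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value $saved
        Remove-Item -Path $BackupFile
    }
}

function Disable-WebClientService {
    # WebClient is the WebDAV redirector service; workaround 3 stops it and prevents restart.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
}

function Test-Workarounds {
    # One object per host so results can be gathered fleet-wide, e.g. via Invoke-Command.
    $handler = (Get-Item -Path $IconHandlerKey -ErrorAction SilentlyContinue).GetValue('')
    $svc     = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $wmi     = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IconHandlerCleared = [string]::IsNullOrEmpty($handler)
        WebClientStopped   = ($null -eq $svc) -or ($svc.Status -eq 'Stopped')
        WebClientDisabled  = ($null -eq $wmi) -or ($wmi.StartMode -eq 'Disabled')
    }
}

Disable-ShortcutIconHandler
Disable-WebClientService
Test-Workarounds | Format-List
```

Test-Workarounds gives a yes/no per host for both settings, which is what an auditor needs when confirming that every WinCC station has been covered; Restore-ShortcutIconHandler is kept alongside so the interim registry change is not forgotten after patching. Neither function addresses workaround 1, which is a physical-media policy rather than a host setting.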

Mr. Byres says his team has prepared a white paper on the malware called "Analysis of Siemens WinCC/PCS7 Malware Attacks" and has placed it in a secure area of his web site. He says interested people can download the paper, but they must register and receive approval before doing so. Mr. Byres says he does not want the material "propagated to individuals that do not need to know and might not have our industries’ best interests at heart."
