Welcome to Monday. If you are one of the hardy souls who check this site over the weekend, you know I’ve been following the story of a hack against Siemens WinCC and PCS7 platforms. I would suggest learning about this and taking precautions no matter whose system you use. Noted security expert Eric Byres has sent a statement and is offering a white paper analysis. Here is a recap of his analysis:

Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability.
At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.

Thus, I decided to create this email to let my friends and associates in the process control and SCADA world know what is happening. As best as I can determine, the facts are as follows:

  • This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008  and Windows 7.
  • There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
  • This malware is in the wild and probably has been for the past month.
  • The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
  • The malware is propagated via USB key. It may be also be propagated via network shares from other infected computers.
  • Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
  • The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
  • The only known work arounds  are:
  • NOT installing any USB keys into any  Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
  • Disable the displaying of icons for shortcuts (this involves editing the registry)
  • Disable the WebClient service

My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area.

If you would like to down load the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already www.tofinosecurity.com web members do not need to reregister.

Share This