Windows viruses and rootkits themselves are nothing new. What makes this announcement notable is that it comes from a SCADA product vendor whose system is built on the Windows OS, and that the attacker has targeted weak controls common across that vendor's customers.
InfoWorld uses a provocative article title: New ‘weaponized’ virus targets industrial secrets
After a lot of hype at the start of the article, they finally get down to the facts.
The virus targets Siemens management software called Simatic WinCC, which runs on the Windows operating system.
“Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances,” Krampe said. “We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments.”
In other words, another Windows OS attack has been developed and released. Do not rely on antivirus alone; signature-based detection necessarily lags a new sample. Patch, baseline critical systems (a gold image with a manifest of exactly what belongs on the host) and monitor them for any deviation from that baseline.
The article says this attack spreads via USB because Siemens SCADA systems “are typically not connected to the Internet for security reasons”. That is sometimes the case, but I wager we will find them connected to networks that in turn reach the Internet, with questionable segmentation between the two. I discuss this in my Top Ten Breaches presentations.
Once the USB device is plugged into the PC, the virus scans for a Siemens WinCC system or another USB device, according to Frank Boldewin, a security analyst with German IT service provider GAD, who has studied the code. It copies itself to any USB device it finds, but if it detects the Siemens software, it immediately tries to log in using a default password. Otherwise it does nothing, he said in an email interview.
That technique may work, because SCADA systems are often badly configured, with default passwords unchanged, Boldewin said.
When someone says SCADA systems are often badly configured, we also must ask whether that includes the network and the other aspects of security managed by the utility. Take, for example, another part of the story that, based on a technical description of the virus, points to a misconfigured “whitelist” control in SCADA:
To get around Windows systems that require digital signatures — a common practice in SCADA environments — the virus uses a digital signature assigned to semiconductor maker Realtek.
A whitelist that accepts any binary bearing a valid signature from a trusted publisher, without pinning the specific binaries that belong on the host, is a badly configured security control: once an attacker can reuse a signature the whitelist accepts, the control no longer distinguishes vendor code from malware.
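As an added example (not code from the original post, from InfoWorld or from Siemens), here is a standard-library Python sketch of the "baseline and monitor" advice above and of the point just made about pinning exact files rather than trusting a publisher signature: it builds a manifest of SHA-256 digests from a gold tree, then reports anything added, modified or removed in a later snapshot of the same tree. The directory layout, file names and the simulated compromise in `demo()` are constructed for illustration; none of them are real WinCC paths.

```python
"""Baseline-and-diff integrity check for a critical host (added example).

A manifest of SHA-256 digests is taken from a known-good ("gold") tree and
compared against a later snapshot. Anything added or modified is reported,
whatever publisher name or signature the file claims to carry: the manifest
pins the exact bytes that belong on the host, so a dropped binary with an
acceptable-looking signature still shows up as "added".
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a worm-style drop
    plus a trojanized vendor DLL, and return the diff. Paths are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"legitimate application bytes")
        (root / "bin" / "vendor.dll").write_bytes(b"vendor dll, release build")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        baseline = build_manifest(root)  # in practice: store this off-host

        # Simulated compromise: a new driver that carries a vendor's signature
        # (which a publisher-based whitelist would accept) and a replaced DLL.
        (root / "bin" / "dropped.sys").write_bytes(b"malware with a borrowed signature")
        (root / "bin" / "vendor.dll").write_bytes(b"vendor dll, trojanized")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is generated from the gold image, stored off the host, and compared on a schedule or from read-only media; it complements, rather than replaces, signature verification, because it flags a binary that carries an acceptable signature but was never part of the image.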
At the end of the day, this is an odd exploit story. Someone clearly made a strange decision to connect what could have been a very valuable zero-day attack with the lowly self-replication of a worm. That makes it seem like it was designed to make noise and force a reaction more than to pinpoint and quietly exploit a specific target for ill-gotten gains.
Security company Sophos told ZDNet UK on Friday that it was aware of instances of the malware spreading in India, Iran and Indonesia.