Six Fall Victim to Malware Attack

Tuesday, August 3, 2010 @ 06:08 PM gHale


There are now six victims of the malware attack worldwide on Siemens’ Simatic WinCC and PCS 7.
In the past week, four more fell victim to the attack; previously, two German end users were able to detect the malware and remove it with no damage to their plants. To date, no production plant has been hit, Siemens officials said.
Of the four new victims, one more was from Germany, two were in Western Europe and one in Eastern Europe, a Siemens spokesperson said.
Siemens released a tool that can detect and remove the virus, and more than 7,000 users have downloaded the virus scanner to date. It is available to download at Siemens. In addition to the downloads, just about 50 end users have contacted the company on the hotline to get general information, said Michael Krampe, director of media relations at Siemens Industry Inc. In addition, there have been over 30,000 page views to date on the Siemens site.
The company is continuing its investigation into the origination of the virus, Krampe said.
It seems the software/malware had code that could detect Siemens WinCC and PCS 7 programs and their data, Krampe said.
Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface, Krampe said.
Normally every plant operator ensures, as part of the security concept, that unrestricted access to critical SCADA system data via a USB interface is not possible, Krampe said. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
Siemens recommends the following for detecting and removing the Trojan “Stuxnet”:
Determine whether your Microsoft Windows computer is infected by the virus:
• Use the Sysclean virus scan tool you can download from the Siemens web site or the anti-virus programs approved by Siemens from TrendMicro, McAfee or Symantec with the patterns from July 25, 2010.
• Deactivate the virus scanner function “Automatically Clean Infected Files.”
• WinCC projects archived as ZIP files without a password may be renamed by virus scanners, which could impede later use, or “Sysclean” may erase the ZIP file if a virus has been detected.
If your computer is infected, ensure that you inform your Siemens customer support contact.
Immediately stop using an infected computer with administrator rights in a production plant. Create a power user and remove the computer from the network.
Together with the Siemens customer support, check the next steps for your computer installation and/or plant:
• Clean the computer with Sysclean with the “Automatically Clean Infected Files” function activated.
• Install the Siemens Security Update from the web site.
• Reboot the computer.
• Log in as the main user.
• Carry out another virus scan with your installed virus scanner and leave the virus scanner to run continuously.
• Restore the computer back to the network.
Siemens’ recommendations still apply:
• Do not use any USB sticks or any other mobile data carriers.
• Always check your security concepts: Deactivate/uninstall services that are no longer required, especially the connections to the Internet.
• Do not set up any online connection with automation devices from an infected engineering computer even after the malware has been removed. We will be informing you what to do with the engineering computer in such circumstances after further tests.
Microsoft has offered a security patch that prevents the Trojan from installing automatically on the system. If a user with admin rights opens an infected LNK file by mouse click, the computer will be infected if no virus scanner has been installed. To avoid such an infection, it is strongly recommended that users work only with power user rights. Power users don’t have the necessary rights to start code from another drive. Using a current virus scanner provides additional security.
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs to analyze the consequences and the exact mode of operation of the virus.
The Stuxnet Trojan, which spreads via USB sticks and exploits a Microsoft security flaw, can affect Windows computers from XP upward.
Siemens established through its own tests that the software is capable of sending process and production data via the Internet connection it tries to establish. However, tests revealed this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
Three virus scan programs from Trend Micro, McAfee and Symantec can detect the Trojan.
The objective of the malware appears to be industrial espionage in an effort to steal intellectual property from SCADA and process control systems, said Eric Byres, chief technology officer at Byres Security. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
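A defensive check that follows from the point above, as an added example that is not part of the original article or of any Siemens tooling: it flags logins by the WinCCConnect account that come from clients outside an expected set. The log lines are constructed samples in the layout of SQL Server login-audit messages, and the allowlisted addresses are hypothetical.

```python
import re
from collections import Counter

# Assumption: entries use the SQL Server error-log layout for audited logins.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

WATCHED_ACCOUNT = "winccconnect"  # account named in the article, lower-cased
# Hypothetical allowlist: the WinCC/PCS 7 stations expected to use the account.
EXPECTED_CLIENTS = {"<local machine>", "192.168.10.21", "192.168.10.22"}

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2010-08-03 06:01:12.41 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2010-08-03 06:03:40.10 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.21]
2010-08-03 06:17:05.77 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.77]
2010-08-03 06:17:09.02 Logon       Login failed for user 'sa'. [CLIENT: 192.168.10.77]
2010-08-03 06:18:30.55 Logon       Login failed for user 'WinCCConnect'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.0.5]
2010-08-03 06:19:02.13 Logon       Login succeeded for user 'winccconnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.77]
"""


def find_unexpected_logins(log_text, expected=EXPECTED_CLIENTS):
    """Return (timestamp, client, result) for watched-account logins
    whose client is not on the allowlist. Failed attempts are kept too."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m is None or m["user"].lower() != WATCHED_ACCOUNT:
            continue  # not a login record, or a different account
        if m["client"] not in expected:
            findings.append((m["ts"], m["client"], m["result"]))
    return findings


def count_by_client(findings):
    """Group findings per client so repeat sources stand out."""
    return Counter(client for _, client, _ in findings)


if __name__ == "__main__":
    hits = find_unexpected_logins(SAMPLE_LOG)
    for ts, client, result in hits:
        print(f"{ts}  WinCCConnect login {result} from unexpected client {client}")
    print(dict(count_by_client(hits)))
```

Successful logins only appear in the log when the SQL Server instance audits both failed and successful logins; the default setting records failures only.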
Microsoft has issued a security advisory for the vulnerability, which it says affects all versions of the Windows operating system, including Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.


