Havex from an OPC Perspective

Wednesday, July 23, 2014 @ 06:07 PM gHale

By Thomas Burke
OPC has been a target of the Havex malware and it is time the OPC Foundation took a look what this means for the industry.

First off, this remote access Trojan goes out and communicates with a command and control server. This command and control server communicates identification and enumerates connected network resources and uses the OPC Classic Enumeration Server (opcenum).

Havex an ICS Game Changing Threat
Havex Varient Brings Attack via OPC
Malware Analysis from ICS-CERT
Energy Sector Alert: Dragonfly Attack
Update to ICS Malware Alert
Feds: Malware Focusing on ICS

There is some good news here and that is OPC Unified Architecture (UA) does not fall victim to this virus. In addition, if a company has a solid security plan that remains vigilant, there is protection against this exploit through good defense in depth policies that prevent malware from getting installed on systems.

From an overall architecture and design perspective, the functionality of this virus is by design the OPC mechanism that provides the services of enumeration and discovery. In short, the malware is a rogue OPC client that looks for what is out there on a user’s network. It is using OPC enumeration and can get a list of all the servers on a user’s network. The function of the malware is it can actually only browse the tags the user is viewing on a read only basis. In this case, there is no real threat.

The problem is while this malware is acting as a OPC application, it is doing this search and reconnaissance mission in secrecy.

OPC is based on a client /server architecture. An OPC classic server provides a rich set of functionality for communicating to underlying data sources inclusive of devices or applications. An OPC Client uses enumeration services to identify the OPC servers in a network environment. Once that happens, the client could connect and get data/information via the rich set of OPC classic data access services. So in a nutshell, the malware is taking advantage of exactly what OPC is designed to do: Provide connectivity between computers for industrial applications.

The OPC enumeration service known as opcenum, is the service open to anyone and provides a convenient way for clients to discover the set of OPC servers in a network environment available to provide the data the client needs. Furthermore, once you connect to an OPC server, the OPC client is able to discover through the browse services the set of devices the OPC server connects to, including the data available that you can read and write from a client perspective.

The exploit is specifically using OPC just it was designed to do.

Protection against this exploit needs to come from policies that prevent malware from getting installed on systems. The standard set of things that people should start looking at is how to disable USB devices/drives in an industrial environment as well as restricting access to inappropriate web sites.

There really is not much that can be done once the malware has been installed, and is enumerating and discovering the OPC servers. The best thing to do once malware has been installed (assuming you didn’t have the tools in place to stop it from being installed to begin with), is to uninstall the malware via the malware security identification and anti-virus protection tools.

The classic OPC architecture builds on the security provided in the Microsoft operating system, and specifically the DCOM technology. If DCOM security is on, the only thing you can get to with the Havex malware is the list of OPC servers. If DCOM security is off, then it will be able to connect up to the OPC server, then the attacker will be able to browse all of the OPC tags in the address space of the OPC server.

The real protection against this malware is to stop the virus from getting installed in the first place. Good practices are to disable or remove USB ports, and to restrict who is allowed to install applications.

The complication is once the malware is on the system it is essentially impersonating an OPC client who is then running in a valid user account that gets full access to the underlying OPC servers.

Again, the components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.

The bottom line is good, solid security practices can keep malware like Havex out of your system, even the type that has been created to impersonate an OPC client application.
Thomas Burke is the president and executive director of the OPC Foundation.

Leave a Reply

You must be logged in to post a comment.