Siemens Releases Virus Tool

Thursday, July 22, 2010 @ 11:07 AM gHale


By Gregory Hale
Siemens just released a tool that can detect and remove the virus affecting some of its products.
It’s available for download at:
http://support.automation.siemens.com/WW/view/en/43876783
To date, there is only one known case of infection in the malware attack on Siemens’ Simatic WinCC and PCS 7, and the company is trying to find out whether the virus caused any damage, a Siemens spokesman said Tuesday.
Siemens is continuing to ramp up its investigation into why and how this attack targeted only the Siemens products.
It seems the software/malware was coded to detect Siemens WinCC and PCS7 programs and their data, said Michael Krampe, director of media relations at Siemens Industry Inc. The company is also investigating who or what was behind the attack, he said.
To date, Krampe said, based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface.
Normally every plant operator ensures, as part of the security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible, Krampe said. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately assembled a team of experts to evaluate the situation and worked with Microsoft and the distributors of virus scan programs to analyze the consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and uses a Microsoft security breach, can affect Windows computers from XP upward.
Siemens has now established through its own tests that the software is capable of sending process and production data via the Internet connection it tries to establish. However, tests have revealed this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
Currently, there is only one known case of infection, in Germany, and it did not result in any damage. Siemens officials said they do not have any indication that WinCC users in other countries have been affected.
Three virus scan programs from Trend Micro, McAfee and Symantec can detect the Trojan.
Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface.
Normally every plant operator ensures, as part of his security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
The following solutions are under development:
• Microsoft will offer an update (patch) that will close the security breach at the USB interface.
• Suppliers of virus scanning programs have prepared up-to-date virus signatures currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
Siemens will also be providing a Simatic Security Update with all the necessary functions.
Siemens is saying users should not use any USB sticks and should install updates as soon as they become available.
The objective of the malware appears to be industrial espionage in an effort to steal intellectual property from SCADA and process control systems, said Eric Byres, chief technology officer at Byres Security. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
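As a defensive illustration of the point about the WinCCConnect account, the following added example (not from the article, Siemens or Byres Security) scans SQL Server error-log login audit lines for use of that account from unexpected clients. It assumes login auditing is enabled on the WinCC database server; the log lines, addresses and the allowlist of expected clients are constructed.

```python
import re

# Assumption: SQL Server login auditing is enabled, so the error log carries
# "Login succeeded/failed for user '...' ... [CLIENT: ...]" lines.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

WATCHED_ACCOUNT = "winccconnect"  # account named in the article
LOCAL = "<local machine>"         # how SQL Server logs local connections

def review_logins(lines, expected_clients):
    """Return findings for the watched account: (timestamp, client, reason)."""
    expected = {c.lower() for c in expected_clients} | {LOCAL}
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m or m["user"].lower() != WATCHED_ACCOUNT:
            continue  # not a login audit line, or a different account
        client = m["client"].strip().lower()
        if m["result"] == "failed":
            findings.append((m["ts"], client, "failed login"))
        elif client not in expected:
            findings.append((m["ts"], client, "login from unexpected client"))
    return findings

# Constructed sample log lines and addresses (not taken from any real system).
SAMPLE_LOG = """\
2010-07-22 08:00:01.10 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2010-07-22 08:00:05.42 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2010-07-22 09:13:37.77 Logon       Login succeeded for user 'winccconnect'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.99]
2010-07-22 09:14:02.03 Logon       Login failed for user 'WinCCConnect'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.99]
2010-07-22 09:15:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.50]
2010-07-22 09:16:00.00 spid51      Starting up database 'tempdb'.
""".splitlines()

if __name__ == "__main__":
    # 192.0.2.10 stands in for the one remote station expected to connect.
    for ts, client, reason in review_logins(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"{ts}  WinCCConnect  {client}  {reason}")
```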
Microsoft has issued a security advisory on the flaw, which it says affects all versions of the Windows operating system, including Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.


