Stuxnet Worm Over One Year Old

Thursday, August 5, 2010 @ 02:08 PM gHale


The worm that hit Siemens’ Simatic WinCC and PCS 7 users has been around for over a year and at the beginning of the new year its creators made it more sophisticated, officials said.
A Symantec researcher said they identified an early version of the worm created in June 2009, but it wasn’t until early this year that the malicious software became much more intense.
This earlier version of Stuxnet acts in the same way as its current incarnation: it tries to connect with Siemens’ management systems and steal data, but it does not use some of the newer worm’s techniques to evade antivirus detection and install itself on Windows systems.
After analyzing the different types of samples observed to date, additional information has come out on how long this threat has been under development and/or in use, Symantec researchers said. The development of the threat dates back to at least June 2009. The threat has been under continued development as the authors added components, encryption and exploits.
The amount of components and code used is very large. In addition, the authors’ ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows the creators have huge resources available to them and the time needed to spend on such a big task; this is most certainly not a “teenage-hacker-coding-in-his-bedroom” type of operation, Symantec researchers said.
After Stuxnet came to life, its authors added new software that allowed it to spread among USB devices with virtually no intervention by the victim. They also got their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally signed the malware so antivirus scanners would have a harder time detecting it.
Security experts said these targeted attacks have been ongoing for years now, but they only just started gaining mainstream attention, after Google disclosed that it had been targeted by an attack known as Aurora.
Aurora and Stuxnet used unpatched “zero-day” flaws in Microsoft products. But Stuxnet is more technically advanced than the Google attack.
On Monday, Microsoft issued a patch for the Windows vulnerability Stuxnet uses to spread from system to system.
To date, Siemens says six of its users have fallen victim to the attack, but none of the infections has affected the factory floor.
In the past week, four more fell victim to the attack; previously, two German end users had detected the malware and removed it with no damage to their plants.
Of the four new victims, one more was from Germany, two were in Western Europe and one in Eastern Europe, a Siemens spokesperson said.
Siemens released a tool that can detect and remove the virus, and so far more than 7,000 users have downloaded the virus scanner. It is available to download from Siemens at http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view. In addition to the downloads, just about 50 end users have contacted us on the hotline to get general information, said Michael Krampe, director of media relations at Siemens Industry Inc. In addition, there have been over 30,000 page views to date on the Siemens site.
The company is continuing its investigation into the origination of the virus, Krampe said.
Siemens recommends the following for detecting and removing Stuxnet:
Determine whether your Microsoft Windows computer is infected by the virus:
• Use the Sysclean virus scan tool you can download from the Siemens web site or the anti-virus programs approved by Siemens from TrendMicro, McAfee or Symantec with the patterns from July 25, 2010.
• Deactivate the virus scanner function “Automatically Clean Infected Files.”
• WinCC projects that are archived as ZIP files without a password may be renamed by virus scanners, which could impede their later use; Sysclean deletes the ZIP file if a virus has been detected in it.
If your computer is infected, ensure that you inform your Siemens Customer Support contact.
Immediately stop using an infected computer with administrator rights in a production plant. Create a power user and remove the computer from the network.
Together with the Siemens Customer Support, check the next steps for your computer installation and/or plant:
• Clean the computer with Sysclean with the “Automatically Clean Infected Files” function activated.
• Install the Siemens Security Update from the web site.
• Reboot the computer.
• Log in as the main user.
• Carry out another virus scan with your installed virus scanner and leave the virus scanner to run continuously.
• Restore the computer back to the network.
Siemens’ general recommendations still apply:
• Do not use any USB sticks or any other mobile data carriers.
• Always check your security concepts: Deactivate/uninstall services that are no longer required, especially the connections to the Internet.
• Do not set up any online connection with automation devices from an infected engineering computer even after the malware has been removed. We will be informing you what to do with the engineering computer in such circumstances after further tests.
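As an added example that is not Siemens’ Sysclean tool or part of its guidance, the following PowerShell script audits a Windows engineering workstation against two of the steps above (no removable media, off the network) and lists drivers for signature review, since the article notes the malware was signed with Realtek and JMicron keys. The registry paths, cmdlets and WMI class are standard Windows ones; the vendor-name filter and the -Enforce switch are the example’s own assumptions.

```powershell
<#
 Added example, not Siemens' tool or guidance. Audit/enforce two of the Siemens
 recommendations on a Windows engineering workstation; run locally from an
 elevated prompt. Without -Enforce nothing is changed, the script only reports.
#>
param([switch]$Enforce)

# 1. "Do not use any USB sticks": USBSTOR Start=4 stops the USB mass-storage driver
#    from loading; StorageDevicePolicies\WriteProtect=1 makes any removable volume
#    that still mounts read-only.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$sdp     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$start   = (Get-ItemProperty -Path $usbstor -Name Start).Start
Write-Output ("USBSTOR Start={0} -> {1}" -f $start, $(if ($start -eq 4) { 'disabled' } else { 'ENABLED' }))
if ($Enforce -and $start -ne 4) {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $sdp)) { New-Item -Path $sdp | Out-Null }
    Set-ItemProperty -Path $sdp -Name WriteProtect -Value 1 -Type DWord
    Write-Output 'USB mass storage disabled; removable volumes write-protected (applies on next plug-in).'
}

# 2. "Remove the computer from the network": report connected adapters and, with
#    -Enforce, disable them (this also drops any remote session, hence "run locally").
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$adapters | Select-Object Name, InterfaceDescription, LinkSpeed | Format-Table -AutoSize
if ($Enforce -and $adapters) {
    $adapters | Disable-NetAdapter -Confirm:$false
    Write-Output "Disabled $($adapters.Count) network adapter(s)."
}

# 3. Signed-driver review: list unsigned drivers plus every driver whose signer is one
#    of the two vendors named in the article. Legitimate Realtek/JMicron hardware
#    drivers appear here too, so compare each entry with the hardware actually
#    installed and with its driver date before treating it as suspicious.
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { -not $_.IsSigned -or $_.Signer -match 'Realtek|JMicron' } |
    Select-Object DeviceName, DriverProviderName, Signer, IsSigned, DriverDate |
    Sort-Object IsSigned, Signer |
    Format-Table -AutoSize
```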


