No Silver Bullet for Stuxnet / Siemens WinCC Malware - White Paper
Last week, Rick Kaun in his blog “[In]security Culture”, blasted the “security vendors” who were claiming that if the ICS/SCADA world used their offering, we would have avoided the whole Stuxnet mess. As Rick very correctly points out, this is complete rubbish - there is no silver bullet for security in general, but in the Stuxnet case it is dangerously inaccurate.
You will notice that none of the major security vendors like Cisco, Juniper or Symantec have claimed that their product is the Stuxnet-killer. They are just too smart. They know Stuxnet is a very complex worm with no single solution.
Just how complex is this worm? Well to start with, it propagates using three completely different propagation mechanisms:
- Via infected Removable USB Drives;
- Via Local Area Network communications and
- Via infected Siemens project files
Within these three, it uses seven different vulnerability exploitation techniques for spreading:
- It infects computers via removable USB flash drives (even when autorun is disabled) via a previously undiscovered shortcut (i.e. *.lnk files) vulnerability (MS10-046).
- For versions of Stuxnet created prior to March 2010, it spread via removable USB flash drives using an autorun-based exploit rather than the *.lnk file exploit.
- It spreads over local area networks to computers with network shares by enumerating all user accounts of the computer and the domain. It then tries all available network resources in order to copy itself and execute on the remote share, thereby infecting the remote computer.
- It spreads over local area networks to computers offering print sharing via a Windows Print Spooler zero-day vulnerability (MS10-061).
- It spreads over local area networks via the MS08-067 Windows Server Service Vulnerability (MS08-067).
- It infects computers running Siemens WinCC database software by using Siemens “internal” system passwords (i.e. passwords that cannot be changed) to log into the SQL server, transfering a version of the worm and then executing it locally.
- It Propagates by copying itself to any discovered Siemens STEP 7 projects (*.S7P, *.MCP and *.TMP files) and then auto-executing whenever the user opens the infected project.
It also takes advantage of two other Windows vulnerabilities that allow escalation of privilege (i.e. upgrading its account privileges to Administrator). These still haven’t been patched.
It uses a special method of loading software designed to bypass behavior blocking and host intrusion protection-type technologies.
And to top it off, it detects and subverts most major anti-virus programs, loading itself into the anti-virus process itself and then executing as part of the AV product.
Get the point? The Stuxnet Siemens WinCC malware is one sophisticated piece of attack code. If you hear someone claim that their security solution is the ultimate answer to Stuxnet, just run the other way. They are selling you smoke and mirrors…
No single solution will block an attack like Stuxnet – as I stated in an earlier blog, the only answer is a true Defence-in-Depth strategy and I will discuss how companies might do this in a future blog. In the meantime, if you want to know more about what Stuxnet does and how you can deal with it today, check out:
- The Tofino Security Stuexnet White Paper Version 3 (which has major changes from the last version):
“Analysis of the Siemens WinCC/PCS7 'Stuxnet' Malware for Industrial Control System Professionals”
Add new comment