Jaime Blasco Blog

A new malware called Stuxnet is currently targeting Scada systems. This could be one of the thousands of pieces of malware used by criminals but I want to emphasize some of the characteristics that make this attempt important enough to think over.

The malware is designed specifically to attack Siemens WinCC systems. This software controls and monitors industrial processes such as water treatment, gas pipelines, electrical distribution systems and so son. The malware takes advantage of default system credentials and seems to steal schematics information. (http://www.securityfocus.com/bid/41753)

Stuxnet uses a previously unknown vulnerability that affects the current versions of Windows. The vulnerability affects the Windows Shell that incorrectly parses shortcuts letting malicious code being executed when the icon is displayed. This can be exploited through USB drives or network shares. (POC: http://www.exploit-db.com/exploits/14403/)

The drivers dropped by the malware are signed with a digital certificate belonging to Realtek so we can assume that the malware authors gained access to Realtek's private key.

A high number of infections have been reported in Iran, Indonesia, India, Azerbaijan and the United States. Coincidence?

Who is behind Stuxnet? Anyway, this is a successful attempt to attack high-value assets around the world and whoever did this is highly skilled, well funded and possibly motivated by political, economical or military reasons.

I've just published a snort rule to detect Scada Modbus Device fingerprinting tools like modscan:

alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; 
classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)

You caN find it at Emerging Threats