Jaime Blasco Blog


Scada: New threat targets critical infrastructure systems
Mon, 26 Jul 2010

A new piece of malware called Stuxnet is currently targeting Scada systems. It could be just one of the thousands of pieces of malware used by criminals, but I want to emphasize some of the characteristics that make this one worth thinking about.


  • The malware is designed specifically to attack Siemens WinCC systems. This software controls and monitors industrial processes such as water treatment, gas pipelines, electrical distribution systems and so on. The malware takes advantage of default system credentials and appears to steal schematic information. (http://www.securityfocus.com/bid/41753)

  • Stuxnet uses a previously unknown vulnerability that affects current versions of Windows. The vulnerability is in the Windows Shell, which incorrectly parses shortcut files, allowing malicious code to be executed when the shortcut's icon is displayed. This can be exploited through USB drives or network shares. (POC: http://www.exploit-db.com/exploits/14403/)

  • The drivers dropped by the malware are signed with a digital certificate belonging to Realtek, so we can assume that the malware authors gained access to Realtek's private key.

  • A large number of infections have been reported in Iran, Indonesia, India, Azerbaijan and the United States. Coincidence?

  • Who is behind Stuxnet? In any case, this is a successful attempt to attack high-value assets around the world, and whoever did it is highly skilled, well funded and possibly motivated by political, economic or military reasons.

    posted at: 13:02 | path: /Scada Security | permanent link to this entry | 0 comments |



    Snort: Rule to detect Modbus device fingerprinting
    Tue, 21 Apr 2009

    I've just published a Snort rule to detect SCADA Modbus device fingerprinting tools like modscan:

    alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)

    You can find it at Emerging Threats.

    posted at: 15:55 | path: /Scada Security | permanent link to this entry | 0 comments |
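    To show what the rule's content match and threshold option actually do, here is an added Python example that is not part of the original post or of the Emerging Threats rule set: it builds Modbus/TCP requests, applies the 6-byte content match at depth 6, and approximates the "threshold: type both" logic over constructed traffic. The host addresses, the unit id sweep and the choice of function code 0x11 are assumptions for the sample, not modscan's documented behaviour.

```python
import struct
from collections import defaultdict

# Bytes the rule above matches at the start of the TCP payload (depth:6): an
# MBAP header with transaction id 0, protocol id 0 and length 2, i.e. a query
# carrying only unit id + function code and no data, as a bare probe does.
SCAN_SIGNATURE = bytes.fromhex("000000000002")

def build_query(tid, unit, fc, data=b""):
    """Build a Modbus/TCP request: MBAP header (tid, proto 0, length) + PDU."""
    pdu = bytes([unit, fc]) + data
    return struct.pack(">HHH", tid, 0, len(pdu)) + pdu

def matches_rule(payload):
    """content:"|00 00 00 00 00 02|"; depth:6 -> compare the first 6 bytes."""
    return payload[:6] == SCAN_SIGNATURE

class ModbusScanDetector:
    """Approximates 'threshold: type both, track by_src, count 100, seconds 10':
    fire once per source when 100 matches land inside a 10 s window, then stay
    silent until the window expires (Snort's exact window handling differs)."""
    def __init__(self, count=100, seconds=10):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"start": None, "n": 0, "alerted": False})

    def observe(self, src, dst_port, payload, ts):
        if dst_port != 502 or not matches_rule(payload):
            return False
        s = self.state[src]
        if s["start"] is None or ts - s["start"] >= self.seconds:
            s.update(start=ts, n=0, alerted=False)      # open a new window
        s["n"] += 1
        if s["n"] >= self.count and not s["alerted"]:
            s["alerted"] = True
            return True
        return False

def run_sample():
    """Constructed traffic (assumed addresses): one scanner and one legitimate HMI."""
    det, alerts = ModbusScanDetector(), []
    # Scanner: 150 probes in 7.5 s, tid 0, Report Server ID (0x11), unit id sweep.
    for i in range(150):
        if det.observe("10.0.0.5", 502, build_query(0, i % 248, 0x11), i * 0.05):
            alerts.append(("10.0.0.5", i))
    # HMI: one Read Holding Registers (0x03) per second with a real transaction id.
    for i in range(20):
        if det.observe("10.0.0.9", 502, build_query(i + 1, 1, 0x03, b"\x00\x00\x00\x0a"), i * 1.0):
            alerts.append(("10.0.0.9", i))
    return alerts   # -> [("10.0.0.5", 99)]: one alert, fired on the 100th probe
```

    Note that the HMI traffic never matches even with a zero transaction id, because its MBAP length field is 6, not 2.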


