Sophisticated Malware Exploits Zero-Day Vulnerability, Targets Industrial Systems

We've previously posted (here and here) about the ongoing concern among experts over the security of critical infrastructure and the smart grid. Those concerns have taken on new urgency with the recent discovery of a sophisticated worm targeting computers that run certain industrial control systems, potentially including the systems used to operate critical infrastructure. As reported in Computerworld and BusinessWeek, the worm, known as "Stuxnet", specifically targets Siemens industrial management (SCADA) software.

According to BusinessWeek,

The worm spreads via USB sticks, CDs or networked file-sharing computers, taking advantage of a new and currently unpatched flaw in Microsoft's Windows operating system. But unless it finds the Siemens WinCC [industrial management] software on the computer, it simply copies itself wherever it can and goes silent.

Because SCADA systems are part of the critical infrastructure, security experts have worried that they may someday be subject to a devastating attack, but in this case the point of the worm appears to be information theft.

If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website....

"Whoever wrote the code really knew Siemens products," said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. "This is not an amateur."

By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products....

Equally troubling is that Stuxnet uses seemingly valid digital signatures--belonging to the Taiwanese chipmaker Realtek--in its code. It is unknown at this time how the authors of the virus obtained these digital signatures, which allow it to get past security requirements within Windows.

Since the discovery of Stuxnet, Siemens has urged its customers not to change the default passwords the worm relies on, so as to avoid disrupting large-scale industrial systems that depend on them. That trade-off leaves the credentials in place, so for now operators are relying on detection and containment rather than on closing the door the worm walks through. Siemens and security vendors have since provided customers with tools for detecting, blocking and removing the Stuxnet code.
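One concrete check that follows from the signed-driver point above is to inventory the kernel drivers installed on a WinCC host and flag any whose Authenticode signature is missing, invalid, or issued to a publisher the site does not expect. The script below is an added example written for this post; it is not Siemens, Microsoft or vendor guidance. The allowlist of expected signer names is an assumption for illustration (in particular the Siemens publisher name), and a plant would populate it from its own baseline of known-good hosts. Realtek legitimately signs audio and network drivers on many machines, so the report includes the driver's path and state rather than treating the signer name alone as a verdict: a driver signed by a hardware vendor but living outside that vendor's normal install path is the pattern worth a second look.

```powershell
# Added example (not from the original post): report kernel drivers whose
# Authenticode signer is not on a site-specific allowlist.
# ASSUMPTION: the publisher names below are illustrative; build the real list
# from a known-good baseline of the plant's own hosts.
$ExpectedSigners = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher',
    'CN=Siemens AG'    # assumption: publisher CN used for WinCC components
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a
    # plain drive-letter path that Get-AuthenticodeSignature can open.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                    # system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignerReport {
    param([string[]]$Allowlist = $ExpectedSigners)
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path $path)) { return }

        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Trusted only if the signature chain verifies AND the signer matches
        # an allowlisted publisher. A valid signature from an unexpected
        # publisher (the Realtek case) is therefore still flagged.
        $trusted = ($sig.Status -eq 'Valid') -and
                   ($Allowlist | Where-Object { $subject -like "*$_*" })

        [pscustomobject]@{
            Driver = $_.Name
            State  = $_.State
            Path   = $path
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = $subject
            Flag   = if ($trusted) { '' } else { 'REVIEW' }
        }
    }
}

# Show only the drivers that need a human look.
Get-DriverSignerReport | Where-Object Flag -eq 'REVIEW' | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a non-production host first, since enumerating and hashing every driver file takes a few seconds and the first pass will surface legitimate third-party drivers that simply need to be added to the allowlist. Once the list is tuned, the same function can be scheduled to run periodically and its output diffed against the previous run, which turns a one-off check into a standing detection for newly installed, oddly signed drivers.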