Stuxnet Targeting Specific SCADA Configurations

Friday, November 05, 2010

Contributed By:
Danny Lieberman

The debate on whether or not the Israelis wrote the Stuxnet malware rages on – but it seems pretty clear from the research from ESET and Siemens own findings – here that the virus is apparently only activated in plants with a specific configuration.

To be exact – the target is not the SCADA system itself but rather the Siemens WinCC visualization and process monitoring software – WinCC which runs on standard Windows platforms as I pointed out in a previous post, and not on a hardened version of Windows as Shai Blitzblau seems to think.

Note also – that standard anti-virus programs with updated signatures as of August 2010 remove Stuxnet, so the continued propagation of the malware is either via a mutation or on Windows systems not running an anti-virus, which would not be too surprising, since apparently most Siemens WinCC installations are still using default admin passwords.

Analysis of virus and status of investigations

• The virus has been isolated on a test system in order to carry out more extensive investigations. Previously analyzed properties and the behavior of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge.
• As far as we know at the moment, industrial controls from Siemens are affected. The Trojan is activated whenever WinCC or PCS7 software from Siemens is installed.
• Further investigations have shown that the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
• The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
• This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications.

This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now.

This kind of specific plant was not among the cases that we know about. 

Cross-posted from Israeli Software

via infosecisland.com