Update: Malware affects Siemens WinCC and PCS7 equipment
UPDATE: Siemens Support Link for Stuxnet
Some malware, a so-called Trojan, is currently circulating which affects Microsoft Windows PCs with WinCC and PCS 7. The malware spreads via mobile data carriers, for example USB sticks, and networks. The Trojan is activated solely by viewing the contents of the USB stick.Find the latest information and help on Stuxnet from the Siemens Support Website.
UPDATE: Microsoft releases patch
Readers can become a member by signing up. There is no charge, and Byres has created a very complete program to ensure member privacy.Byres Security has also begun a blog called Practical SCADA Security. The intent is to provide clear and simple guidance when situations like Stuxnet occur.
The unwanted software's main purpose may be industrial espionage
At the same time Byres also reports a concerted Denial of Service (DOS) attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists. At least one of these services, he says, was brought down and taken off line.
Byres has been able to determine the following:
- This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
- There are no patches available from Microsoft at this time, although there are some work-arounds (see below).
- This malware is in the wild and probably has been for the past month.
- The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
- The malware is propagated via USB keys. It may also be propagated via network shares from other infected computers.
- Disabling AutoRun does not help! Simply viewing an infected USB key using Windows Explorer will infect your computer.
- The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
The only known work-arounds are:
- Do not install any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not.
- Disable the displaying of icons for shortcuts (this involves editing the registry).
- Disable the WebClient service.