The unwanted software’s main purpose may be industrial espionage.

28 SEP 2010: Keep up to date by visiting the Siemens Support Website:

Some malware, a so-called Trojan, is currently circulating which affects Microsoft Windows PCs with WinCC and PCS 7. The malware spreads via mobile data carriers, for example USB sticks, and networks. The Trojan is activated solely by viewing the contents of the USB stick.

Find the latest information and help on Stuxnet from the Siemens Support Website.

UPDATE-Microsoft has released a patch for the Stuxnet vulnerability, and Byres Security has updated its recommendations for addressing this critical SCADA-focused software worm. A revised white paper “Siemens PCS7 WinCC Malware” is available for download by all Tofinosecurity.com members now.

Readers can become a member by signing up. There is no charge, and Byres has created a very complete program to ensure member privacy.

Byres Security has also begun a blog called Practical SCADA Security. The intent is to provide clear and simple guidance when situations like Stuxnet occur.

Eric Byres, industrial network security specialist and chief technology officer of Byres Security Inc., reports investigating a new family of threats called Stuxnet, which appears to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. 

At the same time Byres also reports a concerted Denial of Service (DOS) attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists. At least one of these services, he says, was brought down and taken off line.

Byres has been able to determine the following:

• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008  and Windows 7.
• There are no patches available from Microsoft at this time, although there are some work-arounds (see below).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
• The malware is propagated via USB keys. It may also be propagated via network shares from other infected computers.
• Disabling AutoRun does not help! Simply viewing an infected USB key using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.

The only known work-arounds are:

• Do not install any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not.
• Disable the displaying of icons for shortcuts (this involves editing the registry).
• Disable the WebClient service.

Byres extracted and summarized the relevant data, and has assembled it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks.” Registered site users can freely download the white paper, and new visitors may register. Byres screens every new registration, so there may be a delay in processing. Byres may be contacted at 250-390-1333.