IDG News Service - A sophisticated worm designed to steal industrial secrets and disrupt operations has infected at least 14 plants, according to Siemens.
Called Stuxnet, the worm was discovered in July when researchers at VirusBlokAda found it on computers in Iran. It is one of the most sophisticated and unusual pieces of malicious software ever created -- the worm leveraged a previously unknown Windows vulnerability (now patched) that allowed it to spread from computer to computer, typically via USB sticks.
The worm, designed to attack Siemens industrial control systems, has not spread widely. However, it has affected a number of Siemens plants, according to company spokesman Simon Wieland. "We detected the virus in the SCADA [supervisory control and data acquisition] systems of 14 plants in operation but without any malfunction of process and production and without any damage," he said in an e-mail message.
This is worrisome news because according to a new paper on the worm, set to be delivered at this month's Virus Bulletin conference in Vancouver, Stuxnet could be used to cause a significant amount of damage if it is not properly removed.
Researchers at Symantec have cracked Stuxnet's cryptographic system, and they say it is the first worm built not only to spy on industrial systems, but also to reprogram them.
Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs -- so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.
The software operates in two stages following infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.
As Wieland noted, there are no known cases of plant operations actually being affected.
However, that's certainly a possibility, according to O'Murchu. Stuxnet comes with a rootkit, deigned to hide any commands it downloads from operators of the Siemens systems. Because of that, Symantec warns that even if the worm's Windows components are removed, the Siemens software might still contain hidden commands. Symantec advises companies that have been infected to thoroughly audit the code on their PLCs or restore the system from a secure backup, in order to be safe.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Binary Option: Neustar SiteProtect Case Study Learn how Neustar helped Top10optionbinaire.com protect against DDoS attacks with SiteProtect DDoS mitigation technology.
- Four Ways DNS Can Accelerate Business Growth This DNS eBook describes how DNS has developed over the years to support business growth as new needs have emerged, for example, advanced...
- Architecting the Network of the Future Networks need to change, as does the way IT thinks about and manages them. In addition to reliability, IT must now add higher...
- Ecommerce Site Needs Protection Against Cyber 'Pirate' Learn how a Neustar customer thwarted 'Blackbeard,' a self-styled DDoS Pirate. Using Neustar SiteProtect, a cloud-based DDoS mitigation service, this everyday IT hero...
- Tales from the Trenches - Industry Risks and Examples of DDoS Watch Neustar experts as they discuss how DDoS impacts technology companies including online gaming, e-commerce and more. All Network Security White Papers | Webcasts