Stuxnet malware exploiting Windows Shell vulnerability and targeting SCADA systems
Original Issue Date: July 23, 2010
Updated: October 22, 2010
Severity Rating: High
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition SP 2
- Windows Server 2003 SP 2
- Windows Server 2003 x64 Edition SP 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista SP 1 and SP 2
- Windows Vista x64 Edition SP 1 and SP 2
- Windows Server 2008 for 32-bit Systems and SP 2
- Windows Server 2008 for x64-based Systems and SP 2
- Windows Server 2008 for Itanium-based Systems and SP 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
It is reported that a malware family dubbed Stuxnet is exploiting a recently disclosed zero-day vulnerability (CIVN-2010-0169) [a] in the Microsoft Windows Shell, which improperly handles shortcut files.
This allows attackers to execute a malicious binary automatically by tricking a user into opening (viewing the contents of) a removable drive (e.g. USB) in Windows Explorer, or into browsing a remote network or WebDAV share, that contains a specially crafted shortcut file.
Once the vulnerability is successfully exploited, the malware installs a trojan that targets the SCADA components SIMATIC WinCC and Siemens STEP 7 and makes queries to any SIMATIC databases it discovers.
Additionally, the threat has been leveraging the outlined vulnerabilities;
SCADA stands for "supervisory control and data acquisition"; it is a category of application software for process control that gathers data in real time from remote locations in order to monitor and control a plant or equipment in industries such as power plants, oil and gas refining, telecommunications, transportation, and water and waste control.
SIMATIC WinCC HMI is a scalable process-visualization system for monitoring automated processes.
SIMATIC STEP 7 is engineering software used for the programming and configuration of SIMATIC programmable controllers.
The vulnerability is mostly exploited through removable devices. On systems that have AutoPlay disabled, users have to manually browse the root folder of the device in order to get infected.
When a user browses a folder that contains the malicious shortcut using a file manager such as Windows Explorer that displays shortcut icons, the malware runs as soon as the icon is displayed.
Besides being exploited locally through a malicious USB drive, the flaw can also be exploited remotely via network shares and via Web-based Distributed Authoring and Versioning (WebDAV), a set of extensions that allow users to edit and manage files on remote web servers.
The malware drops and executes two driver files, mrxnet.sys and mrxcls.sys, which appear to be digitally signed by Realtek Semiconductor Corp. or JMicron Technology Corp.; this could help the code bypass controls that require drivers to be signed.
The dropped drivers are registered as Windows services and are responsible for injecting code into other processes and stealing information from the system.
Once the malware is successfully installed, it searches for SCADA systems and, if it finds one, uses the default credentials hardcoded in the application (the WinCCAdmin and WinCCConnect account passwords for WinCC) to execute SQL instructions, through which it can run commands on the operating system.
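The following PowerShell script is an added example and is not part of this advisory; it is a read-only check for the two driver indicators described above. The file names mrxnet.sys and mrxcls.sys and the signer names come from the advisory; the assumption that the service registrations use the same base names as the driver files is made here for illustration only.

```powershell
# Added example, not part of the CERT-In advisory: read-only check for the two
# driver indicators named above. File names and signer names are from the
# advisory; the service key names matching the file base names is an assumption.
$driverNames    = @('mrxnet', 'mrxcls')
$driverDir      = Join-Path $env:SystemRoot 'System32\drivers'
$suspectSigners = @('Realtek', 'JMicron')   # certificate holders named in the advisory

$findings = foreach ($name in $driverNames) {
    $path   = Join-Path $driverDir "$name.sys"
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    $fileExists = Test-Path -LiteralPath $path
    $svcExists  = Test-Path -LiteralPath $svcKey

    $sigStatus = 'n/a'
    $signer    = 'n/a'
    if ($fileExists) {
        # Authenticode check: the advisory notes the drivers carry vendor signatures,
        # so a valid-looking signature alone does not clear the file.
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $signerMatch = $false
    foreach ($s in $suspectSigners) { if ($signer -match $s) { $signerMatch = $true } }

    New-Object PSObject -Property @{
        Driver          = $name
        FilePresent     = $fileExists
        ServiceKey      = $svcExists
        SignatureStatus = $sigStatus
        Signer          = $signer
        SignerSuspect   = $signerMatch
    }
}

$findings | Format-Table Driver, FilePresent, ServiceKey, SignatureStatus, SignerSuspect -AutoSize

if ($findings | Where-Object { $_.FilePresent -or $_.ServiceKey }) {
    Write-Warning 'Stuxnet driver indicator(s) found; isolate the host and escalate to incident response.'
}
```

Run it from an elevated prompt on the suspect machine. A hit on either the file or the service key is enough to escalate; an empty result does not prove the host is clean, because a kernel driver already loaded on the live system can interfere with what user-mode tools read, so corroborate from an offline copy of the disk or a known-good boot environment.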
Primary indicators of Stuxnet infection
Infected machines with/without WinCC/STEP 7 installed
Infected machines with WinCC/STEP 7 installed
In view of the massive scale of the attack and the high potential for damage, administrators and users are advised to implement the following countermeasures.
- Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS10-046.
- Apply the workarounds to address the Windows .LNK vulnerability.
  Note: for detailed steps and the impact of applying these workarounds, refer to Microsoft Security Advisory 228619 [b].
  - Disable the displaying of icons for shortcuts
  - Disable the WebClient service
  - Disable AutoRun
  - Block outgoing SMB traffic
- Use the Sysclean tool from Siemens [c] to detect and remove the malware.
- Apply the SIMATIC software update [d].
- Refer to Siemens' recommendation manuals [e] to enhance the overall security of SCADA systems.
- Refer to the manual [f] for the administration of virus scanners in PCS 7 and WinCC.
- Refer to the ICS-CERT advisory [g].
- Refer to the following articles on using various virus scanners in a SCADA environment:
  - Trend Micro OfficeScan V8.0 configuration [h]
  - Symantec Antivirus V10.2 configuration [i]
  - Symantec Endpoint Protection 11.0 configuration [j]
  - McAfee VirusScan (V8.5; V8.5i; V8.7) configuration [k]
- Refer to CPNI's guidelines [l] for Process Control and SCADA security.
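The script below is an added example, not part of this advisory or of the Microsoft advisory it cites; it applies the four .LNK workarounds listed above on a single host. The registry locations and the netsh command are the standard Windows ones for these settings and are assumptions of this example rather than values quoted from the advisory; each change is backed up or reversible so the workarounds can be undone once MS10-046 is applied.

```powershell
# Added example, not part of the CERT-In or Microsoft advisories: applies the four
# .LNK workarounds on one host. Run from an elevated PowerShell prompt. Registry
# paths and the firewall command are standard Windows locations assumed here,
# not values taken from the advisory.
$backupDir = Join-Path $env:TEMP 'lnk-workaround-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Disable the displaying of icons for shortcuts: export and then remove the
#    icon handler registered for .lnk and .pif files, then restart Explorer.
foreach ($class in 'lnkfile', 'piffile') {
    $regName = "HKCR\$class\shellex\IconHandler"
    $key     = "Registry::HKEY_CLASSES_ROOT\$class\shellex\IconHandler"
    if (Test-Path -LiteralPath $key) {
        $backup = Join-Path $backupDir "$class-IconHandler.reg"
        Remove-Item -LiteralPath $backup -Force -ErrorAction SilentlyContinue
        reg.exe export $regName $backup | Out-Null       # keeps the value for later rollback
        Remove-ItemProperty -LiteralPath $key -Name '(default)' -ErrorAction SilentlyContinue
    }
}
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Process explorer.exe

# 2. Disable the WebClient service so the WebDAV share vector is closed.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Disable AutoRun for every drive type via the Explorer policy key (0xFF = all types).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path -LiteralPath $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -LiteralPath $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 4. Block outgoing SMB (TCP 139 and 445) at the host firewall. netsh advfirewall
#    exists on Vista / Server 2008 and later; the XP / Server 2003 firewall does not
#    filter outbound traffic, so enforce this rule at a perimeter device there.
netsh advfirewall firewall add rule name="Block outbound SMB (LNK workaround)" dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
```

Removing the icon handler stops Explorer from rendering any shortcut icon, which is visible to users and is why the exported .reg files are kept for rollback after patching. Blocking outbound SMB at the host also blocks legitimate access to file and print shares, so apply step 4 only after confirming which shares the machine needs.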
b. Microsoft Security Advisory
c. Siemens Sysclean tool and latest signature files
d. SIMATIC software update
e. Siemens recommendation manuals
f. Siemens manual for administering virus scanners
g. ICS-CERT advisory
h. Trend Micro configuration
i. Symantec Antivirus configuration
j. Symantec Endpoint Protection configuration
k. McAfee VirusScan configuration
l. CPNI's guidelines
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Department of Information Technology
Ministry of Communications & Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India