There has been a great deal of nervousness in the security world about malware spreading via USB devices. This new malware has been programmed to steal data from systems that run specific software used in industrial manufacturing plants.
The malware is a multi-component attack: a worm that spreads via USB drives and takes advantage of a previously unknown weakness in Windows, plus a Trojan backdoor that checks whether the infected machine is running that particular software. The software was created by Siemens to control systems in manufacturing, utilities and yes, even nuclear-powered aircraft carriers.
The worm, which is being called Stuxnet, makes the most of a hole present in all versions of Windows in the code that processes shortcut files ending in .lnk. Simply browsing the removable drive with an application that displays the shortcut icons, such as Windows Explorer, runs the malware without the user ever clicking on an icon.
The worm infects any USB drives or other removable storage devices connected to an infected machine, and those drives then go on to infect other machines.
The malware includes a rootkit, software designed to hide the fact that the computer has been compromised, along with other software that sneaks onto computers by using digital certificates.
Once a machine is infected, the Trojan inspects the computer it landed on and checks for Siemens’ Simatic WinCC software. The malware then uses a default password, which appears to be hard-coded into that software, to gain control of its Microsoft SQL database. The even scarier part is that this password has been on the internet for years!
What the malware does is steal industrial automation layout designs and control files specific to the control system. Once it locates this data, it encodes it and attempts to upload it to a remote server.
The malware was discovered approximately a month ago by the Belarusian antivirus vendor VirusBlokAda. Microsoft has released a security advisory on it, stating that the targeted attacks so far appear limited.
It is impacting countries such as India, Indonesia and Iran, as well as the U.S. At this point Siemens has no idea how many systems are being or have been affected. Plant operators are advised to restrict access to critical control system data via USB drives to prevent any compromise.
Siemens says it hopes to have a fix for this worm with the major antivirus software companies sometime this week. Siemens is addressing the issue and will provide its customers this week with a software tool they can use to check their PCs for the virus, while Microsoft, for the moment, is working on a patch and will provide instructions for a workaround.
IT staff will be able to apply the workaround and adopt other fixes that prevent files from executing unless they are on the C drive, which would stop a computer from running the software on the USB drives.
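As an added illustration of the workaround just described (this is example code, not from the article, Microsoft or Siemens), the following Python reviews constructed process-launch records and flags any code that ran from somewhere other than the C drive, with a more specific reason when Explorer launched it from a drive listed as removable. The log format, the set of removable drive letters and all file names are assumptions made for the example.

```python
import csv
import io
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Policy from the article's workaround: only code on the C drive may execute.
ALLOWED_DRIVE = "C:"
# Assumption: in a real deployment these letters would come from the OS drive-type
# query; here they are a constructed set so the example runs offline.
REMOVABLE_DRIVES = {"E:", "F:"}

# Constructed sample log (not real telemetry): one launch event per line.
SAMPLE_LOG = """\
time,parent,image
2010-07-19T10:01:02,C:\\Windows\\explorer.exe,C:\\Windows\\notepad.exe
2010-07-19T10:02:15,C:\\Windows\\explorer.exe,E:\\setup.exe
2010-07-19T10:03:44,C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\svchost.exe
2010-07-19T10:04:01,C:\\Windows\\explorer.exe,D:\\tools\\archiver.exe
"""


def drive_of(path: str) -> str:
    """Return the upper-cased drive letter component, e.g. 'E:'."""
    return PureWindowsPath(path).drive.upper()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event violates the C-drive-only policy."""
    drive = drive_of(event["image"])
    if drive == ALLOWED_DRIVE:
        return None
    parent = PureWindowsPath(event["parent"]).name.lower()
    # The article's scenario: Explorer merely browsing removable media runs code.
    if drive in REMOVABLE_DRIVES and parent == "explorer.exe":
        return "code run from removable media while Explorer browsed it"
    return "code run from outside " + ALLOWED_DRIVE


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the CSV-style log into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def find_violations(text: str) -> List[Tuple[str, str, str]]:
    """Return (time, image, reason) for every event breaking the policy."""
    hits = []
    for event in parse_log(text):
        reason = classify(event)
        if reason:
            hits.append((event["time"], event["image"], reason))
    return hits
```

Calling `find_violations(SAMPLE_LOG)` reports the launch from E: as a removable-media execution and the launch from D: as a plain off-C-drive execution, while the two C-drive launches pass.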
VeriSign and Microsoft have revoked the digital certificate used to sneak the rootkit onto computers; however, in ongoing tests the malware is still loading without warning despite the revocation.
In the meantime it is still being debated who is behind these attacks and why, so the rush is on to get the fix to everyone affected as quickly as possible.