Analysis of the Siemens SCADA and Windows Shortcut Vulnerabilities

As you’re probably well aware, there has been a lot of news over the past month regarding a new Malware that is impacting Siemens WinCC SCADA systems. The Malware is known as Stuxnet.

Looking closer at this Malware, there are really three key vulnerabilities that are exposed.

  • Siemens SCADA systems using the hardcoded default passwords for internal inter process communication. Siemens claims that changing the default password will result in the SCADA systems perhaps being inoperable
  • Rootkit that the Stuxnet trojan installs
  • A zero day flaw within all Windows OS that is exposed by improper validation of shortcut links (.LNK & .PIF). This is known as Microsoft Windows Shortcut ‘LNK/PIF or Win32/CplLnk.A, This vulnerability is what the SCADA Malware exploits. This is classified as a critical vulnerability by Microsoft

Windows Shortcut Vulnerability

I’ll begin with the most serious which is the Microsoft shortcut flaw which is documented under Microsoft Security Advisory 2286198.

What is this vulnerability? Here is a bit of background information.  A .LNK file is a shortcut to a local file and a .PIF file is a shortcut to an MS-DOS application that are both represented by icons in Windows Explorer. When we click on these icons, it’ll launch the application associated with the shortcut.  Everyone uses shortcuts in Windows. The Windows Shell  automatically loads these icons when you browse to the desired folder (for example, the Desktop).  The threat exposes a vulnerability in the way these shortcuts are handled. When Windows attempts to load the icon of the shortcut, Windows Shell doesn’t correctly parse specific parameters of the shortcut. An attacker can easily exploit this by embedding Malware within the shortcut and is executed as soon as the icon is displayed(i.e. remote code execution).  It doesn’t require the user to click on the icon, as soon as it is displayed it will execute. Once someone exploits this vulnerability, they could gain the same user rights as the user. If one had administrative rights, think of the damage that could occur.  This is what the Stuxnet Malware exposed.

The issue is really exposed by external devices such as USB or SMB shares. When a USB device containing a Malware is connected, the Malware will instantaneously be installed once the USB device is connected (Autoplay is enabled). Even if you had Autoplay disabled, if you were to browse to the location of the icons, Windows Shell will load the Malware

Microsoft has classified the severity as a Critical vulnerability and has issued an emergency patch for it out-of-band from it’s normal patching process (second Tuesday of every month).  A patch was issued on Monday, August 2nd.  Oh yes, it impacts all supported Windows OS versions.

If you have automatic updates enabled, you will pick up the patch.  If not, it’ll require manual retrieval. MS is requesting that this patch be installed immediately. If you are using an unsupported version, you will need to follow the manual steps to implement the countermeasure (requires registry changes).

Another approach to reducing the risk of Malware being exposed by the Windows shortcut vulnerability is to use Software Restriction Policies which is part of Microsoft’s security and management strategy. With SRP, you can set restrictions to only execute applications and programs from a well known directory (ex. c:\program files). You define which locations you allow programs to run from.  This would restrict Malware from running from external drives or any location that you haven’t explicitly allowed. For more information on SRP, see http://technet.microsoft.com/en-us/library/bb457006.aspx

SCADA & Stuxnet Vulnerability

Supervisory Control and Data Acquisition Systems (SCADA) are used to monitor our critical infrastructure and resources such as Water facilities, Electricity, Oil & Gas, etc… I don’t need to divulge the importance of these systems and what could possibly occur if one of these systems were exposed to Malware.

Stuxnet is a worm that exposes the Windows shortcut vulnerability. When it runs, it installs itself as a rootkit and has the ability to hide itself.   Another key component is that the rootkit was digitally signed first by Realtek Semiconductor Corp and then JMicron Technology Corp, thus passing Windows Authenticode requirements.  It appears that the certificates had been stolen from both vendors (using a module known as Zeus that is capable of capturing digital signatures).  VeriSign, who are the issuer of the certificates have issued a revocation for these certificates. It was revoked as of July 31. Please see http://www.thetechherald.com/article.php/201029/5921/VeriSign-working-to-mitigate-Stuxnet-digital-signature-theft for more information.

The two main components that the rootkit installs are:

<System>\drivers\mrxcls.sys
<System>\drivers\mrxnet.sys

These will also be registered as new services named MRxCls and MRxNet.

Stuxnet only seems to target Siemens WinCC SCADA systems. It’s purpose is to log onto the SCADA database using the default password that is deployed with every Siemens WinCC SCADA device and steal critical information.  According to some publications, the default password has been posted on two blog sites as far back as two years ago (one in Germany which was instantly removed and another in Russia).

How can a system that is used for critical infrastructure use the same default password in all their deployments?  When you first learn about IT security, it’s one of the first rules that you learn: Always change the default passwords.  Siemens is recommending to its customers that they don’t change the default passwords as it’ll have a negative impact on functionality.  The reason is that Siemens has hard coded the default password for some communication between it’s internal processes and changing the default password would fail authentication and break functionality.  I am flabbergasted as to how this ever passed their system validation testing or how this was not a requirement as part of their security functional specification.  This is extremely bad design practice and Siemens needs to address this. According to Siemens vulnerability posted on their website, they are relying on Microsoft to address the issue.

Kudos goes to VirusBlokAda for first discovering it and working with Microsoft to correct it and to Sophos which has done an excellent job analyzing both vulnerabilities and providing the appropriate countermeasures.

For more information, please see the following links:
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
http://www.kb.cert.org/vuls/id/940193
http://www.zdnet.co.uk/news/security-threats/2010/08/03/windows-shortcut-hole-gets-emergency-patch-40089709/?s_cid=165
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1517625,00.html

Add to DeliciousAdd to DiggAdd to FaceBookAdd to Twitter

About the author

jojo.maalouf -

8 Responses to "Analysis of the Siemens SCADA and Windows Shortcut Vulnerabilities"

  1. I’m glad that i found your site, there are a couple of cool articles

  2. This is a great post and may be one to be followed up to see what are the results

    A neighbor sent this link the other day and I am eagerly waiting your next article. Keep on on the brilliant work.

  3. Stumbled on your blog post via google the other day and absolutely like it so much. Carry on this fantastic work.

  4. I just had an excellent description of this SCADA malware at the RAID conference by the technical director at Symantec’s response center, Eric Chien. He indicated that this is the Biggest and most sophisticated malware that Symantec has ever seen. If there was ever a Hollywood movie plot on Malware, this would be the front runner. Imagine the headlines: “Stuxnet causes nuclear plant meltdown!!”

    From reverse engineering by Symantec, Stuxnet has 4 zero day vulnerability exploits embedded in it. In comparison, most malware uses 1 or at most 2 exploits. The first zero day discovered and patched was the infamous MS shortcut links. Another one on print spooler was patched around Sept 11th. The other 2 are undisclosed to the public as MS does not have a patch or known fix. They use escalation of privileges. The stolen certificates which were used to bypass MS security checks on software have been revoked. The malware distributes through USB key and self-destructs from the key after 3 plug in attempts. Speculation is that this was done to minimize collateral damage as the malware was targeted at Iran since 65% of infections are in Iran. USBs were selected as SCADA systems are not usually on the network.

    The malware used STEP7 software from Siemens to send unknown commands to the PLC controllers. Due to the complexity and sophistication, and that it seemed targeted at mainly Iran, Symantec believes that it is state driven or sponsored.

    The malware uses a command and control channel to connect out. It will connect out to (* becomes dot):
    www*mypremierfutbol*com
    www*todaysfutbol*com

    Please do NOT attempt to connect to these sites through a web browser.

    Here is some other into to verify whether you are infected:

    http://vil.nai.com/vil/Content/v_268468.htm

  5. Thanks for posting and sharing with all – Cheers

  6. Hey man, was just looking via the web searching for some information on this and came across your site. I am impressed by the information that you just have posted. It shows how well you realize this subject. Bookmarked this page for further reading, will come back for additional.

  7. This a fabulous post and may be one that can be followed up to see what happens

    A chum e-mailed this link the other day and I will be excitedly hoping for your next article. Keep on on the quality work.

  8. With thanks for taking the time to discuss this, I feel strongly about it and love learning more on this subject. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me. My best wishes, Katrina.

Do you have something to say?

Your email is never published nor shared.
Required fields are marked *

WP-SpamFree by Pole Position Marketing