
MA-240.072010: MyCERT Alert – Malware Targeting Simatic WinCC and Simatic PCS 7 SCADA Systems

Date of publication: 2010-07-21

1.0 Introduction

MyCERT has observed a targeted attack carried out by a malware known as Stuxnet. The targeted software is Siemens' Simatic WinCC and Simatic PCS 7, and according to other security analysts the attack started on July 14th 2010 [1].

The malware is currently spreading via USB sticks and exploits a critical vulnerability in the Microsoft Windows operating system (CVE-2010-2568), which is connected with the database system of Simatic WinCC and Simatic PCS 7. MyCERT has previously released an advisory on this critical Microsoft vulnerability [2].
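CVE-2010-2568 concerns how the Windows Shell parses shortcut (.lnk) files when it renders their icons, which is why a USB stick only has to be browsed to be dangerous. An analyst can still inspect the shortcuts on a removable drive offline before it is opened in Explorer. The Python triage parser below is an added example and not MyCERT's or Siemens' code: it reads the MS-SHLLINK header, the link target ID list and the string fields, and marks for review any shortcut whose only target is an ID list that carries a raw file path, since a normal file shortcut records its target in the LinkInfo structure or a relative path. The build_shortcut helper, the review heuristic and the sample paths are constructed for illustration; the blobs it builds are not usable Windows shortcuts.

```python
import re
import struct
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# Shell Link class id {00021401-0000-0000-C000-000000000046} as stored on disk.
SHELL_LINK_CLSID = b'\x01\x14\x02\x00' + b'\x00' * 8 + b'\xc0' + b'\x00' * 6 + b'\x46'
# A drive-letter or UNC path spelled out in UTF-16 inside an ID list item.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\x00]{1,260}')


@dataclass
class ShortcutInfo:
    has_id_list: bool = False
    has_link_info: bool = False
    relative_path: Optional[str] = None
    icon_location: Optional[str] = None
    embedded_paths: List[str] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        # Heuristic (constructed for this example): a file shortcut normally
        # records its target in LinkInfo or a relative path; one whose only
        # target is an ID list holding a raw file path is unusual.
        return (self.has_id_list and not self.has_link_info
                and self.relative_path is None and bool(self.embedded_paths))


def _paths_in_id_list(id_list: bytes) -> List[str]:
    """Walk the ItemID entries and collect UTF-16 paths found in their data."""
    found, pos = [], 0
    while pos + 2 <= len(id_list):
        (item_size,) = struct.unpack_from('<H', id_list, pos)
        if item_size == 0:          # TerminalID ends the list
            break
        item = id_list[pos + 2:pos + item_size]   # size field counts itself
        pos += item_size
        for start in (0, 1):        # try both 16-bit alignments
            text = item[start:].decode('utf-16-le', errors='replace')
            found.extend(m.group(0) for m in PATH_RE.finditer(text))
    return found


def _read_string(data: bytes, pos: int, unicode: bool):
    """StringData entry: 2-byte character count, then the unterminated text."""
    (count,) = struct.unpack_from('<H', data, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = data[pos:pos + width * count]
    text = raw.decode('utf-16-le' if unicode else 'latin-1', errors='replace')
    return text, pos + width * count


def parse_shortcut(data: bytes) -> ShortcutInfo:
    """Parse the parts of a Shell Link file needed for triage."""
    if len(data) < HEADER_SIZE or struct.unpack_from('<I', data, 0)[0] != HEADER_SIZE:
        raise ValueError('not a Shell Link file')
    (flags,) = struct.unpack_from('<I', data, 0x14)   # LinkFlags follows the CLSID
    info = ShortcutInfo(has_id_list=bool(flags & HAS_LINK_TARGET_ID_LIST),
                        has_link_info=bool(flags & HAS_LINK_INFO))
    pos = HEADER_SIZE
    if info.has_id_list:
        (id_list_size,) = struct.unpack_from('<H', data, pos)
        pos += 2
        info.embedded_paths = _paths_in_id_list(data[pos:pos + id_list_size])
        pos += id_list_size
    if info.has_link_info:
        (link_info_size,) = struct.unpack_from('<I', data, pos)
        pos += link_info_size       # skip the whole LinkInfo structure
    unicode = bool(flags & IS_UNICODE)
    for flag, attr in ((HAS_NAME, None), (HAS_RELATIVE_PATH, 'relative_path'),
                       (HAS_WORKING_DIR, None), (HAS_ARGUMENTS, None),
                       (HAS_ICON_LOCATION, 'icon_location')):
        if flags & flag:
            value, pos = _read_string(data, pos, unicode)
            if attr:
                setattr(info, attr, value)
    return info


def triage_volume(root) -> dict:
    """Parse every .lnk under a mounted volume; malformed files map to None."""
    results = {}
    for lnk in Path(root).rglob('*.lnk'):
        try:
            results[str(lnk)] = parse_shortcut(lnk.read_bytes())
        except (ValueError, struct.error):
            results[str(lnk)] = None
    return results


def build_shortcut(flags: int, id_list_items=(), link_info=False, strings=()) -> bytes:
    """Assemble a minimal test blob (constructed; not a usable shortcut).
    Flags must include IS_UNICODE; strings are given in StringData order."""
    blob = struct.pack('<I16sIIQQQIIIHHII', HEADER_SIZE, SHELL_LINK_CLSID,
                       flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if id_list_items:
        items = b''.join(struct.pack('<H', len(d) + 2) + d for d in id_list_items)
        items += b'\x00\x00'
        blob += struct.pack('<H', len(items)) + items
    if link_info:
        blob += struct.pack('<7I', 28, 28, 0, 0, 0, 0, 0)   # empty LinkInfo
    for s in strings:
        blob += struct.pack('<H', len(s)) + s.encode('utf-16-le')
    return blob
```

Run triage_volume against the mount point of the stick (for example `/media/usb` on a Linux analysis box) and review every entry whose needs_review is true or whose value is None. Shortcuts that point at a DLL for their icon are not flagged on their own, because ordinary shortcuts routinely take icons from shell32.dll and similar system libraries.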

2.0 Impact

The full impact of this malware is not yet clear. However, successful exploitation can allow the malware to remove and install other components, inject code into currently running processes, and allow backdoor access to and control of the infected computer. While it is concerning that the malware reportedly targets specific Siemens SCADA products, the real impact depends on the criticality and nature of the infected systems deployed.

3.0 Affected Products

The vulnerability in the Windows Shell (CVE-2010-2568) affects the following operating systems:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 1 and Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems

Siemens has confirmed that the malware targets the following two of its products [3]:

  • Siemens Simatic WinCC
  • Siemens Simatic PCS 7

4.0 Recommendations

The malware relies on the vulnerability in the Microsoft Windows Shell (CVE-2010-2568); therefore, it is important to ensure that workarounds are applied on the affected operating systems as soon as possible. Please refer to our advisory MA-239.072010 for the mitigation steps.

MyCERT would like to inform users that most antivirus products can now detect and remove this malware. However, users must make sure that their antivirus signatures are up to date. We would also recommend that users conduct a full computer scan.

Lastly, MyCERT would like to advise users of Microsoft Windows operating systems, Simatic WinCC and Simatic PCS 7 to be vigilant of the latest security announcements by the respective vendors and to ensure that their software is up to date.

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my

5.0 References