As you’re probably well aware, there has been a lot of news over the past month regarding a new Malware that is impacting Siemens WinCC SCADA systems. The Malware is known as Stuxnet.

Looking closer at this Malware, there are really three key vulnerabilities that are exposed.

  • Siemens SCADA systems using the hardcoded default passwords for internal inter process communication. Siemens claims that changing the default password will result in the SCADA systems perhaps being inoperable

  • Rootkit that the Stuxnet trojan installs

  • A zero day flaw within all Windows OS that is exposed by improper validation of shortcut links (.LNK & .PIF). This is known as Microsoft Windows Shortcut ‘LNK/PIF or Win32/CplLnk.A, This vulnerability is what the SCADA Malware exploits. This is classified as a critical vulnerability by Microsoft

Windows Shortcut Vulnerability

I’ll begin with the most serious which is the Microsoft shortcut flaw which is documented under Microsoft Security Advisory 2286198.

What is this vulnerability? Here is a bit of background information.  A .LNK file is a shortcut to a local file and a .PIF file is a shortcut to an MS-DOS application that are both represented by icons in Windows Explorer. When we click on these icons, it’ll launch the application associated with the shortcut.  Everyone uses shortcuts in Windows. The Windows Shell  automatically loads these icons when you browse to the desired folder (for example, the Desktop).  The threat exposes a vulnerability in the way these shortcuts are handled. When Windows attempts to load the icon of the shortcut, Windows Shell doesn’t correctly parse specific parameters of the shortcut. An attacker can easily exploit this by embedding Malware within the shortcut and is executed as soon as the icon is displayed(i.e. remote code execution).  It doesn’t require the user to click on the icon, as soon as it is displayed it will execute. Once someone exploits this vulnerability, they could gain the same user rights as the user. If one had administrative rights, think of the damage that could occur.  This is what the Stuxnet Malware exposed.

The issue is really exposed by external devices such as USB or SMB shares. When a USB device containing a Malware is connected, the Malware will instantaneously be installed once the USB device is connected (Autoplay is enabled). Even if you had Autoplay disabled, if you were to browse to the location of the icons, Windows Shell will load the Malware

Microsoft has classified the severity as a Critical vulnerability and has issued an emergency patch for it out-of-band from it’s normal patching process (second Tuesday of every month).  A patch was issued on Monday, August 2nd.  Oh yes, it impacts all supported Windows OS versions.

If you have automatic updates enabled, you will pick up the patch.  If not, it’ll require manual retrieval. MS is requesting that this patch be installed immediately. If you are using an unsupported version, you will need to follow the manual steps to implement the countermeasure (requires registry changes).

Another approach to reducing the risk of Malware being exposed by the Windows shortcut vulnerability is to use Software Restriction Policies which is part of Microsoft’s security and management strategy. With SRP, you can set restrictions to only execute applications and programs from a well known directory (ex. c:\program files). You define which locations you allow programs to run from.  This would restrict Malware from running from external drives or any location that you haven’t explicitly allowed. For more information on SRP, seehttp://technet.microsoft.com/en-us/library/bb457006.aspx

SCADA and Stuxnet Vulnerability

Supervisory Control and Data Acquisition Systems (SCADA) are used to monitor our critical infrastructure and resources such as Water facilities, Electricity, Oil & Gas, etc… I don’t need to divulge the importance of these systems and what could possibly occur if one of these systems were exposed to Malware.

Stuxnet is a worm that exposes the Windows shortcut vulnerability. When it runs, it installs itself as a rootkit and has the ability to hide itself.   Another key component is that the rootkit was digitally signed first by Realtek Semiconductor Corp and then JMicron Technology Corp, thus passing Windows Authenticode requirements.  It appears that the certificates had been stolen from both vendors (using a module known as Zeus that is capable of capturing digital signatures).  VeriSign, who are the issuer of the certificates have issued a revocation for these certificates. It was revoked as of July 31. Please see http://www.thetechherald.com/article.php/201029/5921/VeriSign-working-to-mitigate-Stuxnet-digital-signature-theft for more information.

The two main components that the rootkit installs are:

<System>\drivers\mrxcls.sys
<System>\drivers\mrxnet.sys

These will also be registered as new services named MRxCls and MRxNet.

Stuxnet only seems to target Siemens WinCC SCADA systems. It’s purpose is to log onto the SCADA database using the default password that is deployed with every Siemens WinCC SCADA device and steal critical information.  According to some publications, the default password has been posted on two blog sites as far back as two years ago (one in Germany which was instantly removed and another in Russia).

How can a system that is used for critical infrastructure use the same default password in all their deployments?  When you first learn about IT security, it’s one of the first rules that you learn: Always change the default passwords.  Siemens is recommending to its customers that they don’t change the default passwords as it’ll have a negative impact on functionality.  The reason is that Siemens has hard coded the default password for some communication between it’s internal processes and changing the default password would fail authentication and break functionality.  I am flabbergasted as to how this ever passed their system validation testing or how this was not a requirement as part of their security functional specification.  This is extremely bad design practice and Siemens needs to address this. According to Siemens vulnerability posted on their website, they are relying on Microsoft to address the issue.

Kudos goes to VirusBlokAda for first discovering it and working with Microsoft to correct it and to Sophos which has done an excellent job analyzing both vulnerabilities and providing the appropriate countermeasures.

For more information, please see the following links:
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
http://www.kb.cert.org/vuls/id/940193
http://www.zdnet.co.uk/news/security-threats/2010/08/03/windows-shortcut-hole-gets-emergency-patch-40089709/?s_cid=165
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci151