Worm targets Siemens industrial systems

Industrial sites from food factories to power plants are under threat from a worm targeting Siemens’ industrial automation systems – and security experts are warning that part of the worm’s attack system could work against any Windows machine.

The W32/Stuxnet-B worm is spread via USB sticks, networked file-sharing PCs or CDs, and takes advantage of a flaw in Windows Shell to attack Siemens SCADA systems running its WinCC software. Simply viewing the contents of the USB stick is enough to trigger the worm, which appears to be used to steal information rather than to damage the systems themselves.

Siemens acknowledges the problem on its support website, and says it’s working on a solution. It says affected companies and organisations should not change their default passwords – which are exploited by the worm – as this could endanger their operations.

In the meantime, it says, “There are already three virus scan programs recommended for Siemens systems from Trend Micro, McAfee and Symantec, the latest versions of which can detect the Trojan. The effect of deploying these programs on the Runtime environment is currently being analysed, and an approval will be issued shortly.”

But while these attacks appear to be aimed particularly at infrastructure targets, the zero-day vulnerability which the worm exploits could apply to any Windows machine, says Graham Cluley of Sophos.

“What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – dubbed ‘CPLnk’ by Sophos – as it would certainly be a useful tool in any malware’s arsenal,” he says.

“The chance of that occurring has increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the internet.”

Meanwhile, Microsoft has issued a security advisory on the worm.

“The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed,” it says. “This vulnerability is most likely to be exploited through removable drives.”

The company says that when AutoPlay functionality for removable disks is disabled – as it is automatically in Windows 7 – customers would have to manually browse to the affected folder of the removable disk for the vulnerability to be exploited.

But Cluley says this isn’t strictly accurate, as an attack can be initiated automatically by viewing an affected USB storage device via Windows Explorer, even with AutoRun and AutoPlay disabled. Even the Microsoft Security Response Center (MSRC) admits that the security hole can also be remotely exploited via WebDAV and network shares.
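Because the trigger is Explorer rendering a shortcut’s icon, one defensive step is to triage the .lnk files on removable media before they are browsed. The following is an added example, not code from the article, Sophos or Microsoft: it parses the Windows Shell Link binary format (the 76-byte header, the LinkFlags field, and the StringData block that carries the ICON_LOCATION string) and applies a simple triage heuristic, which is an assumption of this example rather than a signature for the worm, flagging shortcuts whose icon is drawn from a DLL or CPL file outside the Windows directory. The sample shortcut is constructed in the code itself.

```python
import struct
from pathlib import Path
HEADER_SIZE = 0x4C                                  # fixed ShellLinkHeader size
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))

def _read_string(buf, off, unicode):
    """StringData field: 2-byte character count, then the characters (UTF-16LE if IsUnicode)."""
    count, width = struct.unpack_from("<H", buf, off)[0], 2 if unicode else 1
    end = off + 2 + width * count
    return buf[off + 2:end].decode("utf-16-le" if unicode else "latin-1"), end

def parse_lnk(buf):
    """Return LinkFlags and the StringData fields of a .lnk byte string."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags, off = struct.unpack_from("<I", buf, 20)[0], HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:                   # skip LinkTargetIDList: 2-byte size + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                       # skip LinkInfo: its first dword is its total size
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:                 # strings appear in this fixed order, only if flagged
        if flags & bit:
            fields[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields

def is_suspicious(fields):
    """Triage heuristic (an assumption, not a signature): icon comes from a DLL/CPL outside C:\\Windows."""
    icon = fields.get("icon_location", "").lower()
    return icon.endswith((".dll", ".cpl")) and not icon.startswith("c:\\windows\\")

def scan_directory(root):
    """Yield (path, fields) for every suspicious .lnk below root; unparsable files are skipped."""
    for path in Path(root).rglob("*.lnk"):
        try:
            fields = parse_lnk(path.read_bytes())
        except (ValueError, struct.error, UnicodeDecodeError):
            continue
        if is_suspicious(fields):
            yield path, fields

def build_sample_lnk(icon_location):
    """Constructed test data: a minimal shortcut carrying only an ICON_LOCATION string."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_ICON | IS_UNICODE).ljust(HEADER_SIZE, b"\x00")
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

Run `scan_directory("E:\\")` against a mounted removable drive from a machine that is not itself browsing the drive in Explorer; a hit only means the shortcut deserves a closer look, since legitimate shortcuts can also reference icon libraries outside the Windows directory.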

“I’m sure they are feverishly working on a security update for this critical vulnerability,” says Cluley.