[!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 8062

SIMATIC S7-200/300/400, Step7, PCS7, CFC, SFC, PDM, PLCSIM,
SCL, Graph, SPS-VISU S5/S7, IBHsoftec, LOGO ...
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

[!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 8062

Post by CoMod »

Do you use DB 890 and DB 8062 in your project?
This virus was made specially for you... Who are you?
http://www.langner.com/en/index.htm
Stuxnet logbook, Sep 16 2010, 1200 hours MESZ

With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).
http://support.automation.siemens.com/W ... n/43876783
Via the internet, information is spreading about a new malware, a so-called trojan, which affects the visualization system WinCC SCADA. This malware is distributed via USB sticks. Just viewing the content of a USB stick could enable this trojan.
http://www.automationworld.com/news-7325
The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
Over the weekend of July 17-18, news broke on the “Computerworld” technology Web site about a virus attacking industrial automation giant Siemens’ WinCC and PCS7 industrial control human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems.
The virus exploited Microsoft Windows operating systems when Universal Serial Bus (USB) memory sticks are inserted in a host computer and automatically loaded.

In response to a query from Automation World, Siemens Industry Inc. (http://www.usa.siemens.com/industry) spokesperson Michael Krampe issued the following statement:

"Siemens was notified about the virus that is affecting its Simatic WinCC SCADA (Supervisory Control and Data Acquisition) systems on July 14. The company immediately assembled a team of experts to evaluate the situation. Siemens is taking all precautions to alert its customers to the potential risks of this virus.

"Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments."

Well-known industrial cyber-security expert Eric Byres and his team conducted a weekend analysis, and Byres has issued a statement and is offering a White Paper analysis. Here is his analysis:

“Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.

“As best as I can determine, the facts are as follows:
• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (There are workarounds which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products and hardware PLC S7-315 and S7-417.
• The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage and sabotage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The malware infects PLCs S7-315 and S7-417 via modified S7 DLLs.

• The only known workarounds are:
• NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
• Disable the displaying of icons for shortcuts (this involves editing the registry)
• Disable the WebClient service

“My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from http://www.tofinosecurity.com/professio ... cc-malware .

“If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already http://www.tofinosecurity.com web members do not need to reregister.”
http://www.eset.com/press-center/articl ... -iran/7609
ESET Analysis: Worm Win32/Stuxnet Targets Supervisory Systems in the U.S. and Iran
SAN DIEGO – July 19, 2010 – ESET has issued a warning against a worm dubbed Win32/Stuxnet, which threatens users around the globe.
Exploiting a vulnerability in Windows® Shell, this dangerous threat is detected by ESET as LNK/Autostart.A.
It is used in targeted attacks to penetrate SCADA systems, especially in the United States and Iran. SCADA are supervisory and monitoring systems used in many industries, for instance in power engineering...
The danger lies in the Windows® OS vulnerability connected with processing of LNK files.
Experts expect even more malware families to begin to exploit this security gap in the near future.
Russian
The known variants of this type of malware are specifically aimed at Siemens Step7, WinCC and PCS7 products and the S7-315 and S7-417 controllers. For now...
http://www.esetnod32.ru/.company/news/? ... &year=2010
Win32/Stuxnet poses a major threat to industrial enterprises.
Do you use DB 890 and DB 8062 in your program?
Then this virus was written specially for you... I wonder who you are?

When this malware runs, it uses previously unknown vulnerabilities in the handling of LNK files stored on a USB drive and in the operation of the print service.
The malicious code executes thanks to a vulnerability in Windows Shell related to the display of specially prepared LNK files.
The malicious code modifies the DLL libraries of the Step7/WinCC/PCS7 programming packages on the engineering station,
through which, where possible, it writes its own versions of certain OB, FC and DB blocks into the S7-315 and S7-417 controllers.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus for WinCC and Preventive medicine

Post by CoMod »

Preventive medicine - disable LNK and PIF
http://support.microsoft.com/kb/2286198
or
http://www.youtube.com/watch?v=Gucn5xWZ1m8

Clear the registry LNK tools
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler = [] (set empty)
Delete any value that is specified there (the parameter should be "empty").
Result: Windows will not run LNK tools and will not show LNK shortcut icons for drives.

Start>Run>Regedit

Stop and Disable WebClient
MyComputer>Manage>Service and Application>Service>WebClient
Stop + Disable + Apply

Restart PC :(
Russia wrote: Preventive medicine
1) edit the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
Delete any value set there (the parameter should be "empty"). That way Windows will not show icons for shortcuts.
Zero out LNK
Start>Run>Regedit

2) disable the WebClient service (which many people do not need at all).
Disabling the service means setting its startup type to "disabled" and then stopping it.
Block WebClient
MyComputer>Manage>Services and Applications>Services>WebClient
Stop + Disabled + Apply
Restart the PC
RESULT :(
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus for WinCC and Preventive medicine

Post by CoMod »

http://support.automation.siemens.com/W ... n/43877513
New info from Siemens wrote:Current information on malware in connection with Simatic Software
The software/malware detects WinCC and Step 7 programs from Siemens and their data and can also contact and communicate with certain websites/servers...
autho
Posts: 8
Joined: Thu Jun 08, 2006 6:10 am
Location: Iran

Re: [!]: Virus for WinCC and Preventive medicine

Post by autho »

Hi
Install Microsoft Security Essentials and update it from Microsoft. It will remove the trojans Stuxnet.A and Stuxnet.B from your system.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus for WinCC and Preventive medicine

Post by CoMod »

Update from Siemens
http://support.automation.siemens.com/W ... n/43876783
Product Information July 22, 2010:
* Tool now available to detect and remove virus
sysclean.zip

SIMATIC Security Update available
SIMATIC_Security_Update_20100722.exe
....
=========== Very bad news for Siemens ====================
Kaspersky wrote: Stuxnet for WinCC - Made in INDIA
http://translate.google.com/translate?j ... l=ru&tl=en
The expert from Kaspersky Lab, July 15, 2010 wrote: If you look at these statistics mapped onto the world, it becomes clear that the centers of the epidemic are three countries - Iran, India and Indonesia (all three start with the letter "I", funny).
In each of these countries the number of incidents recorded by KSN is over 5000.
Realtek is a hardware company, and writing software for its devices is a side process, for which the best option is the use of outsourcers.
And which country is the world leader in outsourced programming?
Correct: India.
Can an outsourcer creating software for the company have the means to "sign" the program with this company's certificate? Probably yes.
Thus, one can assume that the malicious program was created precisely in India (see the map) and, perhaps, not without an insider among the developers of applications for Realtek.
Possibly this Indian insider also works on programming the new Siemens WinCC/PCS7 :(


Kaspersky wrote: Stuxnet for WinCC - what it made
http://translate.google.com/translate?j ... l=ru&tl=en
Indeed, Stuxnet tries to connect to the WinCC SCADA visualization system using the "default password" that Siemens built into its program.

The worm includes a very interesting component, a DLL file, which is a kind of "wrapper" around the real, original DLL from Siemens.
This "wrapper" is what tries to interact with WinCC, redirecting most of the functions to the original DLL.
The other functions it emulates itself!

These are the functions:
s7db_open
s7blk_write
s7blk_findfirst
s7blk_findnext
s7blk_read
s7_event
s7ag_test
s7ag_read_szl
s7blk_delete
s7ag_link_in
s7db_close
s7ag_bub_cycl_read_create
s7ag_bub_read_var
s7ag_bub_write_var
s7ag_bub_read_var_seg
s7ag_bub_write_var_seg

In addition, the module contains multiple encrypted blocks of data (an example of one of the decoded blocks):
Russian wrote: http://www.securelist.com/ru/blog/34302 ... a_Epizod_3
Alexander Gostev
Kaspersky Lab expert
published 15 Jul 2010, 13:59 MSK
Thus, one can assume that the malicious program was created precisely in India (see the map) and, possibly, not without an insider among the developers of applications for Realtek.
So he also writes programs for Siemens, since he wrote the infection specially for WinCC/PCS7 :(

http://www.securelist.com/ru/blog/34310 ... d_5#c36364
Indeed, Stuxnet tries to connect to the WinCC SCADA visualization system using the "default password" that Siemens built into its program.

The worm includes a very interesting component, a DLL file, which is a kind of "wrapper" around the real, original DLL from Siemens.

This "wrapper" is what tries to interact with WinCC, redirecting most of the functions to the original DLL. The remaining functions it emulates itself!

These are the functions:
s7db_open
s7blk_write
s7blk_findfirst
s7blk_findnext
s7blk_read
s7_event
s7ag_test
s7ag_read_szl
s7blk_delete
s7ag_link_in
s7db_close
s7ag_bub_cycl_read_create
s7ag_bub_read_var
s7ag_bub_write_var
s7ag_bub_read_var_seg
s7ag_bub_write_var_seg

In addition, the module contains several encrypted data blocks (an example of one of the decrypted blocks)
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus for WinCC and Preventive medicine

Post by CoMod »

Download MS HotFix for your OS from http://www.microsoft.com/technet/securi ... 0-046.mspx
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
This security update resolves a publicly disclosed vulnerability in Windows Shell.
The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus for WinCC and MS HotFIX KB2286198

Post by CoMod »

2010-08-04 Update info about MS HotFix
http://support.automation.siemens.com/W ... e/43876783
Siemens wrote:Important note on the Microsoft Patch
The Microsoft Patch only prevents the trojan from being installed automatically on the system.
If a user with admin-rights opens an infected LNK-file by mouse click on a computer on which the Microsoft Patch is installed, the computer will become infected - if no virus scanner has been installed.
To avoid such an infection, it is strongly recommended that users only log in with power user rights.
Power users do not have the necessary permissions to start code from another drive.
For additional security use an approved virus scanner.
==== Russian ========
greg2008 wrote:http://www.securelist.com/ru/blog/32867 ... vypushchen
"I will be brief, but I would like to draw your attention: the Microsoft security bulletin MS10-046 has finally been released, providing a patch for the LNK vulnerability that was originally exploited by the Stuxnet malware. If you have not installed the patch yet, be sure to do so.
This critical vulnerability is being actively exploited by cybercriminals"
I will be brief - this patch will not save you from modifications of this virus:
- if you have administrator rights
- if you yourself click on an infected icon or PIF
- if the installed antivirus does not know about the new modification of the virus.
And this "patch" only covers autorun when the drive is opened :( - otherwise it is the same hole, but with a sticker "Thought you were protected..."
sanruku
Posts: 66
Joined: Tue May 12, 2009 9:50 am

Re: [!]: Virus for WinCC and MS HotFIX KB2286198

Post by sanruku »

Hi

Take a look here:
http://www.langner.com/en/index.htm

& here:
http://www.digitalbond.com/index.php/20 ... g-picture/

for more info on the virus...
Stuxnet inside PLC !? wrote:Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC.
Based on a conditional check, original code for OB 35 is manipulated during the transmission.
If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called.
OB 35 is the 100 ms timer in the S7 operating environment.
The Step7 code that Stuxnet injects calls FC 1874.
Depending on the return code of FC 1874, original code is either called or skipped...
http://www.symantec.com/connect/blogs/e ... on-process
symantec wrote:
1. Determining which PLCs to infect.

Stuxnet infects PLCs with different code depending on the characteristics of the target system.
An infection sequence consists of PLC blocks (code blocks and data blocks) that will be injected into the PLC to alter its behavior.
The threat contains three infection sequences.
Two of these sequences are very similar, and functionally equivalent. We dubbed these two sequences A and B.
The third sequence was named sequence C.
Stuxnet determines if the system is the intended target by fingerprinting it.

It checks:

* The PLC type/family: only CPUs 6ES7-417 and 6ES7-315-2 are infected
* The System Data Blocks: the SDBs will be parsed, and depending on the values they contain, the infection process will start with method of infection A, B or none. When parsing the SDBs the code searches for the presence of 2 values (7050h and 9500h), and depending on the number of occurrences of each of these values sequence A or B is used to infect the PLC.

The code also searches for the bytes 2C CB 00 01 at offset 50h in the SDB blocks, which appear if the CP 342-5 communications processor (used for Profibus-DP) is present. If these bytes are not found then infection does not occur.

Infection conditions for sequence C are determined by other factors.


2. Method of infection

Stuxnet uses the code-prepending infection technique. When Stuxnet infects OB1 it performs the following sequence of actions:

1. Increases the size of the original block
2. Writes malicious code to the beginning of the block
3. Inserts the original OB1 code after the malicious code

As well as infecting OB1, Stuxnet also infects OB35 in a similar fashion. It also replaces the standard coprocessor DP_RECV code block with its own, thereby hooking network communications on the Profibus (a standard industrial network bus used for distributed I/O).

The overall process of infection for methods A/B is as follows:

* Check the PLC type; it must be an S7/315-2
* Check the SDB blocks and determine whether sequence A or B should be written
* Find DP_RECV, copy it to FC1869, replace it with a malicious copy embedded in Stuxnet
* Write the malicious blocks (in total, 20 blocks) of the sequence, embedded in Stuxnet
* Infect OB1 so that the malicious code is executed at the start of a cycle
* Infect OB35, which will act as a watchdog

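As a defender-side counterpart to the fingerprinting and code-prepending behaviour quoted above (and to Langner's DB 890 / DB 8062 check in the first post), this added example compares a trusted block baseline against what is read back from the PLC and reports prepended, replaced, relocated and new blocks. It is not code from Symantec, Langner or this forum; the block bodies are constructed placeholders, and "FC1" is an arbitrary number chosen here to stand for the DP_RECV block.

```python
"""Integrity check for an S7 block inventory: trusted baseline vs. PLC upload."""
import hashlib
from typing import Dict, List, Tuple

# Block numbers the thread names as Stuxnet fingerprints or artifacts:
# DB 890 / DB 8062 (Langner), FC 1869 (relocated DP_RECV), FC 1874 (injected hook).
INDICATOR_BLOCKS = {"DB890", "DB8062", "FC1869", "FC1874"}

Finding = Tuple[str, str, str]  # (kind, block name, detail)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_inventory(baseline: Dict[str, bytes],
                      current: Dict[str, bytes]) -> Dict[str, object]:
    """Compare blocks read back from a PLC against a trusted project baseline.

    Reported kinds:
      prepended - block grew and still ends with its baseline code: the
                  code-prepending pattern described for OB1 and OB35
      modified  - block content differs in some other way (DP_RECV swap)
      relocated - a new block whose content equals a baseline block that was
                  itself replaced (original DP_RECV copied to FC1869)
      new_block - block absent from the baseline
      removed   - baseline block no longer present on the PLC
    """
    findings: List[Finding] = []
    hash_to_name = {sha256(body): name for name, body in baseline.items()}
    replaced = set()

    # Pass 1: blocks present on both sides.
    for name, body in current.items():
        orig = baseline.get(name)
        if orig is None or body == orig:
            continue
        replaced.add(name)
        if len(body) > len(orig) and body.endswith(orig):
            extra = len(body) - len(orig)
            findings.append(("prepended", name,
                             f"{extra} bytes inserted before original code"))
        else:
            findings.append(("modified", name,
                             f"{sha256(orig)[:12]} -> {sha256(body)[:12]}"))

    # Pass 2: blocks only on the PLC. A byte-exact copy of a replaced original
    # is the relocation pattern rather than genuinely new code.
    for name, body in current.items():
        if name in baseline:
            continue
        source = hash_to_name.get(sha256(body))
        if source is not None and source in replaced:
            findings.append(("relocated", name, f"identical to original {source}"))
        else:
            findings.append(("new_block", name, f"{len(body)} bytes"))

    # Pass 3: baseline blocks that disappeared.
    for name in baseline:
        if name not in current:
            findings.append(("removed", name, "missing from PLC"))

    findings.sort()
    return {
        "findings": findings,
        "indicator_blocks": sorted(INDICATOR_BLOCKS & set(current)),
        "clean": not findings,
    }


# Constructed sample data: placeholder byte strings, not real compiled MC7 code.
BASELINE = {
    "OB1": b"ORIG-OB1-CODE",
    "OB35": b"ORIG-OB35-CODE",
    "FC1": b"DP_RECV-ORIGINAL",    # stands in for the standard DP_RECV block
    "DB890": b"PROCESS-DATA",      # part of the original application
}
INFECTED = {
    "OB1": b"INJECTED-PROLOGUE" + b"ORIG-OB1-CODE",    # prepended
    "OB35": b"INJECTED-WATCHDOG" + b"ORIG-OB35-CODE",  # prepended
    "FC1": b"MALICIOUS-DP_RECV",                       # replaced
    "FC1869": b"DP_RECV-ORIGINAL",                     # relocated original
    "FC1874": b"INJECTED-FC",                          # new block
    "DB890": b"PROCESS-DATA",
}

if __name__ == "__main__":
    report = compare_inventory(BASELINE, INFECTED)
    for kind, name, detail in report["findings"]:
        print(f"{kind:10} {name:8} {detail}")
    print("indicator blocks present:", report["indicator_blocks"])
```

The baseline should come from the engineering station's project export, not from the PLC itself, since the thread describes the Step7 DLLs on the engineering station being hooked as well.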
Update
Forum Community
Forum Community
Posts: 381
Joined: Mon Apr 12, 2010 10:59 am

Re: [!]: Virus inside S7-PLC, Step7 and WinCC. MS HotFIX

Post by Update »

http://www.symantec.com/connect/blogs/s ... 7-projects
Stuxnet Infection of Step 7 Projects
Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to zero-day vulnerabilities.
Our research has also uncovered another method of propagation that impacts Step7 project folders, causing one to unknowingly become infected when opening an infected project folder that may have originated from a third party.

Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking CreateFile-like APIs of specific DLLs within the s7tgtopx.exe process (the Simatic manager). Any project encountered by the threat in this way may be infected. Analysis additionally shows that projects inside Zip archives may also be infected through the same method.

The infection process consists of several distinct steps:

First, Stuxnet creates the following files:

* xutils\listen\xr000000.mdx: an encrypted copy of the main Stuxnet DLL
* xutils\links\s7p00001.dbf: a copy of a Stuxnet data file (90 bytes in length)
* xutils\listen\s7000001.mdx: an encoded, updated version of the Stuxnet configuration data block
.....
http://www.symantec.com/connect/de/blog ... et-dossier
When looking through our archive, we were able to find a sample from June 2009. Therefore the attackers had been active for at least a year. We would not be surprised if they started even prior to that.

w32_stuxnet_dossier.pdf
http://www.symantec.com/content/en/us/e ... ossier.pdf
Do you use DB 890 and DB 8062 in your project?
This virus was made specially for you... Who are you?
greg2008
Posts: 54
Joined: Mon Jul 28, 2008 9:06 am
Location: Russia

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by greg2008 »

Oldman
Posts: 797
Joined: Tue Aug 21, 2007 7:05 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Oldman »

Schneider Electric Industry Business’s Response to the Stuxnet Malware Issue
http://plcforum.uz.ua//S ... Citect.rar
or
http://narod.ru/disk/26682797000/Stuxne ... t.rar.html
Stuxnet malware was targeted at Siemens control systems and therefore will not directly impact Schneider Electric systems. However, as the cyber security landscape evolves, users should continuously reassess their security policies and protocols to mitigate against future attacks.

For more information on defense-in-depth strategies, you can review the PlantStruxure™ System Technical Note - How can I protect a system from cyber attacks?
http://www.citect.com/documents/STN_Ethernet.pdf
Update
Forum Community
Forum Community
Posts: 381
Joined: Mon Apr 12, 2010 10:59 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Update »

http://www.symantec.com/connect/blogs/s ... eakthrough
symantec, 11/13/2010 wrote:However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland («Vacon») and the other in Tehran, Iran.
This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.
...
Video
http://www.youtube.com/watch?v=cf0jlzVC ... r_embedded
Stuxnet Dossier v1.3 (13 November 2010)
http://www.symantec.com/content/en/us/e ... ossier.pdf
Stuxnet Dossier v1.3, p.42 wrote:The PLC is infected.
• Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records
• The CPU records the CP-342-5 addresses. The frames are examined and the fields are recorded.
• After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Who's lying?
http://www.symantec.com/connect/blogs/s ... eakthrough
(boom)
In the Symantec demo example = CPU S7-315 2DP (6ES7 315-2AF03-0AB0) with a digital output module,
with a simple program = main organization block OB1 with simple code (1 timer and 1 output).
We see that the Stuxnet virus kills the simple control system immediately at startup!
Can the virus destroy any S7 control system !?
It does not check the hardware configuration and program.
It starts immediately at startup.
And is everything written about the intelligence of the virus a lie ?
No one can be believed :(

To Langner
Not only Russian experts create automation objects in Asian countries.
For example, many Finnish companies operate in the region.

The distribution pattern and mass infection suggest that the virus is spread primarily at the domestic level - from hand to hand (from USB stick to USB stick) and not via the Internet.
How much time is necessary in order to infect the area alone?

Maybe it is easier to sell in the region a batch of cheap USB sticks/photo memory cards with the virus preinstalled?
This may explain the infection in Indonesia - there is no reactor there.

According to probability theory it could be carried onto the target object.
Therefore, one cannot assert that the virus was spread by "stupid" Russian specialists from ASE and "Power Machines".
Russian wrote: In the demo example = 1 CPU with an I/O module and the simplest program, consisting of block OB1 with one branch of code containing one timer and one output.
We see that the virus kills the simple control system immediately at startup = it just dumbly switches on the only output.
It turns out that the virus can destroy any S7 control system?!
It does not check the hardware configuration or the control program.
It starts immediately at startup.
And is everything written about the intelligence of the virus a lie?
No one can be believed.

A rebuke to the Russophobe Langner.
Not only Russian specialists build automation objects in Asian countries.
For example, many Finnish firms work in this region.
The distribution pattern and scale of infection show that the virus is spread first of all at the everyday level - from hand to hand, not via the Internet.
How much time would it take to infect this territory alone?
Maybe it is easier to sell a batch of cheap memory cards in the region with the virus already installed?
This could explain the infection of Indonesia - there are no reactors there.
By probability theory it could be carried onto the target object.
Therefore one cannot claim that the virus was spread by "stupid" Russian specialists from Atomstroyexport and Power Machines.
sanruku
Posts: 66
Joined: Tue May 12, 2009 9:50 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by sanruku »

Hi

I was wondering if anyone has the Stuxnet PLC code?

Just the pure STL code that Stuxnet injects in the PLC(s ?), not the Windows stuff (which I'm not going to understand anyway)...

Has anyone tested a Stuxnet PLC with S7 Doctor?
viewtopic.php?f=1&t=3293&p=32534&hilit=s7+doctor#p32534

Update:

Found this: http://tuts4you.com/download.php?view.3011

It claims the .rar is Stuxnet, but I am not sure.
Anyway, I'll try to set up a test environment to check it.
Last edited by sanruku on Wed Nov 17, 2010 9:18 am, edited 1 time in total.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

It claims the .rar is Stuxnet, but I am not sure.
Yes, this is Stuxnet. Very dangerous.
KIS 2009 with the latest bases (17/11/2010) does not detect it :(
KIS 2011 detects all of it.
1. Test only on a single computer.
2. Do not insert the infected memory card anywhere.
3. The USB flash drive does not always become infected. To check the USB stick/memory card, it can be viewed from DOS (started from an old CD) with Norton Commander (Show Hidden files)

KIS 2009 with today's bases did not even squeak :(
KIS 2011 detected it.
1. Test only on a separate computer.
2. Do not insert infected memory cards anywhere.
3. The flash drive is not always infected. To check a memory card, you can look at it from DOS with Norton Commander with hidden system files shown

About Gas Centrifuge
http://translate.google.com/translate?j ... ndex.shtml
Its essential element is a rotor (8) - a cylinder rotating at high speed in a gas at low pressure.
Here is a diagram of a so-called subcritical centrifuge, which means that the operating speed of the rotor is below its first resonant frequency.
As the rotor speed increases, it successively passes through the frequencies at which resonant vibrations occur, caused by the mechanical properties of the rotating system. (* By the way, that is precisely why the turbine of the Sayano-Shushenskaya power plant broke apart - but it was made with OMRON)
A centrifuge operating at a rotor rotation frequency above the resonance is called supercritical.
Here is a diagram of a so-called subcritical centrifuge, which means that the rotor's operating speed is below its first resonant frequency.
As the rotor speed increases, it successively passes through the frequencies at which resonant vibrations occur, caused by the mechanical properties of the rotating system. (*By the way, that is exactly why the turbine of the Sayano-Shushenskaya HPP fell apart - but it was built on Omron).
A centrifuge operating at a rotor speed above the resonant one is called supercritical.
and
http://translate.google.com/translate?j ... sentrifuga
Update
Forum Community
Forum Community
Posts: 381
Joined: Mon Apr 12, 2010 10:59 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Update »

SIMATIC Security Update (updated 24th January 2011)
SIMATIC_Security_Update_V1_0_SP1.exe
https://support.automation.siemens.com/ ... d=43876783
Info
Faq & Info
Faq & Info
Posts: 428
Joined: Wed Oct 05, 2005 9:00 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Info »

Symantec W32.Stuxnet Dossier
Version 1.4 (February 2011)
http://www.symantec.com/content/en/us/e ... ossier.pdf
Oldman
Posts: 797
Joined: Tue Aug 21, 2007 7:05 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Oldman »

http://translate.google.com/translate?j ... 5945.shtml
Russian wrote: apparently the Israeli comrades did a good job, since our specialists are still not sure of the facility's safety http://www.rbc.ru/rbcfreenews/20110226155945.shtml
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Oldman wrote:http://translate.google.com/translate?j ... 5945.shtml
Russian wrote: apparently the Israeli comrades did a good job, since our specialists are still not sure of the facility's safety http://www.rbc.ru/rbcfreenews/20110226155945.shtml
Do not be paranoid, Langner style
Even without Stuxnet there are many reasons (citing "safety") for unloading the fuel
June 3, 2002
http://translate.google.com/translate?j ... asp%3F6068
No need for paranoia in the Langner style
Even without Stuxnet there are many reasons for unloading the fuel on "safety" grounds
June 3, 2002
http://nuclearno.ru/text.asp?6068
CHANt
Posts: 501
Joined: Tue Jun 27, 2006 5:52 am
Location: Russia

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CHANt »

Symantec in RUSSIAN
Translation of the Symantec report with the analysis of the Stuxnet code:
http://www.phocus-scada.com/rus/pub/Stu ... ys-rus.pdf

Thanks to the firm "NAUTSILUS" Ltd., Moscow

Comments on the translation are accepted at:
http://asutpforum.spb.ru/viewtopic.php?f=13&t=1603
Info
Faq & Info
Posts: 428
Joined: Wed Oct 05, 2005 9:00 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Info »

Potential Password Security Weakness in SIMATIC Controllers = Potential external attack to passworded S7-PLCs
http://support.automation.siemens.com/W ... n/51401544

ICS-ALERT-11-186-01— PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
July 5, 2011
http://www.us-cert.gov/control_systems/ ... 186-01.pdf
Russian wrote: Potential password security weakness in SIMATIC controllers = Potential external attack on password-protected S7-PLCs
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

One year later
http://www.wired.com/threatlevel/2011/0 ... stuxnet/4/
Even the hard-coded Siemens database password had been previously exposed.
In April 2008, someone using the name “Cyber” had posted it online to German and Russian technical forums devoted to Siemens products.
This is not our Cyber
Total 2 posts about RSLogix in 2007
==============
but it exist
Russian http://iadt.siemens.ru/forum/viewtopic. ... ght=#32066
English http://translate.google.com/translate?j ... 3D%2332066
Posted: May 3, 2005 11:42 Post subject: User WinCCConnect
Found a password for the integrated user of the database WinCC 6 , who are interested, ask in private messages;)
Cyber wrote:Posted: April 11, 2008 19:27
login='WinCCConnect' password='2WSXcder'
login='WinCCAdmin' password='2WSXcde'
Russian wrote: One year later.
from the article wrote: Even the hard-coded Siemens database password had been exposed earlier.
someone using the name "Cyber" posted it on the Internet on German and Russian technical forums devoted to Siemens products
Our Cyber is not that Cyber of 2008.
They are trying to pin the problem on Cyber 2008 (from the official forum), although it was known at least 3 years earlier.
Tue May 03, 2005 11:42 Post subject: User WinCCConnect
A password has been found for this integrated WinCC 6 database user, for anyone interested
dolphinhusky
Posts: 4
Joined: Fri May 13, 2011 5:49 pm

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by dolphinhusky »

W32.Duqu = The precursor to the next Stuxnet
http://www.symantec.com/connect/w32_duq ... xt_stuxnet
http://www.symantec.com/content/en/us/e ... search.pdf
On October 14, 2011, we were alerted to a sample by a research lab with strong international connections that appeared very similar to the Stuxnet worm from June of 2010.
The threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party.
The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Lately Kaspersky shows a nasty message when you run Simatic EKB Install.
I do not know what the "store password" is.
Maybe it's a reaction:
1 - to reading the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Siemens - this is done to determine the installed Siemens software and fill in the "Required/installed keys" window.
2 - to using MS Crypt functions to decrypt the encrypted EKB keys.
An example of running an older version of the program and its results, depending on the chosen type of trust.
Russian wrote: Lately Kaspersky shows an unpleasant message when Simatic EKB Install is started.
I do not know what a "password store" is.
Possibly it is a reaction:
1 - to reading the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Siemens - this is done to determine the installed Siemens software and to fill in the "Required/installed keys" window
2 - to the use of MS Crypt functions to decrypt the installed keys.
An example of running the old version of the program and the results of its work depending on the chosen trust type.
Image
Schtiel
Site Admin
Posts: 1122
Joined: Wed Sep 06, 2006 12:03 pm
Location: CIS

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Schtiel »

CoMod wrote: I do not know what the "store password" is.
Kaspersky just detects reading from the folders c:\Documents and Settings\User\Application Data\Microsoft\Crypto\ and c:\Documents and Settings\User\Application Data\Microsoft\Protect\, nothing more...
Russian wrote: I do not know what a "password store" is.
Kaspersky simply catches access to the folders c:\Documents and Settings\User\Application Data\Microsoft\Crypto\ and c:\Documents and Settings\User\Application Data\Microsoft\Protect\...
Info
Faq & Info
Posts: 428
Joined: Wed Oct 05, 2005 9:00 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Info »

Currently, this DuQu virus does not pose a direct threat to control systems.
It does not contain the anti-PLC module.

Symantec
http://www.symantec.com/connect/blogs/d ... s-update-1
http://www.symantec.com/connect/blogs/d ... nformation
The latest version of Symantec white paper includes new information, such as details on further components we observed being downloaded onto a compromised machine.
http://www.symantec.com/content/en/us/e ... tuxnet.pdf

Gostev from Kaspersky about DuQu http://www.securelist.com/en/blog/20819 ... u_Part_One
Russian wrote: At present the DuQu virus does not pose a direct threat to control systems.
It does not contain an anti-PLC module.

Gostev from Kaspersky about DuQu http://www.securelist.com/ru/blog/40797 ... st_pervaya
http://www.securelist.com/ru/blog/40793/Duqu_FAQ
Info
Faq & Info
Posts: 428
Joined: Wed Oct 05, 2005 9:00 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Info »

http://www.symantec.com/connect/w32-duq ... ay-exploit
The DuQu installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

You still have not disconnected your control system from the Internet?
Then they will come to you (boom)
http://www.washingtontimes.com/news/201 ... medium=RSS
Washington Times, Friday, November 18, 2011: Intrusion on water tower wrote: Hackers apparently based in Russia attacked a public water system in Illinois last week and damaged one of its pumps.
The "Public Water District Cyber Intrusion" report gives details about the attack, saying it had resulted in the "burn out of a water pump" and had been traced to an Internet address in Russia.
Federal officials said they were investigating the incident but played it down, implying that the report might be wrong.
Have you still not disconnected your control system from the Internet?
Then they will come to you (boom)
Washington Times, 18.11.2011: Intrusion on a water tower wrote: Last week hackers, apparently located in Russia, attacked a public water supply system in the state of Illinois and damaged one of the pumps.
The "Intrusion on a water tower" report gives detailed information about the attack and states that as a result "a water pump burned out", and the attack was attributed to actions from a specific Internet address in Russia.
Federal officials stated that they are investigating the incident but played it down, meaning that the report may be wrong (fake)
CatCesar
Posts: 82
Joined: Tue Oct 24, 2006 12:01 pm
Location: Ukraine

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CatCesar »

Comparison of Antivirus Software for Detecting Various Types of Stuxnet

In this article we look at security products that are the main tools for disinfecting malware.
We compare them with each other for detecting various types of Stuxnet malware in seven infected PCS7 projects.
See the results

http://www.controlglobal.com/articles/2 ... -view.html
Oldman
Posts: 797
Joined: Tue Aug 21, 2007 7:05 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Oldman »

jpavic
Posts: 8
Joined: Fri Feb 16, 2007 5:53 pm
Location: Croatia

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by jpavic »

Virus Stuxnet

I know Stuxnet is an old subject, but I have some questions:
1) How can we know that the PC (the programming PC, not the server) is really infected by Stuxnet?
2) Can Stuxnet attack OP panels of type TP177B or not?
3) For protection against Stuxnet, is it enough to have the antivirus program Microsoft Security Essentials installed on the PC?
4) How can we clean an infected CPU? Is it enough to delete the online program from the memory card?
5) Is it possible, before starting the PLC and after download, to check all blocks and see if the PLC is infected by Stuxnet?
Please can you explain these questions to me.
Thanks in advance
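One way to approach question 5 (checking all blocks for tampering) is to keep a fingerprint of every block in the verified engineering project and diff it against what the PLC actually contains after a download or during operation. The following is an added example written for this thread, not code from the forum, from Siemens or from any poster; block contents are constructed sample bytes, and the block name FC9999 is a placeholder for a block the project never had.

```python
"""
Added example (not the forum's or Siemens' code): check a PLC's block inventory
against a baseline taken from the engineering project. Block contents here are
constructed sample bytes; in practice the baseline comes from the verified
project and the current set from an online upload of the CPU.
"""
import hashlib
import json
from typing import Dict, List


def fingerprint(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Map a block name such as 'OB35' to the SHA-256 of its raw bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


def save_baseline(fp: Dict[str, str]) -> str:
    """Serialize the baseline; keep the text on read-only media, off the engineering PC."""
    return json.dumps(fp, sort_keys=True, indent=2)


def load_baseline(text: str) -> Dict[str, str]:
    return json.loads(text)


def compare_inventory(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Blocks added, removed or changed in `current` relative to `baseline`."""
    base_names, cur_names = set(baseline), set(current)
    return {
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
        "modified": sorted(n for n in base_names & cur_names if baseline[n] != current[n]),
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


# Constructed sample: the blocks as the verified project contains them.
PROJECT_BLOCKS = {
    "OB1": b"OB1 main cycle, constructed sample",
    "OB35": b"OB35 cyclic interrupt, constructed sample",
    "FC1": b"FC1 pump control, constructed sample",
    "DB100": b"DB100 process values, constructed sample",
}

# Constructed sample of an upload from a tampered PLC: FC9999 is a placeholder
# name for a block the project never had, and OB35 now begins with a call into it.
TAMPERED_PLC_BLOCKS = dict(PROJECT_BLOCKS)
TAMPERED_PLC_BLOCKS["FC9999"] = b"FC9999 injected block, constructed sample"
TAMPERED_PLC_BLOCKS["OB35"] = b"CALL FC9999; " + PROJECT_BLOCKS["OB35"]


def audit(plc_blocks: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Round-trip the baseline through its stored form, then diff it against the upload."""
    baseline = load_baseline(save_baseline(fingerprint(PROJECT_BLOCKS)))
    return compare_inventory(baseline, fingerprint(plc_blocks))


if __name__ == "__main__":
    report = audit(TAMPERED_PLC_BLOCKS)
    print("clean" if is_clean(report) else "tampered: %s" % report)
```

The comparison is only as good as the upload it is fed: Stuxnet also hooked the Step7 communication DLL on the infected engineering station so that its injected blocks were hidden from that station's own block listing, so take the upload from a separately maintained, known-clean programming device rather than from the PC under suspicion.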
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Old Stuxnet is dead by its internal date limit [dead]
KIS2014 detects it (try the KIS trial version)

after Stuxnet, new viruses were released - from Israel, USA and China :(

Use LINUX or MSDOS for testing a USB flash stick - you can view HIDDEN files (placing a photo=screenshot for MSDOS)
Image

Microsoft Security Essentials??
= NSA/CIA and the new Edward Joseph Snowden ?

Can Stuxnet attack OP panels of type TP177B or not??
Possibly the TP177B dies by itself without any virus :)
Image
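The suggestion above, inspecting the stick from a system that will not execute anything on it, can be made systematic. The script below is an added example for this thread (not code from the forum or from Siemens): it walks a mounted stick without following symlinks, reports every entry that is hidden (a dotfile on Linux, or the FAT "hidden" attribute when run on Windows) or of a type removable-media malware relies on, and records a SHA-256 for each so the list can be compared with what the engineer actually copied onto the stick. Shortcut (.lnk) files are on the watch list because Stuxnet's removable-media infection used them. The sample stick is constructed in a temporary directory.

```python
"""
Added example (not the forum's or Siemens' code): inventory a mounted USB stick
and flag the entries that deserve a second look before the stick is plugged
into an engineering PC. The sample stick below is constructed for the demo.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# File types worth a second look on an engineering USB stick.
SUSPECT_SUFFIXES = {".lnk", ".exe", ".dll", ".scr", ".pif", ".com", ".sys", ".tmp"}
SUSPECT_NAMES = {"autorun.inf"}


def is_hidden(entry: os.DirEntry) -> bool:
    """Dotfile on Unix, or the FAT/NTFS 'hidden' attribute when running on Windows."""
    if entry.name.startswith("."):
        return True
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_stick(mount_point: str) -> List[Dict]:
    """Walk the stick without following symlinks; return flagged files with reasons."""
    findings = []
    pending = [mount_point]
    while pending:
        directory = pending.pop()
        with os.scandir(directory) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False):
                    pending.append(entry.path)
                    continue
                if not entry.is_file(follow_symlinks=False):
                    continue
                reasons = []
                suffix = Path(entry.name).suffix.lower()
                if is_hidden(entry):
                    reasons.append("hidden")
                if suffix in SUSPECT_SUFFIXES:
                    reasons.append("suspect type " + suffix)
                if entry.name.lower() in SUSPECT_NAMES:
                    reasons.append("autorun file")
                if reasons:
                    findings.append({
                        "path": os.path.relpath(entry.path, mount_point).replace(os.sep, "/"),
                        "size": entry.stat(follow_symlinks=False).st_size,
                        "sha256": sha256_of(entry.path),
                        "reasons": reasons,
                    })
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample stick: a normal document and archive, plus a shortcut file
# and a hidden DLL that the engineer never copied there.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4 constructed sample document",
    "projects/plant1.zip": b"PK\x03\x04 constructed sample archive",
    "Shortcut to project.lnk": b"L\x00\x00\x00" + b"\x00" * 60,
    ".loader.dll": b"MZ constructed sample, not a real executable",
}


def build_sample_stick() -> str:
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for rel, data in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo() -> List[Dict]:
    """Build the constructed stick, inspect it, and clean up."""
    stick = build_sample_stick()
    try:
        return inspect_stick(stick)
    finally:
        shutil.rmtree(stick, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["size"], f["sha256"][:16], ", ".join(f["reasons"]))
```

Point `inspect_stick()` at the mount point of a real stick (for example `/media/usb`) on a host where the stick is mounted with `noexec`; an empty result means only that nothing matched the watch list, so the full file list should still be compared against the expected contents.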
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

ONLY https://plcforum.uz.ua PLACES ORIGINAL LINKS TO EKB INSTALL
WITHOUT BACKDOOR
Our project is not commercial
We do not earn money on the links
Romanians are making money on relinking our (your) links
And now they distribute modified EKB install - beware of backdoors and viruses in their "re-issued" version

Image

our project is not commercial
we do not make money on the links
so if you do download, download from the time-tested original source
the Romanian is making a business of relinking our (your) links
and now he is also forging the "holy" - beware of backdoors and viruses in his re-issued version

Image
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Wait new version of ObamaNet (h)
Obama Confronts Complexity of Using a Mighty Cyberarsenal Against Russia
http://www.nytimes.com/2016/12/17/us/po ... tions.html
Image

Russia, Ufa, 2016/07/16, 5 dead... Clintax64
Image

Stuxnet lives anew (boom)
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Russian hackers... yes yes... Putin hacker... PocketPutin_v7
Image
Pocket Putin WinCC Server :)

Vault 7: CIA Hacking Tools Revealed
https://wikileaks.org/ciav7p1/cms/page_ ... 7BSGBSYBSk
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Fake news

Post by CoMod »

http://www.dw.com/en/reports-german-gov ... a-38506101
In government circles, for example, this would include an attack on an electricity grid or another hacking of the Bundestag - Germany's lower house of parliament. In this case, it would also be possible to remove the servers on which stolen parliament data is located.
Image
Image
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by CoMod »

Backup to external HD/DVD and Update Antivirus !!!
Global attack (boom)
Image

Make backup copies of important data on external media
tem87
Posts: 31
Joined: Fri Feb 22, 2013 10:34 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by tem87 »

A new infection has shown up: it is called Triton, also known as Trisis.
They say it showed up somewhere in the Middle East.
The antivirus sites are silent.
Do they already detect it in their latest updates or not? Unclear.
So far I have found a mention only on symantec.
CoMod
Site Admin
Posts: 3992
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Numerous critical vulnerabilities have been found

Post by CoMod »

"Transneft" announced its refusal to cooperate with Schneider Electric, which supplied the corporation with automated process control systems.
"Numerous critical vulnerabilities have been found. Vulnerabilities were also revealed in the built-in protection mechanisms of the automated process control system," Maxim Grishanin said, adding that the data was sent to Schneider Electric, but the response from the supplier took a very long time. "We tried to call them to order for six months; after many reminders the matter shifted. Now we are forbidden to use this manufacturer's equipment in the Transneft system."
Transneft is the world's largest pipeline company; it owns more than 69,000 kilometers of main pipelines, more than 500 pumping stations and about 23 million cubic meters of reservoir tanks, and the company also transports more than 85 percent of the oil produced in Russia.
The problem with Schneider is not just in the ethereal "vulnerabilities" which fakers from "negative technologies" invent for self-advertisement purposes, but in that the equipment stops for reasons still unknown to anyone... sometimes they nod at the network and communication cables :shock:
Image
Transneft announced its refusal to cooperate with the company Schneider Electric, which supplied the corporation with automated process control systems (ICS).
"Numerous critical vulnerabilities were found. Vulnerabilities were also found in the built-in protection mechanisms of the process control system," Maxim Grishanin clarified, adding that the data obtained were passed to Schneider Electric, but the reaction from the supplier took a very long time to arrive. "For six months we tried to call them to order; after repeated reminders the matter moved. Now we have banned the use of this manufacturer's equipment in the Transneft system."
The problem with Schneider is not just in the ephemeral "vulnerabilities" that fakers from "negative technologies" invent for self-promotion, but in that the equipment stops for reasons still unknown to anyone... sometimes they nod at the network and the communication cables.
Info
Faq & Info
Posts: 428
Joined: Wed Oct 05, 2005 9:00 am

Re: [!]: Virus inside S7-PLC, Step7, WinCC. DB 890 and DB 80

Post by Info »

(sfaq) https://support.industry.siemens.com/cs ... d-specter)
On the 3rd and 8th of January 2018 Microsoft released updates for the Windows operating systems to close the vulnerabilities grouped under the names Meltdown and Spectre.
There are compatibility issues with these updates; see e.g. the notes in the Windows Server 2012 R2 Update
(https://support.microsoft.com/en-us/hel ... -kb4056895).
According to current knowledge, these compatibility problems also affect SIMATIC products.
For this reason, we recommend that you do not install these security updates.

As new information becomes available, this post will be updated.
Post Reply