It could be lights out as USB worm Stuxnet attacks networks

21 Jul 2010

A new form of malware that began by being transmitted from USB devices is attempting to steal data from IT systems used in the utilities sector, in particular SCADA software (Supervisory Control and Data Acquisition), used to manage power grids.

IT security and data protection firm Sophos has issued new guidance and research on a Windows zero-day vulnerability that is already being used to target critical infrastructure systems, and for which exploit code has been made widely available.

Since first reporting on the vulnerability earlier this week, Sophos has now detected an additional variant of the malware payload, prompting concerns that further examples of the attack will materialise as the hackers attempt to avoid detection.

Termed the “CPLINK” vulnerability by SophosLabs, researchers have found that the vulnerability is present in all Windows platforms – including Windows 2000 and Windows XP SP2, both of which Microsoft ceased official support for last week.

Initially associated with removable USB storage devices, the CPLINK vulnerability requires no direct user interaction to deliver its payload, which Sophos has named the Stuxnet-B Trojan.

Early versions of the malware have been programmed to seek out SCADA software by Siemens Corporation, which is used in managing industrial infrastructures, such as power grids and manufacturing plants.

“The threat from the exploit is high as all a user has to do is open a device or folder – without clicking any icons – and the exploit will automatically run,” said Graham Cluley, senior technology consultant at Sophos.

“With an additional variant of the malware already on the loose, the potential for this exploit to become more widespread is growing rapidly.”

The need to change passwords

The issue has been compounded by the revelation that default passwords, hardcoded into the Siemens SCADA system, have been widely available on the Net since 2008 – and Siemens has issued guidance that operators should not now change passwords in response.

“Siemens is worried that if critical infrastructure customers change their SCADA password – to hinder the malware’s attempt to access their system – they could at the same time throw their systems into chaos,” continued Cluley.

“This is a horrible situation. Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn’t be hard-coded to expect the password to always be the same – which results in any change to the password resulting in a right royal mess.”

Sophos has updated its protection for customers, detecting the attacks that have already been seen and issuing proactive defences against future threats based upon the exploit. Microsoft, meanwhile, is believed to be working on an emergency patch to fix the vulnerability in their software.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years