Brian Krebs reported last week on recently discovered malware that attempts to compromise Siemens SCADA (supervisory control and data acquisition) systems - the systems that run industrial processes and utilities like pipelines, refineries, chemical plants, and electrical systems.
The malware spreads via USB drives and takes advantage of previously unknown flaws in Windows operating systems. See Experts Warn of New Windows Shortcut Flaw. Network World has a follow-up article, New virus targets industrial secrets, that provides a good explanation of how the virus spreads.
SCADA systems run critical infrastructure, and Siemens is a key manufacturer. This type of malware can't be dismissed lightly. We do not know how long the virus has been in the wild, where it has spread, or what systems may be affected. If a virus has infiltrated control systems for the power grid or pipelines, there is no telling how much damage could be caused.
Many in the security community have been concerned about this type of malware but it doesn't get much publicity (however, see this video: Sabotaging the System: 60 Minutes reports on our dismal Internet security, a report by 60 Minutes from last November).
I zeroed in on one paragraph from KrebsonSecurity:
Ulasen said the malware installs two drivers: “mrxnet.sys” and “mrxcls.sys.” These so-called “rootkit” files are used to hide the malware itself so that it remains invisible on the USB storage device. Interestingly, Ulasen notes that both driver files are signed with the digital signature of Realtek Semiconductor Corp., a legitimate hi-tech company.
Protecting digital signatures, and the private signing keys behind them, is critical for Internet security. That private key is the "secret password" that makes cryptography work. Yet the hardware and general-purpose operating systems that run Internet, consumer, and business software (and therefore all of their applications) are incapable of fully protecting critical cryptographic signing keys. They can only do a marginal job through obfuscation. We live with this compromise every day. DNSSEC will help with authentication, but without immunity to malware and rootkits we can never be secure.
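The two paragraphs above make the defender's problem concrete: a driver can carry a perfectly valid Authenticode signature from a legitimate vendor and still be a rootkit. The script below is an added example, not code from the original post or from Siemens or Krebs; it lists loaded kernel drivers with their signature status and signer, and flags anything unsigned, invalidly signed, signed by someone outside a site baseline, or carrying one of the file names quoted in the post. It assumes Windows PowerShell 5.1 or later in an elevated session, and the expected-signer list is a constructed placeholder to be replaced with each site's own baseline.

```powershell
# Added example (not from the original post). Inventory loaded kernel drivers and their
# Authenticode signers so that unexpected signers, or the driver names quoted in the post,
# stand out for review. Requires an elevated Windows PowerShell 5.1+ session.

$driverNamesFromPost = @('mrxnet.sys', 'mrxcls.sys')        # file names quoted by Ulasen in the post
$expectedSigners     = @('Microsoft Windows',                # constructed placeholder baseline;
                         'Microsoft Windows Hardware Compatibility Publisher')  # fill from your own build

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName comes back as \??\C:\..., \SystemRoot\System32\..., or a path relative to
        # %SystemRoot%; normalise all three forms to a plain filesystem path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip drivers whose binary is not on disk

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $name   = [IO.Path]::GetFileName($path).ToLower()
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        $flags = @()
        if ($driverNamesFromPost -contains $name) { $flags += 'NAME-FROM-POST' }
        if ($sig.Status -ne 'Valid') {
            $flags += "SIG-$($sig.Status)"                     # NotSigned, HashMismatch, NotTrusted, ...
        } elseif (-not ($expectedSigners | Where-Object { $signer -like "*CN=$_*" })) {
            $flags += 'UNEXPECTED-SIGNER'                      # valid chain, but not a signer we build with
        }

        [pscustomobject]@{
            Driver = $name
            State  = $_.State
            Status = $sig.Status
            Signer = $signer
            Flags  = ($flags -join ',')
        }
    } |
    Where-Object { $_.Flags } |        # show only the drivers that need a human look
    Sort-Object Driver |
    Format-Table -AutoSize
```

A driver signed with a stolen but still-trusted vendor certificate, as the post describes, passes the `Status` check with `Valid`; it is the signer baseline and the known file names that surface it, which is exactly why signature validity alone is not a clean bill of health.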
I hope Siemens' customers are working overtime to determine that they have not been compromised.
Very informative blog. We need to find out a solution to the malware, else it leaks the secrets and breaks all the security levels.
Posted by: rsa private key | 01/17/2011 at 08:29 AM
Hey Steve, the malware that attempts to compromise Siemens SCADA systems is quite threatening. I was shocked to read about it. Those in the security community need to find out a solution as early as possible, before it destroys the security provided by digital signatures and leaks the industrial secrets. Thanks for such an informative post.
Posted by: e signature | 01/15/2011 at 09:44 PM