FYI Virus outbreak affecting Scada\Citect

Discussion in 'Business & Enterprise Computing' started by Bionic, Jul 16, 2010.

  1. Bionic

    Bionic Member

    Joined:
    Jun 27, 2001
    Messages:
    3,158
    Location:
    Shoalhaven - NSW
    Just making everyone aware who looks after Production Control systems that use Scada\Citect systems:
    http://it.slashdot.org/story/10/07/15/1955228/Malware-Targets-Shortcut-Flaw-In-Windows-SCADA
     
  2. Glide

    Glide Member

    Joined:
    Aug 22, 2002
    Messages:
    1,151
    Location:
    Was: Sydney Now: USA
    ouch! not my industry but interesting none the less.
     
  3. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    I see half of my detections come from USB drives... this will hit you soon enough :)
     
  4. GTiRolla

    GTiRolla Member

    Joined:
    Apr 17, 2007
    Messages:
    352
    Location:
    Canberra :(
    Lucky for me, we deny access to all USB devices except a few...

    has been a godsend with casuals plugging shit in to try and charge their phones / ipods / etc
     
  5. QuakeDude

    QuakeDude ooooh weeee ooooh

    Joined:
    Aug 4, 2004
    Messages:
    8,435
    Location:
    Melbourne
    The exploit would have to use the Cicode language, and it's scary just what you can do with that.

    Glad I don't work for them anymore, helpdesk calls are going to be fucking nuts if this breaks out properly :(
     
  6. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    POC came out nice and quick. Hopefully this turns into something amusing, especially when it hits privileged users on a large network.

     
  7. geniesis

    geniesis Member

    Joined:
    Aug 27, 2007
    Messages:
    190
    One method that may work is using Deep Freeze.

    http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeCorporate.aspx

    It literally runs a machine under a "non-persistent disk" mode.

    Hence, after every reboot, any changes to the filesystem are lost.

    I have seen it run at a place that was hit by a virus. The virus didn't last very long.

    However, it did have a negative impact with another worm that came out quite a while ago, which, whilst spreading, caused WinXP to crash. This caused the frozen machines to reboot uninfected only to get infected again and crash. Ended up having to shut down the entire network and patch the hole on each machine to get rid of it.
     
  8. FantoM_CircuiT

    FantoM_CircuiT Member

    Joined:
    Oct 21, 2002
    Messages:
    1,052
    Location:
    Melbourne
    Well great job at selecting a nice, secure stable OS to run those large complex high-risk systems. There isn't a :rolleyes: big enough.
     
  9. QuakeDude

    QuakeDude ooooh weeee ooooh

    Joined:
    Aug 4, 2004
    Messages:
    8,435
    Location:
    Melbourne
    Oh, you'd be surprised at just how Windows-inept a lot of the contractors who implement such systems are.

    In my 4 years of working at Citect, I was hard pressed to come across anyone who actually knew a fair bit about the underlying OS. You have to remember - they're engineers, not IT people :)
     
  10. CordlezToaster

    CordlezToaster Member

    Joined:
    Nov 3, 2006
    Messages:
    4,065
    Location:
    Melbourne
  11. GooSE

    GooSE New Member

    Joined:
    Jun 26, 2001
    Messages:
    6,679
    Location:
    Sydney
    Gotta love those self-professed engineers.

    I am a real engineer (B.Eng at uni) and I studied SCADA as well as OS development.
     
  12. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,261
    Location:
    Brisbane
    I wish Australia would take Canada's lead, and ban the use of the word "Engineer" unless the person is an honest-to-god true engineer.

    Much like you can't call yourself a doctor or architect in this country without a supporting qualification. I don't understand why such a high-impact field such as engineering is allowed to escape, and any fool can call themselves an engineer.
     
  13. AzzKikr

    AzzKikr Member

    Joined:
    Aug 25, 2002
    Messages:
    1,078
    Location:
    .au
    So what defines an "honest-to-god true engineer"?

    The Oxford Dictionary states that (amongst other things) the definition of 'Engineer' is "a skilful contriver or originator of something". Wikipedia defines an Engineer as "a professional practitioner of engineering, concerned with applying scientific knowledge, mathematics and ingenuity to develop solutions for technical problems" and Engineering as "the discipline, art and profession of acquiring and applying technical, scientific, and mathematical knowledge to design and implement materials, structures, machines, devices, systems, and processes that safely realize a desired objective or invention."

    I agree that the use of titles such as Civil Engineer, Structural Engineer, Electrical Engineer, etc, should be restricted - given what these Engineers do, there's no reason why Joe Citizen should have such a title without the appropriate degree.

    However, setting aside the simple fact that Engineers Australia doesn't like it, there's no reason why an appropriately qualified IT Professional shouldn't be allowed to call themselves an "IT Systems Engineer" or something similar. By the definitions listed above, they are in all respects an 'Engineer' in their chosen field, and should thus be given an appropriate job title in line with the work they perform and their level of qualification within their industry.

    *dons his flame-proof suit* :leet: :thumbup:

    -A.
     
  14. wazza187

    wazza187 Member

    Joined:
    Mar 3, 2003
    Messages:
    2
    Firstly, the Article states that it is targeting SIEMENS WinCC systems, which is not CitectSCADA and does not use CiCode.

    Secondly, Cicode cannot run outside of Citect itself, any Cicode needs to be compiled and run inside of a Citect project.

    Thirdly, if a system is not secured properly, and a virus like this is installed on a machine, then any malicious code can do anything to any file belonging to any program... this is not due to a security flaw in any product other than the OS, although it is interesting to see that a particular case has been seen to target a specific industrial product, for which we only have one person's experience, mentioned in one sentence on: http://www.reconstructer.org/main.html then referenced by the online 'media'....

    *Edit*
    OK, after following 4 or 5 cross-referencing articles, it appears the original Forum where this was discussed is here: http://www.wilderssecurity.com/showthread.php?p=1712146
     
    Last edited: Jul 21, 2010
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,261
    Location:
    Brisbane
    Put it this way:

    In Australia, if you study architecture at a university and graduate, at the very best you can only call yourself a "Graduate Architect". If you want to call yourself an "Architect", you have to go through interviews and certification with RAIA (Royal Australian Institute of Architects) before you can legally call yourself one.

    Considering what engineers are responsible for (often the safety of many lives, regardless of sub-discipline), I find it rather worrying that any fool can (and often does) throw around such a term without it really meaning anything.

    IMHO these trivially certified individuals touting the title of "engineer" are pushing the limits. At best, they're "technicians". Calling some guy who spends his career adminning an AD rollout an "engineer" is rot.

    And for the record: I am not an engineer. And nor would I ever call myself one.
     
  16. AthlonMan

    AthlonMan (Banned or Deleted)

    Joined:
    Oct 8, 2002
    Messages:
    11,416
    Location:
    QLD.
    x2

    It's pretty ridiculous and it's getting more and more silly every year. I'd like to see some IT Licenses sometime soon too (like builders/plumbers licenses).
     
  17. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,261
    Location:
    Brisbane
    Oh hells yes. This would knock the bottom 50% of IT hack and slashers out of the market overnight.

    Too many cowboys out there. And sadly it's still an industry that bamboozles most people, which attracts these fools like flies because they're convinced they can make a quick buck with little effort.
     
  18. geniesis

    geniesis Member

    Joined:
    Aug 27, 2007
    Messages:
    190
    Licensing IT people would be quite difficult. What level of competence in what areas of IT would you license against?

    There are just too many areas: crypto, security, programming, networking, virtualization tech, mainframes, large clusters/grid computing, SANs, to name a few. Even each large software package would be an area itself: MS Windows, MS Office, Linux, etc.

    I doubt you'll be able to get somebody to learn all areas in detail.

    Isn't this why we have industry certs which expire? This allows a person to show they have competence in particular areas of IT and forces them to keep up to date.
     
  19. Ashpool

    Ashpool Member

    Joined:
    Feb 24, 2003
    Messages:
    3,352
    Location:
    Ye Olde Melbourne Town
    Would decent endpoint protection deal with this, i.e. Symantec Endpoint Protection that locked down the USB ports?
     
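The USB lockdown that GTiRolla describes in post 4 ("deny access to all USB devices except a few") and that Ashpool asks about in post 19 can be done with Windows' own device-installation restriction policy rather than a third-party agent. The script below is an added example, not code from the thread or from any vendor named in it. It assumes an elevated PowerShell session on a Windows build that ships the PnpDevice module (Windows 8 / Server 2012 or later, so not the XP boxes the thread is about), and the hardware IDs and setup-class GUIDs it allowlists are placeholders you replace with the drives and device classes your plant actually needs.

```powershell
# Added example (not from the thread): allowlist removable storage with the
# DeviceInstall\Restrictions policy keys. Everything not explicitly allowed
# is refused at install time; already-installed devices are unaffected.
# ASSUMPTION: run as Administrator; Group Policy may overwrite these keys,
# so in a domain put the same settings in a GPO instead of writing them here.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-ConnectedUsbStorage {
    # Inventory of USB mass-storage devices currently present, with the
    # hardware IDs you would paste into the allowlist below.
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                HardwareIds  = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                                   -KeyName 'DEVPKEY_Device_HardwareIds').Data
            }
        }
}

function Set-DeviceInstallAllowlist {
    param(
        # Hardware IDs of the few approved USB drives (placeholders below).
        [string[]]$AllowedHardwareIds,
        # Setup classes that must keep working: keyboard, mouse, HID by default.
        [string[]]$AllowedClassGuids = @(
            '{4D36E96B-E325-11CE-BFC1-08002BE10318}',   # Keyboard
            '{4D36E96F-E325-11CE-BFC1-08002BE10318}',   # Mouse
            '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}'    # HIDClass
        )
    )

    New-Item -Path "$Restrictions\AllowDeviceIDs"     -Force | Out-Null
    New-Item -Path "$Restrictions\AllowDeviceClasses" -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings".
    Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Value 1 -Type DWord
    # Do not let local admins override the restriction; otherwise a contractor
    # with admin rights plugs in whatever they like.
    Set-ItemProperty -Path $Restrictions -Name AllowAdminInstall -Value 0 -Type DWord

    # Allow lists are numbered string values "1", "2", ... under each subkey.
    $n = 1
    foreach ($id in $AllowedHardwareIds) {
        Set-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -Name $n -Value $id -Type String
        $n++
    }
    $n = 1
    foreach ($guid in $AllowedClassGuids) {
        Set-ItemProperty -Path "$Restrictions\AllowDeviceClasses" -Name $n -Value $guid -Type String
        $n++
    }
}

function Test-DeviceInstallAllowlist {
    # Quick check that the deny-by-default bit and the allowlist are in place.
    $deny = (Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue).DenyUnspecified
    $ids  = Get-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyUnspecified = ($deny -eq 1)
        AllowedIdCount  = ($ids.PSObject.Properties |
                           Where-Object { $_.Name -match '^\d+$' }).Count
    }
}

# Usage: list what is plugged in, then lock the host to two approved drives.
Get-ConnectedUsbStorage | Format-Table -AutoSize
Set-DeviceInstallAllowlist -AllowedHardwareIds @(
    'USBSTOR\DiskVendorA_ApprovedDrive_1.00',   # placeholder hardware ID
    'USBSTOR\DiskVendorB_ApprovedDrive_2.00'    # placeholder hardware ID
)
Test-DeviceInstallAllowlist
```

Two caveats a practitioner will want. First, the restriction only blocks new device installs; a drive that was already installed before the policy was set keeps working until you remove it (pnputil /remove-device on current builds, or Device Manager). Second, an allowlist by hardware ID stops casual charging of phones and iPods, but it does not stop a worm riding on an approved drive, so it complements rather than replaces patching the host and disabling autorun.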
  20. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,261
    Location:
    Brisbane
    Getting off topic (who wants to start the new thread?) but yes it would be difficult. However "difficult" should never be a reason not to do something worthwhile.
     