Process control / automation control systems /SCADA Security rootkit (Stuxnet) #in

Posted on August 10, 2010

Having done a fair amount of work in process control systems, and on the design and implementation of control frameworks and minimum standards for these environments over the last few years, I am always interested in reading up on the issues and threats being identified in this area.

My experience has been that the clients we have dealt with are relatively immature in how they handle these environments (from an information security point of view) and reluctant to acknowledge the threats and take the necessary steps to protect themselves. Many will not even carry out the basics, such as patch management and installing anti-virus, often because the solution vendors pressure them not to.

I noticed a short while back that there was some noise about a new “virus” that targeted WinCC. At the time I read about it only briefly, and was interested to see that it targeted one specific product and, judging from the comments, appeared to have been designed to attack one specific environment.

Details emerging now indicate something altogether different. This virus not only targets one specific environment, but is also a rootkit. It targets Siemens Step7 and WinCC: Step7 is the software used to program the Programmable Logic Controllers (PLCs) of the Simatic S7 family, and WinCC is the SCADA/HMI product that monitors them.

In an updated blog post found here, Symantec explains in a bit more detail how serious Stuxnet is and what it does:

“Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.

Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.”

Two infographics, reproduced in various places (source: Symantec), show the distribution of the worm globally. This is not a localised phenomenon affecting just one place in the world.

stuxnet global distribution

Iran, Indonesia and India are the areas most widely hit.

Stuxnet distribution graph

This virus is not just some theoretical proof of concept. Reading through some of the forums I came across this post, which could just as easily have come from a South African organisation as a foreign one:

“Hi, currently I am in Iran, xxxx commissioning of our project for steel making plant.
We have this virus everywhere here, on WinCC server, clients and so on.
This virus was probably transferred from some USB stick from customer.
At this time I am downloading Simatic patch and antivirus software from links above.
I am sure that I have had this virus minimum one month ago in my project backups too.
So tomorrow I will try to remove this virus and I will inform you.”

The poster’s USB-stick theory suggests that the environment he is in at least follows the basics of keeping the process control network separate from the organisation’s administrative network and the Internet. This worm is smart enough to recognise its target environment and to use multiple attack vectors. At the very least it infects USB memory sticks to carry itself across into the process control environment. It then spreads between Windows machines through open shares (among other vectors), replaces DLLs on the WinCC/Step7 machines, and uses the programming software to inject its own code blocks into the S7 PLCs. Note where the hiding happens: it is done on the Windows side, not by the PLC. The replaced library hooks the functions that enumerate, read and write PLC blocks, so the injected blocks are invisible to an engineer working from an infected workstation and cannot be overwritten by accident (this is the point made in the Symantec quote above). The practical consequence is that only a known-clean machine can tell you what is really running on the PLC. This is serious stuff and introduces a few degrees more complexity than has been seen before in a worm targeting these sensitive devices.

If that wasn’t bad enough, once this virus has acquired targets it reports information back to its command and control servers, and it also appears to be able to receive and execute remote commands and download further software from them.

If you run a process control / SCADA / PLC environment then you should be concerned. The IT security threat to these environments is no longer theoretical or remote. It is real, and you could be attacked, if you have not been already. It is important that you have the right governance and processes in place to give you both technical and procedural protection against attacks.
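One compensating control a practitioner can put in place today, where the vendor will not allow anti-virus on the engineering workstation, is a content-hash baseline of the control software’s install directory, verified from a known-clean boot or from a trusted machine. The Python below is an added example written for this post, not code from Symantec, Siemens or the forum poster. The directory layout and the file names comm.dll, comm_orig.dll and editor.exe are constructed placeholders for the demo; the path to the real install directory is something you supply.

```python
"""Baseline-and-verify integrity check for an engineering workstation's
software directory. Added example; the directory layout and file names below
are constructed placeholders, not vendor paths."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.

    Content hashes, deliberately not size or mtime: a library swapped for a
    hooked copy of the same size can be given the original's timestamp
    trivially, so those fields prove nothing."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        baseline[path.relative_to(root).as_posix()] = digest.hexdigest()
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_tree(root: Path, baseline: dict) -> dict:
    """Compare the directory against a stored baseline. Added files matter as
    much as modified ones: a rootkit that replaces a library often keeps the
    original beside it under another name so it can still forward calls."""
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake install tree, then simulate a
    same-size, same-timestamp library swap with the original renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Engineering"            # placeholder install dir
        (root / "bin").mkdir(parents=True)
        lib = root / "bin" / "comm.dll"              # placeholder library name
        lib.write_bytes(b"vendor library v1")
        (root / "bin" / "editor.exe").write_bytes(b"vendor editor")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(root), baseline_file)   # in real use: store off-box

        original_stat = lib.stat()
        os.rename(lib, root / "bin" / "comm_orig.dll")  # original kept for forwarding
        lib.write_bytes(b"hooked library v1")           # same length as the original
        os.utime(lib, (original_stat.st_atime, original_stat.st_mtime))  # same mtime
        return verify_tree(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline file off the workstation (a hash list stored beside the software is the first thing a rootkit would update), regenerate it only after a verified vendor update, and treat an unexplained added file as seriously as a modified one.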

Has anyone heard of any infections here in South Africa?


Further reading:

Stuxnet introduces the first known rootkit for industrial control systems

Findings from the field : Stuxnet and Siemens

The Stuxnet worm and options for remediation : Download PDF from Industrial Defender here or get it from

Feedback on ISACA KZN chapter meeting control frameworks presentation

Posted on August 07, 2010

On Thursday evening (5th August) I presented at the ISACA KZN Chapter meeting. As Chapter coordinator I have the privilege of finding speakers and venues, and from time to time an arranged speaker has other commitments and is unable to present. I always try to keep a “backup” presentation of my own, and this time around it was my (our) “Tale of two cities – or control frameworks” presentation, first presented at the IT Web Security Summit earlier in the year. This time I did the presentation without my colleague from Jhb, David Volschenk, as other work commitments prevented him from travelling to Durban for the day.

At IT Web we had 45 minutes for the presentation and Q&A, so we were fairly time constrained and did not have much time at all for discussion or questions. At the Chapter meeting we had much more time to go through the presentation at a leisurely pace, have discussion around certain aspects, and make it a much more interactive (and fun) session.

There were about 20 people present, representing the consulting firms (EY, PKF, Deloitte), public sector and private sector.

Off the top of my head (I was presenting rather than taking notes :) the main areas of discussion were:

  • Getting executive buy-in for the project
  • Getting adequate funding
  • Instilling change in an organisation where the maturity level is low and the corporate culture is such that the environment is generally poorly controlled
  • What the drivers are for implementing a control framework, particularly King 3, and how it is changing perspectives (creating the fire)
  • The implications of King 3, and how they will drive change from the top (rather than it being left to middle management to drive failed projects)
  • The apparent lack of understanding of King 3 on the part of directors, and how negative statements that have to be made in the annual financials with respect to King 3 compliance could affect their reputations and those of the organisations they represent (or what happens if they “lie” and put in statements of compliance when they aren’t compliant). Company directors really do need to start taking notice of this.
  • The implementation of a control framework is a long-term process, not a quick fix. Deciding six months ahead of the King 3 implementation deadline that the organisation needs to be compliant may be an impossible task.

In “off the record” discussions after the presentation a number of consultants wanted to know whether the failed company (Company B) was actually Company XYZ or Company ABC. The answer each time was no, it wasn’t that company; Company B is a composite of several failed projects. That said, the companies named by the other parties were not among those that went into the composite “Company B” either. It seems there are a lot of failed control framework and security framework implementations out there.

I really enjoyed the presentation and the discussions that went with it. Thanks to all who attended for your attendance and participation. If you are interested in having further discussions around this, or have me meet with your directors to discuss further, please contact me.  j-j (at) worldonline (dot) co (dot) za or on Twitter.

Thanks to Ernst & Young for hosting the chapter meeting.

See you next time at PKF.


You can find a copy of the presentation in the original article or directly here. More on King 3 here. And get a copy of the King 3 report from the IOD website.

Microsoft’s largest security patch release (ever?) #in

Posted on August 06, 2010

Microsoft is set to release its biggest set of patches ever next Tuesday. According to the Microsoft Security Response Center, Microsoft will issue fourteen security bulletins addressing thirty-four vulnerabilities, and that excludes the out-of-band patch released earlier this week for the LNK vulnerability. The list of affected products includes all supported versions of Windows, as well as various versions of MS Office (for Mac and Windows) and Silverlight. Microsoft will also be updating Windows Update, Windows Server Update Services and Microsoft Update.

Microsoft will host a webcast after the patches are released. See the details here.

Find the full content of Microsoft’s bulletin advance notice here.

Network security podcast covers Cisco 2010 Midyear Security Report #in

Posted on August 04, 2010

I was listening to the Network Security podcast this morning (the Black Hat mini-cast) and they had an interview with Mary Landesman, a senior Cisco security researcher, who discussed the Cisco 2010 Midyear Security Report, which is now available. Download here. Direct link to PDF.

Quoting the intro from the report :

The Cisco 2010 Midyear Security Report examines the major forces of change reshaping the global security landscape. These changes demand that organizations rethink their approaches to enterprise security. Current shifts — from the virtualization of operations to collaboration and social networking — provide new opportunities for criminals to infiltrate networks and steal high-value business data.

The Cisco 2010 Midyear Security Report includes:

  • Results and analysis from two new Cisco studies — one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
  • International trends in cyber-security and their potential impact on business
  • Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
  • An update on global spam trends since late 2009 and spam volume predictions for 2010
  • Guidance from Cisco security experts to help businesses improve their enterprise security by 2011

Read the Cisco 2010 Midyear Security Report, and find the best strategies to help you meet current security demands for your organization.

During the podcast it was also mentioned that Cisco puts out weekly and monthly reports. I hadn’t seen these before; having whipped through a few, they are quite interesting and definitely something I will come back to on a weekly basis. To quote the site blurb: “The weekly Cyber Risk Reports provide strategic intelligence that highlight current security activity. The reports address seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.”

You can find the weekly reports and supporting podcasts here.

ZaCon call for papers closes 20th August 2010 (17 days folks)

Posted on August 03, 2010

Just a reminder that the free (or at least low-cost) security conference ZaCon is being held on Saturday 9th October 2010 at the University of Johannesburg.

The call for papers went out some time ago and closes on the 20th August. If you are interested in attending, diarise it; if you have something to share, write up that abstract and send it through.

More details here

Sophos mid-year 2010 Security Threat Report

Posted on August 03, 2010

IT security company Sophos has released its mid-year 2010 Security Threat Report. The report provides some insight into Cybercrime as well as other IT security trends and developments for the first half of 2010.

The report provides a short history and background to the cybercrime economy, then covers some notable arrests and sentences over the last 12 months, making for interesting reading. Of particular interest is the rather “tolerant” attitude of those surveyed towards government cyber-crime activities.

Some thoughts around social media as an attack vector are also explored, as well as some insights into the threats to the major mobile platforms (iPhone, Blackberry, Android).

The report also provides details on the top malware/spyware hosting countries for January to June 2010.

Download the PDF copy of the full report here.

Security and ethics presentation to UKZN MBA class – copy of presentation

Posted on July 30, 2010

On Tuesday evening (27th July 2010) I gave a presentation to the University of KwaZulu-Natal MBA class. The presentation was rather enjoyable (from my perspective) and with all the questions and interaction with the class we spoke for around an hour and a half. We did go a bit over the normal end time for the lecture, so thanks to the class for their patience, and thanks again for your attention and questions.

Attached is a copy of the presentation for anybody who is interested.

Help out an MBA student by completing questionnaire on Phishing

Posted on July 23, 2010

I, RAJAN MUNIEN, an MBA student at the Graduate School of Business, University of KwaZulu-Natal, hereby invite you to participate in a research project entitled “Internet Phishing – Hook, Line and Hopefully not Sunk…” The aim of this study is to gain a better understanding of online users’ awareness of the problem of Internet Phishing (IP). Through your participation I hope to determine the level of awareness amongst users and to present a strategy for creating further awareness of the problem. The results are intended to contribute towards implementing an awareness programme that will prevent further users from becoming victims of the threat of Internet Phishing. Your participation in this project is voluntary. You may refuse to participate or withdraw from the project at any time with no negative consequence. There will be no monetary gain from participating in this survey group. Confidentiality and anonymity of records identifying you as a participant will be maintained by the Graduate School of Business, UKZN.

If you agree to the above and want to proceed to the questionnaire, please click on the link below. This survey will take you approximately 10 minutes to complete.

If you have questions at any time about the survey or the procedures, you may contact the author hereunder:
Rajan Munien, Cell : 084 – 5800 176, email :

The lurking dangers hidden in .PDF’s

Posted on June 13, 2010

A couple of days ago there was some noise about nasty payloads being delivered through PDFs. So, just in case you thought opening a PDF file was safe, read the blog post Z0nbi put together on the actions of a spam PDF he received:

” Today I was trawling through my Gmail spam folder like a good little mail monkey when I came across a rather strange bit of spam. Usually you just get rubbish about making your manhood the size of a small country or the latest twitter/gmail support/facebook AV malware. Most of the time I just ignore the messages due to them being very boring and not really worth a coffee and a few hours in Terminal…Today’s message was a little different. It was a very simple email with the subject line “New Resume” and one line in the body of the email saying “Please review my CV, Thank You!“. So, seeing as I have NO idea who the sender was and that there are no issues with the PDF format that I know of, I saved the PDF document to my desktop as I had a virtual machine I just knew the PDF would love immediately. ”

Read the rest of his great post here.
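For the reader who wants a quick first check before doing what Z0nbi did and feeding the file to a virtual machine, the following Python script is an added example (not from his post) that flags the object types malicious PDFs rely on: actions that fire on open, and any embedded JavaScript. The two PDFs embedded in it are constructed by hand for the demo. It also handles one evasion that defeats a plain grep: PDF names may be written with #xx hex escapes, so /J#61vaScript is the same name as /JavaScript.

```python
"""First-pass static triage of a PDF for the object types that malicious
documents use to run code on open. Added example; the two PDFs below are
constructed by hand for the demo."""
import re
from collections import Counter

# Names whose presence means "this document can do things".
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/URI")
# The subset that can execute without the user doing anything beyond opening the file.
ACTIVE_ON_OPEN = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"}


def normalise_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript).
    The spec allows them anywhere in a name and malware uses them to dodge
    tools that grep for the literal keyword. Works on a copy, so stream bytes
    that happen to contain '#' are not a problem for the analysis."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("no %PDF- header; not worth triaging as a PDF")
    norm = normalise_names(data)
    hits = Counter()
    for name in RISKY_NAMES:
        # require a delimiter after the name so /JS does not also count /JSfoo
        hits[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
    hits = Counter({k: v for k, v in hits.items() if v})
    report = {
        "hits": dict(hits),
        "hex_escaped_names": norm != data,          # someone was hiding keywords
        "streams": norm.count(b"endstream"),
        "filtered_streams": len(re.findall(rb"/Filter(?![A-Za-z0-9])", norm)),
        "verdict": "clean",
    }
    if any(name.decode() in hits for name in ACTIVE_ON_OPEN):
        report["verdict"] = "suspicious"
    elif report["filtered_streams"]:
        # keywords can sit inside compressed streams, so absence proves little
        report["verdict"] = "unknown-inspect-streams"
    return report


# Constructed sample: an /OpenAction pointing at a hex-escaped JavaScript action
# whose script body lives in a FlateDecode stream (a real one would be deflated code).
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Length 9 /Filter /FlateDecode >> stream\n"
    b"x\x9c\x03\x00\x00\x00\x00\x01\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: one page of plain text, no actions, no filters.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\nBT /F1 12 Tf 72 700 Td (Hello) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(pdf))
```

A “clean” verdict only means the keywords are not visible in plaintext; object streams and FlateDecode-compressed streams can hide them, which is why the script downgrades to “unknown” when it sees filtered streams, and why the virtual machine is still the right place for the real test.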

ISG (Whitehat) Durban June meeting : Information Warfare

Posted on June 13, 2010

The details for the next ISG Durban (White Hat) meeting :

Title: Information Warfare
Speaker: Brett van Niekerk
Date: 17 June 2010
Time: 18:30
Venue: Elephant Room, M Block, UKZN Westville Campus

If you have any problems or need help getting to the venue, drop me a mail and I will provide whatever details you need.

To get to the Elephant Room, first follow the map to M Block, then go through the door to the right. In front of you will be the entrance to the LANs (light blue turnstiles and a door); the door will be open, so go through and listen for the voices :)

Importing NMAP .xml output into MS Access part 2

Posted on June 13, 2010

As mentioned in the previous post, our initial NMAP scan produced an XML file of over 600MB. To finish the scans we split the remaining IP ranges into more manageable chunks and ended up with another 20+ XML files of around 50MB each.

Running all of these through Exult XML to get a single consolidated Access database was a bit problematic. The tool didn’t have the functionality to add additional scans to our original database, so all of the XML files had to be selected together and run through the tool to produce a single database. The conversion ran for 24 hours without completing, so we had to come up with a better plan. Initially we considered running the conversion on a more powerful machine with much faster disk, but when trying to install the tool we discovered the licence key wouldn’t work: it used some (undisclosed) technique to enforce a single install. An email to the developers and they sent us a new key (about 6 hours later, thanks to time differences rather than any delay on their part). In the meantime plan B was in place.

Looking through the raw XML files I saw that the vast majority of the IPs were non-responsive, and the few lines recording each non-responsive host were taking up an awful lot of space collectively. A quick search and replace to remove these lines reduced the XML files to about 1/20th of their original size. (The replace has to take out each complete <host>…</host> element for a down host, not just some of its lines, otherwise the file is no longer well-formed XML and the importer will choke on it.) With the reduced files Exult happily produced our Access database in less than half an hour and we were ready to continue with the exercise. The old sayings about better planning and new strategies certainly applied here.

Using Access we were then able to produce useful summary reports: top active ports, numbers of machines in each class, active IP ranges, etc. Next step: choose our samples for more detailed scanning.

Wardriving on mobile phones

Posted on June 06, 2010

I was vaguely wondering whether there is software to do wardriving on the BlackBerry Bold 9000. It has GPS and WiFi, so technically it should be possible. Google didn’t reveal much other than a few other people asking the same question. I did however come across a guy in Greece who had found software to do it on Nokia Symbian S60 devices (N95, E71, etc.).

You can read about Sascha’s experiences here, and find the Barbelo tool here. The tool is a bit dated; perhaps there are others which do a better job?

Hopefully I will find time to give it a try over the next week or two and will post back more results then.

Importing NMAP .xml output into MS Access

Posted on June 03, 2010

Over the last few days we ran a really large discovery scan on a client’s network. The scan was discontinued part of the way through, and at that stage had produced a 650MB XML file. Smaller files are easy to load into Excel or Firefox to view and work with; with this much data we needed a more workable solution.

The first thought was to import it into MS Access 2007. Access has built-in import filters, so easy enough, we thought. Two error lines in a table and no data brought an end to that hopeful idea. A little googling found a tool that promised pain-free importing of XML into Access, building the table structures on the fly and automatically creating the necessary table links.

The Exult XML converter (from Novixsys) was a lifesaver. We downloaded the trial, tested it on a scan of the local class C and it worked wonders, creating all the required tables and links. $105 on the credit card later and the full version was purchased.

Using it on our full scan file was a little trickier. Since we had aborted the scan, the XML file hadn’t been properly terminated. Exult didn’t like the incomplete file, threw an error and refused to build the Access database. A comparison of the short test scan and the full scan revealed the missing XML tags at the end of the file (the closing tags that nmap only writes once a scan finishes). We copied these over to the full file, updated the scan information manually, and saved it. Running Exult again took a while (over an hour) but produced the required file. Perfect solution.

Thanks Novixsys.

We are scanning the rest of the network as we speak. Not sure how we will import the balance of the .xml files into the same database. Hopefully Exult can do that for us too. Will find out soon enough :)
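Both the aborted-file problem from the first of these two posts and the stripping of non-responsive hosts from the second can be handled in one pass, without search-and-replace and without loading the whole file into memory. The Python below is an added example written for these posts; it is not Exult’s or nmap’s code. The sample nmap XML is constructed and deliberately cut off in the middle of a host to mimic an aborted scan; the summary function produces the figures the Access reports were built for (top open ports, live /24 ranges).

```python
"""Stream-reduce a large (possibly aborted) nmap -oX file: drop non-responsive
hosts, close the document properly, and summarise what is left. Added example;
the sample XML is constructed and cut off mid-host to mimic an aborted scan."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from io import BytesIO

SAMPLE_TRUNCATED_XML = b"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX big.xml 10.0.0.0/8" start="1275500000" version="5.21">
<host><status state="down" reason="no-response"/><address addr="10.0.0.1" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
<host><status state="up" reason="syn-ack"/><address addr="10.0.0.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port></ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
<host><status state="up" reason="syn-ack"/><address addr="10.0.1.7" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port></ports></host>
<host><status state="up" reason="syn-ack"/><address addr="10.0.1.9" addrtype="ipv4"/>
"""


def reduce_nmap_xml(source, keep_states=("up",)):
    """Return (reduced_xml_text, stats). source is a binary file-like object.

    iterparse never holds the whole file, which is what makes a 600MB input
    workable; finished <host> elements are cleared from the root as we go.
    Hosts are only counted on their end event, so a host cut in half by an
    aborted scan is dropped rather than half-imported."""
    stats = {"hosts_seen": 0, "hosts_kept": 0, "truncated": False, "by_state": Counter()}
    events = ET.iterparse(source, events=("start", "end"))
    _, root = next(events)                               # start event of <nmaprun>
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML file")
    out_root = ET.Element("nmaprun", dict(root.attrib))  # copy now; clear() wipes attrib
    try:
        for event, elem in events:
            if event != "end" or elem.tag != "host":
                continue
            stats["hosts_seen"] += 1
            status = elem.find("status")
            state = status.get("state", "unknown") if status is not None else "unknown"
            stats["by_state"][state] += 1
            if state in keep_states:
                stats["hosts_kept"] += 1
                out_root.append(elem)                     # elem survives root.clear()
            root.clear()
    except ET.ParseError:
        stats["truncated"] = True                         # aborted scan: no </nmaprun> written
    # nmap writes a runstats block last; supply one so importers see a complete file
    runstats = ET.SubElement(out_root, "runstats")
    ET.SubElement(runstats, "hosts", up=str(stats["by_state"]["up"]),
                  down=str(stats["by_state"]["down"]), total=str(stats["hosts_seen"]))
    text = '<?xml version="1.0"?>\n' + ET.tostring(out_root, encoding="unicode")
    return text, stats


def summarise(reduced_xml: str):
    """Top open ports and live /24s, the numbers the Access reports were built for."""
    tree = ET.fromstring(reduced_xml)
    open_ports, live_ranges = Counter(), Counter()
    for host in tree.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is not None:
            net = ipaddress.ip_network(addr.get("addr") + "/24", strict=False)
            live_ranges[str(net)] += 1
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":
                open_ports[f"{port.get('portid')}/{port.get('protocol')}"] += 1
    return open_ports, live_ranges


def demo() -> dict:
    reduced, stats = reduce_nmap_xml(BytesIO(SAMPLE_TRUNCATED_XML))
    open_ports, live_ranges = summarise(reduced)
    return {"stats": stats, "reduced": reduced, "open_ports": open_ports,
            "live_ranges": live_ranges,
            "hosts_in_output": len(ET.fromstring(reduced).findall("host"))}


if __name__ == "__main__":
    result = demo()
    print(result["stats"])
    print(result["open_ports"].most_common(5))
    print(result["live_ranges"].most_common(5))
```

For a real file pass open('big.xml', 'rb') instead of the BytesIO wrapper. The reduced output is well-formed and carries a synthetic runstats block, so an importer like Exult will accept it as-is; the counts in that block reflect what was actually parsed, since nmap never wrote its own.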

ZaCon II Call For Papers

Posted on May 28, 2010

Date : 9 October 2010.
Location : University of Joburg. Joburg.
Cost : The goal is to hit breakeven on the costs, so an entry fee (if charged) will be low.

Many other conferences exist to cater either to the strictly Academic or Professional individual. We want a simple community based forum that is completely free of corporate affiliation (or shilling). The intention behind this is that the passion for the field or of sharing knowledge should be the primary motivation of attending or speaking at this conference.

We aim to fulfill these objectives:
* Provide a platform for publication of infosec research
* Showcase free locally-developed infosec tools
* Support the interaction of industry, academia and the interested public
* Encourage discussion on infosec / hackery / sec-related-geekery at large
* Build the ZA infosec community
* Provide a platform to up-n-coming talent

Closing date for submissions is 20 August 2010.

* Site:
* Abstracts: abstracts AT zacon org za
* Organisers: people AT zacon org za
* IRC: #zacon on

ITWeb Security Summit 2010

Posted on May 19, 2010

I was up in Johannesburg last week to attend and co-present at the IT Web Security Summit 2010. The conference had some really good speakers (Joe Grand, Moxie Marlinspike, FX, Charlie Miller, and others) covering a wide variety of most interesting topics.

You can read some articles about the conference, the speakers and the presentations at the link above. Alex Kayle did a brief email based Q&A ahead of the presentation and wrote up the following article. It gives some idea of what the presentation is all about.

I was co-presenting with a colleague, David Volschenk on the implementation of Security and control frameworks. We took two hypothetical companies (combined from various client experiences) and compared the processes and experiences to contrast what worked and what didn’t across the organisations, while looking at the key drivers (of which King 3 is now a significant one). This was woven around Dickens’ “A tale of two cities” to bring a bit of a different angle into what otherwise could have been quite a dry topic. Take a look at the King 3 responsibilities on the Board of Directors if you haven’t already. They are quite onerous compared to King 2 (which pretty much ignored IT governance). The King 3 report is available for download on the Institute of Directors (IOD) website.

Our presentation on the day went down reasonably well to quite a full venue. Thanks to all those who attended, hope you enjoyed what we had to say.

The presentation has been uploaded for all those who may wish to check it out.
