The recording of yesterday’s Stuxnet webinar has been posted. I thought there was some interesting debate as to the authors of the worm and their intent. All such debate was of course speculation, since no concrete evidence as to the authors of the worm has been published. Eric Byres of Tofino Security suggested the authors may have been looking for competitive intelligence and trade secrets embodied in the physical processes the control systems operate. Dale Peterson, Digital Bond, suggested it might be someone trying to “prove it could be done,” frustrated by how little attention industrial security issues were receiving. But, he observed, if this were the motive, it seems unusual to use a USB key as a propagation mechanism — physical media seems a slow and inefficient method to distribute a worm that someone wants to draw attention to.
My own opinion is that it really is not clear who is behind this. If it was organized crime, how did they make any money on this? If it was an intelligence agency looking for industrial trade secrets, I think there are more efficient ways of extracting those secrets. Documentation as to how industrial sites are constructed and how they are operated is a much more accessible source of intelligence than trying to pick apart set points and process graphics. If this was a military intelligence gathering attempt, it looks to me to have been botched. The worm has alerted target sites to a new kind of threat and has raised awareness of the need to protect these sites more thoroughly.
As I mentioned earlier, the entire webinar was recorded and is available for replay. Some of the questions addressed by the panelists include:
- (Panel discussion introduction) How should the owners / operators react? How should the product vendors react? Are there gaps in security elements? What are potential work-arounds?
- Who do we really think is behind this?
- How likely is it that other malware is circulating that is targeting control systems?
- Which of the repair or prevention tools have been approved by Siemens?
- Hard-coded passwords – why can’t a user or organization change the Siemens hard-coded password?
- Does anyone know how else the worm affects control systems?
- Have any operating control systems been affected? Does anyone have examples?
- What can people do to monitor their systems to see if the worm has had an effect on their environment?
- What is a zero-day vulnerability?
There was a lot of interest in the webinar and we had many questions posted. Unfortunately, the panel was not able to get to all of the questions. Over the next couple of days, I’ll be posting the complete set of questions and panelist responses to them.
To start that process, let’s tackle one of the questions now:
Question: You’ve mentioned that the payload is “phoning home”. Have these IPs been published? This might be useful for others looking for similar traffic.
Answer: The Symantec blog reports that all versions of the Stuxnet worm they’ve seen attempt to contact command and control servers on port 80 at one of the DNS entries:
www . mypremierfutbol . com
www . todaysfutbol . com
One variant did contain hard-coded IP addresses, and these addresses were the same as the above DNS entries resolved to. Both of the above DNS entries have been changed — they now resolve to benign IP addresses which are being used to count infected sites and contact those sites about the need for remediation.
So one way to tell if your control system has been compromised is to use strict egress filtering on your control system firewall and watch what it blocks. Many sources recommend that owners and operators block most or all connections from any computer on a control system network to their enterprise networks. Those sources recommend that operators be even more aggressive at blocking connections from their control system network to the open internet. If you set up such blocks and enable logging of dropped connection attempts, then when Stuxnet or any other malware takes over one of your control system machines and tries to contact a command and control server, your firewall logs will show the attempt.
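To show what that log review looks like in practice, here is an added example (not part of the original post or the webinar) that triages constructed firewall drop lines and resolver query lines: it flags control-network hosts that repeatedly try blocked port-80 connections to outside addresses, or that look up either of the two domains named above. The control network range, the two log formats and every address in the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# All values below are constructed for this example.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed control-system network
C2_DOMAINS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}  # named in the post
DROP_RE = re.compile(r"DROP .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")   # iptables-style drop
DNS_RE = re.compile(r"query from (\S+) for (\S+)")                 # resolver-style query

SAMPLE_LOGS = [  # constructed sample lines, not real traffic
    "fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.10.3.7 DST=203.0.113.10 PROTO=TCP DPT=80",
    "fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.10.3.7 DST=203.0.113.10 PROTO=TCP DPT=80",
    "fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.10.3.7 DST=203.0.113.11 PROTO=TCP DPT=80",
    "fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.10.5.2 DST=10.10.1.1 PROTO=TCP DPT=80",
    "fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.10.5.2 DST=198.51.100.5 PROTO=TCP DPT=443",
    "resolver: query from 10.10.5.2 for www.todaysfutbol.com",
    "resolver: query from 10.10.9.9 for www.example.com",
]

def outbound_drops(lines):
    """Yield (src, dst, dport) for logged drops that leave the control network."""
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if (ipaddress.ip_address(src) in CONTROL_NET
                and ipaddress.ip_address(dst) not in CONTROL_NET):
            yield src, dst, dport

def triage(lines, min_attempts=3):
    """Flag control hosts that beacon like Stuxnet: repeated blocked port-80
    attempts to outside addresses, or a DNS lookup of a known C2 domain."""
    web_attempts = Counter()
    reasons = defaultdict(set)
    for src, dst, dport in outbound_drops(lines):
        if dport == 80:
            web_attempts[src] += 1
    for src, n in web_attempts.items():
        if n >= min_attempts:
            reasons[src].add(f"{n} blocked port-80 attempts to outside addresses")
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group(2).lower().rstrip(".") in C2_DOMAINS:
            reasons[m.group(1)].add(f"DNS lookup of C2 domain {m.group(2)}")
    return {src: sorted(r) for src, r in reasons.items()}

if __name__ == "__main__":
    for host, why in triage(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(why))
```

Drops that stay inside the control network and blocked connections on other ports are ignored, so a single noisy host does not drown out the port-80 pattern the post describes.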
More questions and answers will follow in the next few days.