A sophisticated new piece of malware that targets command-and-control software installed in critical infrastructures uses a known default password that the software maker hard-coded into its system. The password has been available online since at least 2008, when it was posted to product forums in Germany and Russia.

The password protects the database used in Siemens' Simatic WinCC SCADA system, which runs on Windows operating systems. SCADA, short for "supervisory control and data acquisition," systems are programs installed in utilities and manufacturing facilities to manage the operations. SCADA has been the focus of much controversy lately for being potentially vulnerable to remote attack by malicious outsiders who might want to seize control of utilities for purposes of sabotage, espionage or extortion.

"Default passwords are and have been a major vulnerability for many years," said Steve Bellovin, a computer scientist at Columbia University who specializes in security issues. "It's irresponsible to put them in, in the first place, let alone in a system that doesn't work if you change it. If that's the way the Siemens system works, they were negligent."

Siemens did not respond to a request for comment.

Coding a password into software all but ensures that interested third parties can retrieve it by analyzing the code, though software makers can employ obfuscation techniques to make this more difficult.

It's not known how long the WinCC database password has been circulating privately among computer intruders, but it was published online in 2008 at a Siemens technical forum, where a Siemens moderator appears to have deleted it shortly thereafter. The same anonymous user, "Cyber," also posted the password to a Russian-language Siemens forum at the same time, where it has remained online for two years.

The password appears to be used by the WinCC software to connect to its MS-SQL back-end database. According to some of the forum posts, changing the password causes the system to stop working.

Last week, a security expert in Germany named Frank Boldewin found the password in a new and sophisticated piece of malware designed to spread through USB thumb drives to attack the Siemens system. The malware exploits a previously unknown vulnerability in all versions of Windows in the part of the operating system that handles shortcut files – files ending with a .lnk extension. The code launches itself when a file-manager program, such as Windows Explorer, is used to view the contents of the USB stick.

News of the malware was first reported last week by security blogger Brian Krebs who said that a security firm in Belarus named VirusBlokAda had discovered it in June.

Boldewin's analysis showed that once the malware is launched, it searches the computer for the presence of the Simatic WinCC software and then applies the hard-coded password, 2WSXcder, to access the control system's database.

Siemens indicated in a statement to reporters last week that it learned of the malware on July 14 and had assembled a team of experts to evaluate the problem. The company said it had also alerted customers to the potential risk of being infected by the virus. The statement made no mention of the hard-coded password.

Hard-coded passwords aren't a problem just for Siemens.

"Well over 50 percent of the control system suppliers" hard-code passwords into their software or firmware, says Joe Weiss, author of the book Protecting Industrial Control Systems from Electronic Threats. "These systems were designed so they could be used efficiently and safely. Security was simply not one of the design issues."

The emergence of malware targeting a SCADA system is a new and potentially ominous development for critical infrastructure protection. But for the average user, the Windows vulnerability the code uses to infect its targets is of much greater immediate concern.

Microsoft issued a workaround to address the Windows vulnerability that the malware exploits, suggesting that users modify their Windows registry to disable the WebClient service as well as the display of shortcut icons. Security experts have criticized the company for these suggestions, noting that they are not easy to do in some environments and that disabling the WebClient service would break other services.

In the meantime, a security researcher has published a working exploit for the Windows hole, making it more likely that someone will try to conduct such an attack.

The SANS Institute, which trains security professionals, indicated that it believed "wide-scale exploitation is only a matter of time."

"The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch," wrote Lenny Zeltser at the SANS Internet Storm Center blog. "Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far."
