US media outlets are reporting that the Stuxnet worm first discovered in connection with the LNK hole has globally infiltrated 14 Siemens industrial control systems which run the Windows Control Center (WinCC) SCADA software, in the US, South Korea, the UK and Iran. Stuxnet is specifically designed to compromise systems running this software. Researchers at Symantec say that the worm can even infect Programmable Logic Controllers (PLCs), used on site to control such components as pumps and valves, via the WinCC system.

According to Symantec's analysis, Stuxnet can replace or add individual blocks of PLC code – it apparently includes a total of 70 (encrypted) blocks to implement new functions. The malware even goes to the trouble of hiding its PLC manipulations: If a WinCC user accesses the code blocks, any blocks that were added by the worm are said to be invisible. Symantec has, therefore, called the malware the first publicly known rootkit for industrial control systems.

Instead of acting autonomously, however, Stuxnet allows its creators to remotely access WinCC systems and select, as well as manipulate, the behaviour of individual PLCs. Which functions are implemented by the new code and whether the code is designed to allow its operators just to monitor or, even worse, to disrupt systems remains unclear. Symantec's blog mentions a historic example where a "trojanised" valve controller was reportedly manipulated to increase the pressure in a pipeline beyond the pipeline's capacity. Even if the operators of an industrial plant have removed the Stuxnet worm from their WinCC systems, parts of the Programmable Logic Controllers potentially remain affected.

When analysing the worm, the security experts also discovered further, previously undisclosed, security holes in Windows the worm apparently exploits to proliferate through the network and to elevate its privileges on infected systems. Microsoft closed one of these holes on its recent Patch Tuesday.

The worm uses Siemens' hard-coded MS SQL database access credentials to obtain access to the SCADA system's data.

(crve)