Kim Zetter’s article for Wired tells us that “SCADA System’s Hard-Coded Password Circulated Online for Years” – see the article at http://www.wired.com/threatlevel/2010/07/siemens-scada/#ixzz0uFbTTpM0 for a classic description of how a password can have little or no value as a security measure.
Zetter quotes Lenny Zeltser of SANS as saying that ““…anti-virus tools’ ability to detect generic versions of the exploit have not been very effective so far.” We now detect it as LNK/Exploit.CVE-2010-2568, but our lab will be delighted to improve the detection if SANS has a sample we don’t detect. ;-)
Costin Raiu, however, has an interesting take on the code signing issue that Pierre-Marc flagged here yesterday, suggesting that JMicron and Realtek might both have been infected by a malware such as Zbot (Zeus) that steals digital certificates.
I had an interesting chat this morning with Jeremy Kirk of IDG, but that’s an angle that hadn’t occurred to me. Jeremy’s article “Eset Discovers Second Variation of Stuxnet Worm” is here.
Dan Raywood of SC Magazine also looked at the issue here and quoted my earlier blog, And Jim Finkle of Reuters quoted Siemans, Microsoft, and our own Randy Abrams here. Randy was also quoted by Richard Adhikari in a TechWorld article here.
Hat tip also to Bob McMillan for pointing me to the US-CERT advisory at http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET