plcforum.uz.ua
International PLC Forum
All times are UTC + 3 hours
[ 41 posts ]
PostPosted: Tue Jul 20, 2010 1:15 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Do you use DB 890 and DB 8062 in your project?
This virus is specially made for you... Who are you?
Quote:
http://www.langner.com/en/index.htm
Stuxnet logbook, Sep 16 2010, 1200 hours MESZ

With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).


http://support.automation.siemens.com/WW/view/en/43876783
Quote:
Via the internet, information is being spread about a new malware, a so-called trojan, which affects the visualization system WinCC SCADA. This malware is distributed via USB sticks. Just viewing the content of a USB stick can activate this trojan.

http://www.automationworld.com/news-7325
Quote:
The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
Over the weekend of July 17-18, news broke on the “Computerworld” technology Web site about a virus attacking industrial automation giant Siemens’ WinCC and PCS7 industrial control human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems.
The virus exploited Microsoft Windows operating systems when Universal Serial Bus (USB) memory sticks are inserted in a host computer and automatically loaded.

In response to a query from Automation World, Siemens Industry Inc. (http://www.usa.siemens.com/industry) spokesperson Michael Krampe issued the following statement:

"Siemens was notified about the virus that is affecting its Simatic WinCC SCADA (Supervisory Control and Data Acquisition) systems on July 14. The company immediately assembled a team of experts to evaluate the situation. Siemens is taking all precautions to alert its customers to the potential risks of this virus.

"Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments."

Well-known industrial cyber-security expert Eric Byres and his team conducted a weekend analysis, and Byres has issued a statement and is offering a White Paper analysis. Here is his analysis:

“Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.

“As best as I can determine, the facts are as follows:
• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products and hardware PLC S7-315 and S7-417.
• The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage and sabotage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The malware infects PLC S7-315 and S7-417 via modified S7 DLLs.

• The only known work arounds are:
• NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
• Disable the displaying of icons for shortcuts (this involves editing the registry)
• Disable the WebClient service

“My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from http://www.tofinosecurity.com/professio ... cc-malware .

“If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already http://www.tofinosecurity.com web members do not need to reregister.”


http://www.eset.com/press-center/article/eset-analysis-worm-win32stuxnet-targets-supervisory-systems-in-the-us-and-iran/7609
ESET Analysis: Worm Win32/Stuxnet Targets Supervisory Systems in the U.S. and Iran
Quote:
SAN DIEGO – July 19, 2010 – ESET has issued a warning against a worm dubbed Win32/Stuxnet, which threatens users around the globe.
Exploiting a vulnerability in Windows® Shell, this dangerous threat is detected by ESET as LNK/Autostart.A.
It is used in targeted attacks to penetrate SCADA systems, especially in the United States and Iran. SCADA are supervisory and monitoring systems used in many industries, for instance in power engineering...
The danger lies in the Windows® OS vulnerability connected with processing of LNK files.
Experts expect even more malware families to begin to exploit this security gap in the near future.


Russian
Known variants of this type of malware are specifically aimed at Siemens Step7, WinCC and PCS7 products and the S7-315 and S7-417 controllers. So far...
http://www.esetnod32.ru/.company/news/?id=7953&year=2010
Quote:
Win32/Stuxnet poses a serious threat to industrial enterprises.
Do you use DB 890 and DB 8062 in your program?
Then this virus was written specially for you... I wonder who you are?

When this malware runs, it uses previously unknown vulnerabilities in the handling of files with the LNK extension stored on a USB drive, and in the operation of the print service.
The malicious code executes thanks to a vulnerability in Windows Shell related to the display of specially crafted LNK files.
The malicious code modifies the DLL libraries of the Step7/WinCC/PCS7 programming packages on the engineering station,
through which, where possible, it writes its own versions of certain OB, FC and DB blocks into S7-315 and S7-417 controllers.


 
PostPosted: Tue Jul 20, 2010 8:17 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Preventive medicine - disable LNK and PIF
http://support.microsoft.com/kb/2286198
or
http://www.youtube.com/watch?v=Gucn5xWZ1m8

Clear the registry LNK icon handler
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler = [] (set empty)
Delete any value that is specified there (the parameter should be "empty").
Result: Windows will not run the LNK icon handler and will not show LNK shortcut icons for the drive.

Start>Run>Regedit

Stop and Disable WebClient
MyComputer>Manage>Service and Application>Service>WebClient
Stop + Disable + Apply

Restart PC :(

Russia wrote:
Preventive medicine
1) Edit the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
Delete any value that is set there (the parameter should be "empty"). This way Windows will not show pictures for shortcuts.
Clear LNK
Start>Run>Regedit

2) Disable the WebClient service (which many people do not need at all).
Disabling the service means setting its startup type to "disabled" and then stopping it.
Disable WebClient
MyComputer>Manage>Services and Applications>Services>WebClient
Stop + Disabled + Apply
Restart the computer


RESULT :(

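The two workarounds in this post (empty the lnkfile IconHandler default value, then stop and disable WebClient) and the later advice in the thread to install MS10-046 can be scripted instead of clicked through. The PowerShell below is an added example written for this thread, not Siemens or Microsoft code. It assumes an elevated PowerShell 2.0 or later, writes a backup of the old IconHandler value to a file path of my own choosing, and also clears the piffile handler because the post title mentions PIF (that key is only touched if it exists). Restart the machine afterwards, as the post says.

```powershell
# Added example for this thread (not Siemens/Microsoft code).  Run from an elevated
# PowerShell.  The backup directory is an assumption; change it to suit.
$backupDir = Join-Path $env:SystemRoot 'Temp'
$handlers  = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',   # .lnk, as in the post
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'    # .pif, per the post title
)

# 1. Empty the (Default) value of each icon handler so Explorer no longer loads
#    shortcut icons, which is the step that triggers the LNK vulnerability.
foreach ($key in $handlers) {
    if (-not (Test-Path $key)) { "$key not present, skipping"; continue }
    $current = (Get-Item $key).GetValue('')
    if ([string]::IsNullOrEmpty($current)) { "$key already empty"; continue }
    $backup = Join-Path $backupDir (($key -split '\\')[1] + '_IconHandler.bak')
    Set-Content -Path $backup -Value $current       # keep the old CLSID for restoring later
    Set-Item -Path $key -Value ''                   # (Default) = ""
    "$key cleared (was $current), backup: $backup"
}

# 2. Stop and disable WebClient (the WebDAV redirector), the network delivery
#    path for a crafted shortcut.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    "WebClient: " + (Get-Service -Name WebClient).Status + ", startup type Disabled"
}

# 3. Is the real fix in?  The workarounds above are only a stopgap until KB2286198
#    (MS10-046) is installed; even then, as Siemens notes later in this thread,
#    an administrator who clicks an infected .lnk still runs it.
$fix = Get-HotFix -Id KB2286198 -ErrorAction SilentlyContinue
if ($fix) { "MS10-046 (KB2286198) installed on $($fix.InstalledOn)" }
else      { "MS10-046 (KB2286198) NOT installed - keep the workarounds and restart" }
```

To undo the icon-handler change after patching, write the saved value back with `Set-Item -Path $key -Value (Get-Content $backup)`; the script deliberately does not hard-code the original CLSID so that whatever was on the machine is what gets restored.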

 
PostPosted: Wed Jul 21, 2010 9:17 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
http://support.automation.siemens.com/WW/view/en/43877513
New info from Siemens wrote:
Current information on malware in connection with Simatic Software
The software/malware detects WinCC and Step 7 programs from Siemens and their data and can also contact and communicate with certain websites/servers...


 
PostPosted: Fri Jul 23, 2010 7:07 am 

Joined: Thu Jun 08, 2006 9:10 am
Posts: 8
Location: Iran
Hi
Install Microsoft Security Essentials and update it from Microsoft. It will remove the trojans Stuxnet.A and Stuxnet.B from your system.


 
PostPosted: Fri Jul 23, 2010 8:16 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Update from Siemens
http://support.automation.siemens.com/WW/view/en/43876783
Quote:
Product Information July 22, 2010:
* Tool now available to detect and remove virus
sysclean.zip

SIMATIC Security Update available
SIMATIC_Security_Update_20100722.exe
....


=========== Very bad news for Siemens ====================
Kaspersky wrote: Stuxnet for WinCC - Made in INDIA
http://translate.google.com/translate?j ... l=ru&tl=en
The expert from Kaspersky Lab, July 15, 2010 wrote:
If you look at these statistics mapped onto the world, it becomes clear that the centers of the epidemic are three countries - Iran, India and Indonesia (all three start with the letter "I", funny).
In each of these countries the number of incidents recorded via KSN exceeds 5000.
Realtek is a hardware company, and writing software for its devices is a side activity, for which the best option is to use outsourcers.
And which country is the world leader in outsourced programming?
Correct: India.
Could an outsourcer creating software for the company have the means to "sign" a program with this company's certificate? Probably yes.
Thus, one can assume that the malicious program was created precisely in India (see the map) and, perhaps, not without an insider among the developers of applications for Realtek.

Possibly this Indian insider also works on programming for the new Siemens WinCC/PCS7 :(


Kaspersky wrote: Stuxnet for WinCC - what it is made of
http://translate.google.com/translate?j ... l=ru&tl=en
Quote:
Indeed, Stuxnet tries to connect to the WinCC SCADA visualization system using the "default password" that Siemens built into its program.

The worm includes a very interesting component, a DLL file that is a kind of "wrapper" around the real, original DLL from Siemens.
This "wrapper" tries to interact with WinCC, redirecting most of the functions to the original DLL.
The remaining functions it emulates itself!

These functions are:
s7db_open
s7blk_write
s7blk_findfirst
s7blk_findnext
s7blk_read
s7_event
s7ag_test
s7ag_read_szl
s7blk_delete
s7ag_link_in
s7db_close
s7ag_bub_cycl_read_create
s7ag_bub_read_var
s7ag_bub_write_var
s7ag_bub_read_var_seg
s7ag_bub_write_var_seg

In addition, the module contains several encrypted data blocks (an example of one of the decrypted blocks):


Russian original wrote:
http://www.securelist.com/ru/blog/34302/Mirt_i_guava_Epizod_3
Alexander Gostev
Kaspersky Lab expert
published 15 Jul 2010, 13:59 MSK
Thus, one can assume that the malicious program was created precisely in India (see the map) and, perhaps, not without an insider among the developers of applications for Realtek.

So he also writes programs for Siemens, since he wrote the infection specifically for WinCC/PCS7 :(

http://www.securelist.com/ru/blog/34310/Mirt_i_guava_Epizod_5#c36364


 
PostPosted: Tue Aug 03, 2010 7:10 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Download MS HotFix for your OS from http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx
Quote:
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
This security update resolves a publicly disclosed vulnerability in Windows Shell.
The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


 
PostPosted: Wed Aug 04, 2010 11:20 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
2010-08-04 Update info about MS HotFix
http://support.automation.siemens.com/WW/view/de/43876783
Siemens wrote:
Important note on the Microsoft Patch
The Microsoft Patch only prevents the trojan from being installed automatically on the system.
If a user with admin-rights opens an infected LNK-file by mouse click on a computer on which the Microsoft Patch is installed, the computer will become infected - if no virus scanner has been installed.
To avoid such an infection, it is strongly recommended that users only log in with power user rights.
Power users do not have the necessary permissions to start code from another drive.
For additional security use an approved virus scanner.


==== Russian ========
greg2008 wrote:
http://www.securelist.com/ru/blog/32867/Patch_LNK_vypushchen
"I will be brief, but I would like to draw your attention: Microsoft security bulletin MS10-046 has finally been released, providing a patch for the LNK vulnerability that was originally exploited by the Stuxnet malware. If you have not installed the patch yet, be sure to do so.
This critical vulnerability is being actively exploited by cybercriminals."

I will be brief - this patch will not save you from modifications of this virus:
- if you have administrator rights
- if you yourself click on an infected icon or PIF
- if the installed antivirus does not know about the new modification of the virus.
And this "patch" only covers autorun when the media is opened :( - otherwise it is the same hole, but with a sticker saying "Thought you were protected..."


 
PostPosted: Tue Sep 21, 2010 3:59 pm 

Joined: Tue May 12, 2009 12:50 pm
Posts: 66
Hi

Take a look here:
http://www.langner.com/en/index.htm

& here:
http://www.digitalbond.com/index.php/20 ... g-picture/

for more info on the virus...

Stuxnet inside PLC !? wrote:
Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC.
Based on a conditional check, original code for OB 35 is manipulated during the transmission.
If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called.
OB 35 is the 100 ms timer in the S7 operating environment.
The Step7 code that Stuxnet injects calls FC 1874.
Depending on the return code of FC 1874, original code is either called or skipped...


http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
symantec wrote:
1. Determining which PLCs to infect.

Stuxnet infects PLCs with different code depending on the characteristics of the target system.
An infection sequence consists of PLC blocks (code blocks and data blocks) that will be injected into the PLC to alter its behavior.
The threat contains three infection sequences.
Two of these sequences are very similar, and functionally equivalent. We dubbed these two sequences A and B.
The third sequence was named sequence C.
Stuxnet determines if the system is the intended target by fingerprinting it.

It checks:

* The PLC type/family: only CPUs 6ES7-417 and 6ES7-315-2 are infected
* The System Data Blocks: the SDBs will be parsed, and depending on the values they contain, the infection process will start with method of infection A, B or none. When parsing the SDBs the code searches for the presence of 2 values (7050h and 9500h), and depending on the number of occurrences of each of these values sequence A or B is used to infect the PLC.

The code also searches for the bytes 2C CB 00 01 at offset 50h in the SDB blocks, which appear if the CP 342-5 communications processor (used for Profibus-DP) is present. If these bytes are not found then infection does not occur.

Infection conditions for sequence C are determined by other factors.


2. Method of infection

Stuxnet uses the code-prepending infection technique. When Stuxnet infects OB1 it performs the following sequence of actions:

1. Increases the size of the original block
2. Writes malicious code to the beginning of the block
3. Inserts the original OB1 code after the malicious code

As well as infecting OB1, Stuxnet also infects OB35 in a similar fashion. It also replaces the standard coprocessor DP_RECV code block with its own, thereby hooking network communications on the Profibus (a standard industrial network bus used for distributed I/O).

The overall process of infection for methods A/B is as follows:

* Check the PLC type; it must be an S7/315-2
* Check the SDB blocks and determine whether sequence A or B should be written
* Find DP_RECV, copy it to FC1869, replace it with a malicious copy embedded in Stuxnet
* Write the malicious blocks (in total, 20 blocks) of the sequence, embedded in Stuxnet
* Infect OB1 so that the malicious code is executed at the start of a cycle
* Infect OB35, which will act as a watchdog



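The two fingerprints quoted in this post (Langner: DB 890, DB 8062, FC 1874 and the DEADF007 return code in OB 35; Symantec: CPU family, the words 7050h/9500h in the SDBs, the bytes 2C CB 00 01 at offset 50h, and code-prepending into OB1/OB35) can be turned into an offline integrity check over a project backup. The script below is an added example written for this thread, not code from Langner, Symantec or Siemens. It assumes you can export each block as raw bytes (block name to bytes) and that you kept a known-good copy of OB1 from before the incident; scanning the SDB at every byte offset, matching the CPU by order-number prefix, and treating a DEADF007 constant inside any block as a lead are all my assumptions. The sample blocks at the bottom are constructed and are not real MC7 code.

```python
"""Offline checks for the Stuxnet PLC fingerprint and code-prepending infection.

Added example for this thread (not Langner/Symantec/Siemens code).  Input is a
dict of block name -> raw block bytes, as exported from a project backup.  All
sample data at the bottom is constructed for illustration.
"""
from collections import Counter
from typing import Dict, Optional, Set

# Block numbers the thread names as Stuxnet fingerprints or injected blocks.
INDICATOR_BLOCKS = {"DB890", "DB8062", "FC1869", "FC1874"}
# Langner: the code injected into OB 35 compares FC 1874's return code with DEADF007.
FC1874_MAGIC = (0xDEADF007).to_bytes(4, "big")
# Symantec: only CPUs 6ES7-417 and 6ES7-315-2 are infected.  Matching on the
# order-number prefix is an assumption about how your inventory records the CPU.
TARGET_CPU_PREFIXES = ("6ES7 315-2", "6ES7 417")
# Symantec: bytes 2C CB 00 01 at offset 50h of an SDB mean a CP 342-5 is present.
CP342_MARKER, CP342_OFFSET = bytes.fromhex("2CCB0001"), 0x50
# Symantec: the number of occurrences of 7050h and 9500h in the SDBs selects sequence A or B.
SDB_WORDS = {0x7050: "7050h", 0x9500: "9500h"}


def count_sdb_words(sdb: bytes) -> Counter:
    """Count big-endian 16-bit words 7050h/9500h in one SDB.
    Scanning every byte offset is an assumption (the real check may be aligned
    to a record layout); it errs on the side of over-counting."""
    hits: Counter = Counter()
    for i in range(len(sdb) - 1):
        word = int.from_bytes(sdb[i:i + 2], "big")
        if word in SDB_WORDS:
            hits[SDB_WORDS[word]] += 1
    return hits


def has_cp342_marker(sdb: bytes) -> bool:
    """True when the CP 342-5 marker sits at offset 50h."""
    return sdb[CP342_OFFSET:CP342_OFFSET + len(CP342_MARKER)] == CP342_MARKER


def matches_target_profile(cpu_order_number: str, blocks: Dict[str, bytes]) -> dict:
    """Would this PLC pass the fingerprint Stuxnet applies before infection A/B?
    A match means 'this hardware looks like the target', not 'infected'."""
    sdbs = [b for name, b in blocks.items() if name.upper().startswith("SDB")]
    words = sum((count_sdb_words(s) for s in sdbs), Counter())
    cpu_ok = cpu_order_number.startswith(TARGET_CPU_PREFIXES)
    cp_ok = any(has_cp342_marker(s) for s in sdbs)
    return {
        "cpu_family": cpu_ok,
        "cp342_5": cp_ok,
        "sdb_words": dict(words),
        "profile_match": cpu_ok and cp_ok and bool(words),
    }


def indicator_blocks(blocks: Dict[str, bytes]) -> Set[str]:
    """Blocks whose presence the thread treats as an indicator, plus any block
    whose body contains the DEADF007 constant (heuristic: a legitimate program
    could use that constant too, so treat hits as leads, not verdicts)."""
    found = {name for name in blocks if name.upper() in INDICATOR_BLOCKS}
    found |= {name for name, body in blocks.items() if FC1874_MAGIC in body}
    return found


def prepended_length(current: bytes, baseline: bytes) -> Optional[int]:
    """Code-prepending check for OB1/OB35 against a known-good image.
    0 -> identical; N>0 -> baseline is intact but N bytes now run before it
    (the pattern Symantec describes); None -> changed some other way, diff it."""
    if current == baseline:
        return 0
    if len(current) > len(baseline) and current.endswith(baseline):
        return len(current) - len(baseline)
    return None


# ---- constructed sample data (not real MC7 code) -------------------------
BASELINE_OB1 = bytes.fromhex("0a0c0d0e0f1011121314")           # "known-good" OB1
PREPENDED = bytes.fromhex("fb7c00060000")                        # 6 injected bytes
SAMPLE_SDB = bytearray(0x60)
SAMPLE_SDB[0x10:0x12] = SAMPLE_SDB[0x14:0x16] = (0x7050).to_bytes(2, "big")
SAMPLE_SDB[0x18:0x1A] = (0x9500).to_bytes(2, "big")
SAMPLE_SDB[CP342_OFFSET:CP342_OFFSET + 4] = CP342_MARKER
SAMPLE_CPU = "6ES7 315-2AF03-0AB0"   # the CPU named later in this thread
SAMPLE_BLOCKS: Dict[str, bytes] = {
    "OB1": PREPENDED + BASELINE_OB1,
    "OB35": bytes.fromhex("7001") + FC1874_MAGIC + bytes.fromhex("6500"),
    "DB1": bytes(16),
    "DB890": bytes(8),
    "FC1874": bytes.fromhex("700e"),
    "SDB0": bytes(SAMPLE_SDB),
}


def run_checks(cpu: str = SAMPLE_CPU, blocks: Dict[str, bytes] = SAMPLE_BLOCKS,
               baseline_ob1: bytes = BASELINE_OB1) -> dict:
    """Run all three checks and return one report dict."""
    return {
        "profile": matches_target_profile(cpu, blocks),
        "indicators": sorted(indicator_blocks(blocks)),
        "ob1_prepended_bytes": prepended_length(blocks.get("OB1", b""), baseline_ob1),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

A positive `ob1_prepended_bytes` is the most telling result: the whole known-good OB1 is still there, something now executes before it every cycle, and that is exactly the prepending technique Symantec describes. `profile_match` being True only says the hardware would pass the fingerprint; combine it with the indicator list and the OB1/OB35 comparison before drawing conclusions.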
 
PostPosted: Sat Oct 02, 2010 1:43 pm 
Forum Community

Joined: Mon Apr 12, 2010 1:59 pm
Posts: 300
http://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects
Stuxnet Infection of Step 7 Projects
Quote:
Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to zero-day vulnerabilities.
Our research has also uncovered another method of propagation that impacts Step7 project folders, causing one to unknowingly become infected when opening an infected project folder that may have originated from a third party.

Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking CreateFile-like APIs of specific DLLs within the s7tgtopx.exe process (the Simatic manager). Any project encountered by the threat in this way may be infected. Analysis additionally shows that projects inside Zip archives may also be infected through the same method.

The infection process consists of several distinct steps:

First, Stuxnet creates the following files:

* xutils\listen\xr000000.mdx: an encrypted copy of the main Stuxnet DLL
* xutils\links\s7p00001.dbf: a copy of a Stuxnet data file (90 bytes in length)
* xutils\listen\s7000001.mdx: an encoded, updated version of the Stuxnet configuration data block
.....


http://www.symantec.com/connect/de/blogs/w32stuxnet-dossier
Quote:
When looking through our archive, we were able to find a sample from June 2009. Therefore the attackers had been active for at least a year. We would not be surprised if they started even prior to that.

w32_stuxnet_dossier.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf


Do you use DB 890 and DB 8062 in your project?
This virus is specially made for you... Who are you?


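The Symantec post above gives three concrete file paths that Stuxnet drops inside a Step 7 project folder, and notes that zipped projects are infected too. That is enough for a filesystem sweep of an engineering station or a project archive share. The scanner below is an added example written for this thread, not Symantec or Siemens code. It assumes the dropped files keep the relative paths quoted above, that a project folder is one containing a .s7p file, and that a zipped project keeps the same layout inside the archive; the sample tree built by `demo()` is constructed for illustration.

```python
"""Scan a tree of Step 7 projects for the files Symantec reports Stuxnet drops.

Added example for this thread, not Symantec or Siemens code.  It assumes the
dropped files keep the relative paths quoted above, that a project folder is
one that contains a .s7p file, and that zipped projects keep the same layout.
The sample tree built by demo() is constructed for illustration.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Relative path inside the project folder -> expected size (None = unknown).
STUXNET_PROJECT_FILES = {
    "xutils/listen/xr000000.mdx": None,  # encrypted copy of the main Stuxnet DLL
    "xutils/links/s7p00001.dbf": 90,     # copy of a Stuxnet data file, 90 bytes
    "xutils/listen/s7000001.mdx": None,  # encoded, updated configuration block
}


def find_projects(root: Path) -> List[Path]:
    """Every folder under root that holds a .s7p file (case-insensitive)."""
    return sorted({p.parent for p in root.rglob("*") if p.suffix.lower() == ".s7p"})


def scan_project(project_dir: Path) -> Dict[str, str]:
    """Check one project folder.  Returns relative path -> finding; empty = clean."""
    findings: Dict[str, str] = {}
    for rel, expected in STUXNET_PROJECT_FILES.items():
        target = project_dir / rel
        if not target.is_file():
            continue
        size = target.stat().st_size
        if expected is not None and size != expected:
            findings[rel] = f"present, {size} bytes (expected {expected})"
        else:
            findings[rel] = "present"
    return findings


def scan_zip(archive: Path) -> Dict[str, str]:
    """Look for the same relative paths inside a zip archive (projects are
    often exchanged zipped, and Symantec says those get infected too)."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/").lower()
            for rel in STUXNET_PROJECT_FILES:
                if name.endswith(rel):
                    findings[rel] = f"present in archive as {info.filename}"
    return findings


def scan_tree(root) -> Dict[str, Dict[str, str]]:
    """Scan all project folders and zip files under root; only hits are returned."""
    root = Path(root)
    report: Dict[str, Dict[str, str]] = {}
    for proj in find_projects(root):
        hits = scan_project(proj)
        if hits:
            report[str(proj.relative_to(root))] = hits
    for archive in root.rglob("*"):
        if archive.suffix.lower() == ".zip":
            hits = scan_zip(archive)
            if hits:
                report[str(archive.relative_to(root))] = hits
    return report


def demo() -> Dict[str, Dict[str, str]]:
    """Build a constructed sample tree (one clean project, one carrying the
    dropped files, and a zip of the infected one) and scan it."""
    base = Path(tempfile.mkdtemp(prefix="s7scan_"))
    clean = base / "clean_proj"
    (clean / "xutils" / "listen").mkdir(parents=True)
    (clean / "clean.s7p").write_bytes(b"constructed sample")
    bad = base / "infected_proj"
    for rel, size in STUXNET_PROJECT_FILES.items():
        path = bad / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * (size or 64))   # constructed placeholder content
    (bad / "site.s7p").write_bytes(b"constructed sample")
    with zipfile.ZipFile(base / "infected_copy.zip", "w") as zf:
        for path in bad.rglob("*"):
            if path.is_file():
                zf.write(path, str(path.relative_to(base)))
    return scan_tree(base)


if __name__ == "__main__":
    for location, hits in demo().items():
        print(location)
        for rel, finding in hits.items():
            print(f"  {rel}: {finding}")
```

Point `scan_tree()` at a project archive share to sweep every project at once; a hit means the project folder has been touched by an infected Simatic Manager and should be quarantined, not opened, since opening it is the propagation step the post describes.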
 
PostPosted: Wed Oct 20, 2010 10:10 am 

Joined: Mon Jul 28, 2008 12:06 pm
Posts: 54
Location: Russia
see video:
http://www.tofinosecurity.com/sites/def ... Global.swf


 
PostPosted: Thu Oct 28, 2010 6:38 pm 

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
Schneider Electric Industry Business’s Response to the Stuxnet Malware Issue
http://rapidshare.com/files/427620070/Stuxnet_Citect.rar
or
http://narod.ru/disk/26682797000/Stuxnet_Citect.rar.html
Quote:
Stuxnet malware was targeted at Siemens control systems and therefore will not directly impact Schneider Electric systems. However, as the cyber security landscape evolves, users should continuously reassess their security policies and protocols to mitigate against future attacks.

For more information on defense-in-depth strategies, you can review the PlantStruxure™ System Technical Note - How can I protect a system from cyber attacks?
http://www.citect.com/documents/STN_Ethernet.pdf


 
PostPosted: Sat Nov 13, 2010 2:22 pm 
Forum Community

Joined: Mon Apr 12, 2010 1:59 pm
Posts: 300
http://www.symantec.com/connect/blogs/stuxnet-breakthrough
symantec, 11/13/2010 wrote:
However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland («Vacon») and the other in Tehran, Iran.
This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.
...
Video
http://www.youtube.com/watch?v=cf0jlzVC ... r_embedded

Stuxnet Dossier v1.3 (13 November 2010)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Stuxnet Dossier v1.3, p.42 wrote:
The PLC is infected.
• Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records
• The CPU records the CP-342-5 addresses.
• The frames are examined and the fields are recorded.
• After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.


 
PostPosted: Sun Nov 14, 2010 3:29 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Who's lying?
http://www.symantec.com/connect/blogs/stuxnet-breakthrough
(boom)
In the Symantec demo example = CPU S7-315 2DP (6ES7 315-2AF03-0AB0) with a digital output module,
with a simple program = main organization block OB1 with simple code (1 timer and 1 output).
We see that the Stuxnet virus kills the simple control system immediately at startup!
Can the virus destroy any S7 control system!?
It does not check the hardware configuration and the program.
It starts immediately at startup.
And is everything written about the intelligence of the virus a lie?
No one can be believed :(

To Langner
Not only Russian experts build automation facilities in Asian countries.
For example, many Finnish companies operate in the region.

The distribution pattern and mass infection suggest that the virus spreads primarily at the everyday level - from hand to hand (from USB stick to USB stick) and not via the Internet.
How much time would be necessary to infect the area alone?

Maybe it is easier to sell in the region a batch of cheap USB sticks/photo memory cards with the virus preinstalled?
This may explain the infection in Indonesia - there is no reactor there.

According to probability theory it could be carried onto the target facility.
Therefore, one cannot assert that the virus was spread by "stupid" Russian specialists from ASE and "Power Machines".

Russian wrote:
In the demo example = 1 CPU with an I/O module with the simplest program, consisting of block OB1 with one branch of code, which has one timer and one output.
We see that the virus kills the simple control system immediately at startup = it just dumbly switches on the single output.
It turns out that the virus can destroy any S7 control system?!
It does not check the hardware configuration or the control program.
It starts immediately at startup.
And is everything they write about the intelligence of the virus a lie?
No one can be believed.

A rebuke to the russophobe Langner.
Not only Russian specialists build automation facilities in Asian countries.
For example, many Finnish companies work in this region.
The pattern of spread and the mass scale of infection show that the virus spreads first of all at the everyday level - from hand to hand, and not via the Internet.
How much time would it take to infect this territory alone?
Maybe it is easier to sell in the region a batch of cheap memory cards with the virus already installed?
This could explain the infection of Indonesia - there are no reactors there.
By probability theory it can be carried onto the target facility.
Therefore one cannot assert that the virus was spread by "stupid" Russian specialists from Atomstroyexport and Power Machines.


 
PostPosted: Wed Nov 17, 2010 11:31 am 

Joined: Tue May 12, 2009 12:50 pm
Posts: 66
Hi

I was wondering if anyone has the Stuxnet PLC code?

Just the pure STL code that Stuxnet injects in the PLC(s ?), not the windows stuff (which I'm not gonna understand anyway)...

Has anyone tested the Stuxnet PLC code with S7 Doctor?
viewtopic.php?f=1&t=3293&p=32534&hilit=s7+doctor#p32534

Update:

Found this: http://tuts4you.com/download.php?view.3011

It claims the .rar is Stuxnet, but I am not sure.
Anyway, I'll try to set up a test environment to check it.


Last edited by sanruku on Wed Nov 17, 2010 12:18 pm, edited 1 time in total.

 
PostPosted: Wed Nov 17, 2010 6:35 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Quote:
It claims the .rar is Stuxnet, but I am not sure.

Yes, this is Stuxnet. Very dangerous.
KIS 2009 with the latest bases (17/11/2010) does not detect it :(
KIS 2011 detects all of it.
1. Test only on a separate computer.
2. Do not insert the infected memory card anywhere.
3. The USB flash drive does not always get infected. To check the USB stick/memory card, it can be viewed from DOS (boot from an old CD) with Norton Commander (show hidden files).


Quote:
KIS 2009 with today's bases did not even squeak :(
KIS 2011 detected it.
1. Test only on a separate computer.
2. Do not insert infected memory cards anywhere.
3. The flash drive does not always get infected. To check a memory card you can look from DOS with Norton Commander showing hidden system files.



About Gas Centrifuge
http://translate.google.com/translate?j ... ndex.shtml
Quote:
Its essential element is a rotor (8) - a cylinder rotating at high speed in a low-pressure gas.
Here is a diagram of a so-called subcritical centrifuge, which means that the operating speed of the rotor is below its first resonant frequency.
As the rotor speed increases, it successively passes through the frequencies at which resonant vibrations occur, caused by the mechanical properties of the rotating system. (* By the way, the turbine at the Sayano-Shushenskaya hydroelectric plant fell apart for precisely this reason - but it was built on Omron.)
A centrifuge operating at a rotor rotation frequency above the resonance is called supercritical.

and
http://translate.google.com/translate?j ... sentrifuga


 
PostPosted: Sun Jan 16, 2011 8:57 pm 

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
http://query.nytimes.com/search/technol ... et&x=9&y=6
http://topics.nytimes.com/top/reference ... &st=Search
Updated: Jan. 15, 2011

Siemens security test
2008 Automation Summit
A Users Conference
How to crack PCS7
http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf

Russian
http://news.rambler.ru/8726068/


 
PostPosted: Tue Jan 25, 2011 10:58 pm 
Forum Community

Joined: Mon Apr 12, 2010 1:59 pm
Posts: 300
SIMATIC Security Update (updated 24th January 2011)
SIMATIC_Security_Update_V1_0_SP1.exe
https://support.automation.siemens.com/ ... d=43876783


 
PostPosted: Tue Feb 22, 2011 11:25 pm 
Faq & Info

Joined: Wed Oct 05, 2005 12:00 pm
Posts: 354
Symantec W32.Stuxnet Dossier
Version 1.4 (February 2011)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf


 
PostPosted: Sat Feb 26, 2011 6:30 pm 

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
http://translate.google.com/translate?j ... 5945.shtml
Russian wrote:
Apparently the Israeli comrades did a good job, since our specialists are still not sure about the safety of the facility http://www.rbc.ru/rbcfreenews/20110226155945.shtml


 
PostPosted: Sun Feb 27, 2011 12:11 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Oldman wrote:
http://translate.google.com/translate?js=n&prev=_t&hl=ru&ie=UTF-8&layout=2&eotf=1&sl=ru&tl=en&u=http%3A%2F%2Fwww.rbc.ru%2Frbcfreenews%2F20110226155945.shtml
Russian wrote:
видимо хорошо поработали израильские товарищи раз до сих пор наши спецы не уверены в безопасности объекта http://www.rbc.ru/rbcfreenews/20110226155945.shtml

Don't be paranoid, Langner style.
Even without Stuxnet there are many reasons to unload the fuel on "safety" grounds.
June 3, 2002
http://translate.google.com/translate?j ... asp%3F6068
http://nuclearno.ru/text.asp?6068


PostPosted: Thu Mar 31, 2011 7:18 pm 

Joined: Tue Jun 27, 2006 8:52 am
Posts: 500
Location: Russia
Symantec in RUSSIAN
Translation of the Symantec report with the Stuxnet code analysis:
http://www.phocus-scada.com/rus/pub/Stuxnet-CodeAnalys-rus.pdf

Thanks to "NAUTSILUS" Ltd., Moscow

Comments on the translation are accepted at:
http://asutpforum.spb.ru/viewtopic.php?f=13&t=1603


PostPosted: Wed Jul 06, 2011 10:50 pm 
Faq & Info

Joined: Wed Oct 05, 2005 12:00 pm
Posts: 354
Potential Password Security Weakness in SIMATIC Controllers = potential external attack on password-protected S7 PLCs
http://support.automation.siemens.com/WW/view/en/51401544

ICS-ALERT-11-186-01 - PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
July 5, 2011
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf


PostPosted: Sat Jul 23, 2011 1:36 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
One year later
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/4/
Quote:
Even the hard-coded Siemens database password had been previously exposed.
In April 2008, someone using the name “Cyber” had posted it online to German and Russian technical forums devoted to Siemens products.

This is not our Cyber.
Ours has a total of 2 posts, about RSLogix, in 2007.
==============
But it does exist:
Russian http://iadt.siemens.ru/forum/viewtopic.php?p=32066&highlight=#32066
English http://translate.google.com/translate?j ... 3D%2332066
Quote:
Quote:
Posted: May 3, 2005 11:42 Post subject: User WinCCConnect
Found a password for the integrated user of the WinCC 6 database; anyone interested, ask by private message ;)

Cyber wrote:
Posted: April 11, 2008 19:27
login='WinCCConnect' password='2WSXcder'
login='WinCCAdmin' password='2WSXcde'

Our Cyber is not the Cyber of 2008.
They are trying to pin the problem on the 2008 Cyber (from the official forum), although it had been known at least 3 years earlier.


PostPosted: Wed Oct 19, 2011 8:00 pm 

Joined: Fri May 13, 2011 8:49 pm
Posts: 4
W32.Duqu = The precursor to the next Stuxnet
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
Quote:
On October 14, 2011, we were alerted to a sample by a research lab with strong international connections that appeared very similar to the Stuxnet worm from June of 2010.
The threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party.
The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.


PostPosted: Wed Oct 19, 2011 10:38 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Lately Kaspersky shows a nasty message when you run Simatic EKB Install.
I do not know what the "password store" is.
Maybe it is a reaction to:
1 - reading the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Siemens - this is done to determine the installed Siemens software and fill in the "Required/installed keys" window.
2 - using the MS Crypt functions to decrypt the encrypted EKB keys.
An example of running an older version of the program and its results, depending on the choice of trust type.


PostPosted: Thu Oct 20, 2011 12:26 am 
Site Admin

Joined: Wed Sep 06, 2006 3:03 pm
Posts: 1089
Location: CIS
CoMod wrote:
I do not know what the "password store" is.

Kaspersky just detects reads from the folders c:\Documents and Settings\User\Application Data\Microsoft\Crypto\ and c:\Documents and Settings\User\Application Data\Microsoft\Protect\, nothing more...
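As an added example (not code from either post, from Siemens or from Kaspersky), a small triage script that applies the two observations above to constructed Process Monitor-style CSV lines: reads of HKLM\SOFTWARE\Siemens are product inventory, and any read under the user's Microsoft\Crypto\ or Microsoft\Protect\ folder (the DPAPI key store) is what trips the "password store" warning. The process names and paths in the sample are made up; the folder and registry patterns are the ones named in the posts.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: four columns of a Process Monitor CSV export, paths made up.
# The EKB tool shows both behaviours the posts list; notepad shows neither;
# the third process reads only the DPAPI key store (a hypothetical stealer).
SAMPLE_LOG = """\
"Process Name","Operation","Path","Result"
"Simatic_EKB_Install.exe","RegOpenKey","HKLM\\SOFTWARE\\Siemens","SUCCESS"
"Simatic_EKB_Install.exe","RegEnumKey","HKLM\\SOFTWARE\\Siemens\\Automation","SUCCESS"
"Simatic_EKB_Install.exe","ReadFile","C:\\Documents and Settings\\User\\Application Data\\Microsoft\\Crypto\\RSA\\S-1-5-21-1\\6a1b","SUCCESS"
"Simatic_EKB_Install.exe","ReadFile","C:\\Documents and Settings\\User\\Application Data\\Microsoft\\Protect\\S-1-5-21-1\\Preferred","SUCCESS"
"notepad.exe","ReadFile","C:\\Documents and Settings\\User\\My Documents\\notes.txt","SUCCESS"
"notepad.exe","RegOpenKey","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows","SUCCESS"
"stealer.exe","ReadFile","C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1\\7f3c","SUCCESS"
"""

# The registry prefix (after normalisation) and the two folder names from the thread.
# Matching on the folder name alone covers both the XP "Application Data" and the
# Vista+ "AppData\Roaming" layout.
RULES = (
    ("siemens_inventory", re.compile(r"^HKLM\\SOFTWARE\\Siemens(\\|$)", re.IGNORECASE)),
    ("dpapi_store", re.compile(r"\\Microsoft\\(Crypto|Protect)\\", re.IGNORECASE)),
)


def classify(path):
    """Label one path; Procmon writes either HKLM or HKEY_LOCAL_MACHINE."""
    normalised = path.replace("HKEY_LOCAL_MACHINE", "HKLM")
    for label, pattern in RULES:
        if pattern.search(normalised):
            return label
    return "other"


def triage(log_text):
    """Return {process name: {label: count}} over every row of the export."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[row["Process Name"]][classify(row["Path"])] += 1
    return {proc: dict(labels) for proc, labels in counts.items()}


def verdicts(per_process):
    """Apply the rule as the post describes it: any touch of the Crypto or
    Protect folder raises the 'password store' warning; the Siemens registry
    read is product inventory and is not a signal on its own."""
    return {
        proc: ("password-store warning" if labels.get("dpapi_store") else "clean")
        for proc, labels in per_process.items()
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for proc, labels in summary.items():
        print(proc, labels, "->", verdicts(summary)[proc])
```

Run it on a real export by passing the CSV text to triage(). The verdict is deliberately as blunt as the heuristic described above: a licensing tool that decrypts its own keys through CryptoAPI and a stealer reading DPAPI master keys get the same warning, and telling them apart still needs a look at what the process does with the data afterwards.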


PostPosted: Sat Oct 22, 2011 10:04 am 
Faq & Info

Joined: Wed Oct 05, 2005 12:00 pm
Posts: 354
Currently, this DuQu virus does not pose a direct threat to control systems.
It does not contain the anti-PLC module.

Symantec
http://www.symantec.com/connect/blogs/duqu-status-update-1
http://www.symantec.com/connect/blogs/duqu-updated-targeting-information
The latest version of the Symantec white paper includes new information, such as details on further components we observed being downloaded onto a compromised machine.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Gostev from Kaspersky about DuQu http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One
In Russian: http://www.securelist.com/ru/blog/40797/Tayna_Duqu_chast_pervaya
http://www.securelist.com/ru/blog/40793/Duqu_FAQ


PostPosted: Wed Nov 02, 2011 9:06 pm 
Faq & Info

Joined: Wed Oct 05, 2005 12:00 pm
Posts: 354
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
Quote:
The DuQu installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution.


PostPosted: Sat Nov 19, 2011 12:05 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
You still have not disconnected your control system from the Internet?
Then they will come to you (boom)
http://www.washingtontimes.com/news/2011/nov/18/hackers-apparently-based-in-russia-attacked-a-publ/?utm_source=RSS_Feed&utm_medium=RSS
Washington Times, Friday, November 18, 2011: Intrusion on water tower wrote:
Hackers apparently based in Russia attacked a public water system in Illinois last week and damaged one of its pumps.
The “Public Water District Cyber Intrusion” report gives details about the attack, saying it had resulted in the “burn out of a water pump” and had been traced to an Internet address in Russia.
Federal officials said they were investigating the incident but played it down, implying that the report might be wrong.


PostPosted: Mon May 28, 2012 5:12 pm 

Joined: Tue Oct 24, 2006 3:01 pm
Posts: 70
Location: Ukraine
Comparison of Antivirus Software for Detecting Various Types of Stuxnet

In this article we look at security products that are the main tools for disinfecting malware.
We compare them with each other for detecting various types of Stuxnet malware across seven infected PCS7 projects.
See the results

http://www.controlglobal.com/articles/2012/stuxnet-iranian-view.html


PostPosted: Thu May 31, 2012 1:36 am 
Faq & Info

Joined: Wed Oct 05, 2005 12:00 pm
Posts: 354
http://www.symantec.com/connect/blogs/f ... iddle-east


PostPosted: Wed Jul 25, 2012 11:34 am 

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
Iran's nuclear facilities attacked by a dangerous new virus
http://translate.google.ru/translate?sl ... rus_497295

Russian
http://www.cnews.ru/top/2012/07/24/yade ... rus_497295


PostPosted: Tue Jul 15, 2014 6:02 pm 

Joined: Fri Feb 16, 2007 8:53 pm
Posts: 8
Location: Croatia
Virus Stuxnet

I know Stuxnet is an old subject, but I have some questions:
1) How can we know whether the PC (programming PC, not server) is really infected by Stuxnet?
2) Can or can't Stuxnet attack OP panels of type TP177B?
3) For protection against Stuxnet, is it enough to have the antivirus program Microsoft Security Essentials installed on the PC?
4) How can we clean an infected CPU? Is it enough to delete the online program from the memory card?
5) Is it possible, before starting the PLC and after the download, to check all blocks and see whether the PLC is infected by Stuxnet?
Please can you explain these questions to me.
Thanks in advance


PostPosted: Fri Jul 18, 2014 7:28 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
The old Stuxnet is dead by its internal date limit [dead]
KIS2014 detects it (try the KIS trial version)

After Stuxnet, new viruses were released - from Israel, the USA and China :(

Use LINUX or MSDOS for testing a USB flash stick - you can view HIDDEN files (photo = screenshot for MSDOS)

Microsoft Security Essentials??
= NSA/CIA and the new Edward Joseph Snowden?

Can or can't Stuxnet attack OP panels of type TP177B??
Possibly the TP177B is self-dead without any virus :)
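As an added example (not code from the post or from Siemens), a Python listing you can run from a Linux box against a mounted stick, doing what the reply above suggests: show every entry, hidden ones included, and point out the two kinds of files Stuxnet used on removable media, .lnk shortcut files in the 2010 samples (they fired as soon as Explorer drew the folder, which is why just viewing the stick was enough) and autorun.inf in the earlier ones. MOUNT_POINT, the file names and the sample contents are assumptions. FAT hidden/system attributes are not visible through the Linux VFS, so the script lists everything rather than trusting any hidden flag; on an infected Windows PC the malware's driver hides these files from Explorer anyway, which is the reason to look from another OS.

```python
import os
import tempfile

MOUNT_POINT = "/mnt/usb"  # hypothetical; mount the stick with -o ro,noexec,nodev first

FLAG_EXT = {".lnk"}           # 2010 samples: shortcut files, triggered on folder view
FLAG_NAMES = {"autorun.inf"}  # earlier samples: autorun trick


def scan_removable(root):
    """Walk root and return (relative path, reason) for every entry, including
    those a Windows GUI would hide. reason is 'lnk', 'autorun', 'dotfile' or ''.
    os.walk never skips dotfiles, unlike a GUI file manager or plain ls."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()    # in-place sort makes the walk order deterministic
        filenames.sort()
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if os.path.splitext(lower)[1] in FLAG_EXT:
                reason = "lnk"
            elif lower in FLAG_NAMES:
                reason = "autorun"
            elif name.startswith("."):
                reason = "dotfile"
            else:
                reason = ""
            findings.append((rel, reason))
    return findings


def suspicious(findings):
    """Only the entries worth examining on an isolated box (never by double-click)."""
    return [f for f in findings if f[1] in ("lnk", "autorun")]


def build_sample(root):
    """Constructed stick contents for an offline run: one ordinary document tree,
    a shortcut, an autorun file, and a dot-directory a GUI would not show."""
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, ".Trashes"))
    for rel in ("Report.pdf", "shortcut.lnk", "autorun.inf",
                os.path.join("docs", "spec.docx"),
                os.path.join(".Trashes", "._photo.jpg")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample\n")


def demo():
    """Build the sample in a temporary directory, scan it and return the list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_removable(tmp)


if __name__ == "__main__":
    # Scan the real stick if it is mounted, otherwise the constructed sample.
    results = scan_removable(MOUNT_POINT) if os.path.ismount(MOUNT_POINT) else demo()
    for rel, reason in results:
        print(f"{reason or '-':8} {rel}")
```

Mount the stick read-only with noexec, run the script, and treat any .lnk or autorun.inf on a stick that only ever carried project files as a reason to image the stick and the PC it came from, not to open the file. File names are not a signature, so the list is something to read, not a verdict.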


PostPosted: Fri Sep 12, 2014 8:13 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
ONLY http://plcforum.uz.ua PLACES ORIGINAL LINKS TO EKB INSTALL
WITHOUT BACKDOOR
Our project is not commercial
We do not earn money on the links
So if you do download, download from the time-proven original source
Romanians are making money by relinking our (your) links
And now they also distribute a modified EKB Install - beware of backdoors and viruses in their "re-issued" version


PostPosted: Sun Dec 18, 2016 1:31 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Wait for the new version of ObamaNet (h)
Obama Confronts Complexity of Using a Mighty Cyberarsenal Against Russia
http://www.nytimes.com/2016/12/17/us/politics/obama-putin-russia-hacking-us-elections.html

Russia, Ufa, 2016/07/16, 5 dead... Clintax64

Stuxnet lives anew (boom)


PostPosted: Wed Mar 08, 2017 4:00 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Russian hackers... yes yes... Putin hacker... PocketPutin_v7
Pocket Putin WinCC Server :)

Vault 7: CIA Hacking Tools Revealed
https://wikileaks.org/ciav7p1/cms/page_13763491.html#efmBJBBJMBJ9BKIBNbBNmBN1BOBBP8BQHBQaBQmBR7BSGBSYBSk


 Post subject: Fake news
PostPosted: Thu Apr 20, 2017 1:56 pm 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
http://www.dw.com/en/reports-german-government-plans-cyberattack-hackback-ahead-of-election/a-38506101
Quote:
In government circles, for example, this would include an attack on an electricity grid or another hacking of the Bundestag - Germany's lower house of parliament. In this case, it would also be possible to remove the servers on which stolen parliament data is located.



PostPosted: Sat May 13, 2017 8:26 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 3018
Location: Russia
Back up to an external HD/DVD and update your antivirus !!!
Global attack (boom)

Make backup copies of important data on external media


PostPosted: Mon May 15, 2017 1:16 pm 

Joined: Thu Dec 10, 2009 10:43 pm
Posts: 49
Security patch for old Windows: https://blogs.technet.microsoft.com/msr ... t-attacks/ ; for new Windows: https://technet.microsoft.com/en-us/lib ... 7-010.aspx


PostPosted: Tue Jun 13, 2017 4:43 pm 

Joined: Thu Dec 10, 2009 10:43 pm
Posts: 49
Win32/Industroyer: a new threat to industrial control systems

