Havex RAT

I believe the last time ICS-CERT announced malware that specifically attacked a control system product or protocol was back on July 20, 2010. At that time I naively railed that DHS / INL / ICS-CERT should be thoroughly investigating this and determining the impact to control systems. After they essentially and intentionally dropped the ball, I was encouraging the guy in the ICSsec community that knew the most about Siemens’ products and protocols to dig into it. Ralph Langner and his team, along with some great work from Symantec, did the analysis that led to the world learning about Stuxnet.

Now we have the announcement from F-Secure on the Havex RAT. There are two reasons to believe this attack is targeted at ICS. First, it is doing something with the OPC protocol. OPC is often used to transfer process data between systems from different vendors. Almost every ICS made in the last decade has an OPC interface; it is the ICS universal translator.

What it is doing to OPC servers is still unclear. If this is an early phase of an attack, it could simply be running OpcEnum to gather information about what OPC servers are on the network. Most ICS owners do not deploy the available security controls in OPC because it is difficult (even after reading a three-part white paper from Byres / Digital Bond), and it breaks necessary comms if not done right. Also, the lack of good coding practices leaves many OPC servers with vulnerabilities, some disclosed and many just waiting to be found or used.

The other reason to believe it is targeting ICS comes from F-Secure:

Of more interest is the third channel, which could be considered a form of “watering-hole attack”, as the attackers chose to compromise an intermediary target – the ICS vendor site – in order to gain access to the actual targets.

It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.

Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.

Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.

Let’s watch the post-discovery DHS / INL / ICS-CERT analysis of the Havex RAT. I’ll keep my tinfoil hat in the closet for now.

F-Secure’s discovery of this ICS malware leads to a question … shouldn’t DHS / INL / ICS-CERT be scouring malware data and samples to identify ICS malware?

I have to give Michael Toecker credit for being prescient on this. While at Digital Bond he had a Mining Malware research project and wrote a bit about it. Time and other limitations left it at primarily conceptual conclusions, but the idea had merit and likely would have identified this as ICS malware if the F-Secure or VirusTotal sample had been scanned.

Developing a process and tools to identify potential ICS malware in large sample sets seems like an ideal project for DHS / INL / ICS-CERT. Then give it away (rather than trying to sell it, à la Sophia) to those holding large sample sets, with some agreement to share the results. The ICS world would get some great threat data from the often touted, but rarely valuable, public/private partnership. Big win.
