Because the malware exploits a zero-day vulnerability in the way that Windows processes shortcut files, the malware is able to execute without using the AutoRun feature. The malware appears to launch when a USB storage device is viewed using a file manager such as Windows Explorer. These products are widely used in many critical infrastructure sectors.
SIMATIC® STEP 7 is engineering software used in the programming and configuration of SIMATIC® programmable controllers. SIMATIC® WinCC HMI is a scalable process-visualization system for monitoring automated processes.
On J, proof-of-concept exploit code for the zero-day Windows vulnerability was publicly released. ICS-CERT is currently evaluating the malware to determine the potential effects it could have on control system environments. The actual impact to control environments is not yet known. Exact software versions and configurations that may be affected are still being analyzed jointly by ICS-CERT and Siemens CERT. The malware also appears to interact with SIMATIC® WinCC or SIMATIC® Siemens STEP 7 software. There are also unconfirmed reports that Windows 2000 and Windows XP SP2 are susceptible to this zero-day vulnerability.
The full capabilities of the malware and the intent or results of the queries are not yet known. ICS-CERT has confirmed that the malware installs a trojan that interacts with installed SIMATIC® WinCC or SIMATIC® Siemens STEP 7 software and then makes queries to any discovered SIMATIC® databases. Microsoft has also released a Security Advisory (2286198) detailing the previously unknown vulnerability.
US-CERT has released a Vulnerability Note detailing the vulnerability and suggested workarounds. The malware utilizes this zero-day vulnerability and exploits systems after users open a USB drive with a file manager capable of displaying icons (like Windows Explorer).
VirusBlokAda, an antivirus vendor based in Belarus, announced the discovery of malware that uses a zero-day vulnerability in Microsoft Windows processing of shortcut files.