Researchers Create Self-Propagating Worm That Targets SCADA Equipment
June 3, 2016
Shah Sheikh (1294 articles)

Researchers Create Self-Propagating Worm That Targets SCADA Equipment

German researchers from OpenSource Security (OSS) have created a proof-of-concept worm that targets programmable logic controllers (PLCs), crucial ICS/SCADA equipment.

Their research builds on previous work by fellow German researchers, who presented at last year’s Black Hat USA conference a port scanner that can identify Internet-accessible PLCs.

The OSS team led by Ralf Spenneberg has created a worm, a self-propagating computer virus, that can live in the small memories of PLC devices, scan the local network, and spread to other similar devices.

PLC-Blaster PoC worm only works with Siemens PLCs

In their proof-of-concept code, the researchers created a worm that can infect Siemens SIMATIC S7-1200 PLCs. Nicknamed PLC-Blaster, the worm will scan the local network via port 102, shared by Siemens devices and the Inter-Control Center Communications Protocol (ICCP), to find new targets to copy itself.

After identifying a new target, the worm shuts down the device, copies its code, and reboots it. Researchers say the actual infection process works because the worm mimics the Siemens TIA-Portal and also leverages a vulnerability already patched by Siemens.

Researchers say that this kind of attacks will need the malicious actor to have access to the vulnerable network, or to compromise the PLCs before getting shipped to their customers.

Companies can detect PLC-Blaster infections

Once installed on an industrial network, PLC-Blaster executes, spreads to other devices, and then executes other types of malicious code that can damage SCADA equipment or create a DoS (Denial of Service) state for critical equipment.

Researchers also said their worm can be easily modified to target other types of PLCs, but that it is also easy to detect, thanks to the mandatory ten seconds interruption needed for the worm to copy itself.

Restating the SCADA device where the PLC is deployed won’t help since the worm is stored on the controller itself. The only method of removing the threat is to perform a factory reset.

More details about the PLS-Blocker mode of operation can be found in the research paper and this Black Hat Asia 2016 presentation.

Source | SoftPedia