Malware Forum Logs from Control Systems, Part Deux

Last September, I did a guest blog post titled “Online-Malware-Support-Shows-Infected-ICS-Computers”, where I searched HijackThis posts for automation software. Basically, there are forums available to users whose computers have been infected with viruses. These users run a set of programs, including HijackThis, DDS, OTS, and others, to pull information from the system. That information is analyzed by the forum community, and recommendations are given to those who are infected. Last year, I found data from many control systems being put on these forums because the user could not fix their computer.

With all the activity regarding Shodan and ICS recently, I figured there should be another showing of just how many ICS computers interact with the Internet, and are even potentially infected with malware. Remember, the main vectors now for infecting normal user systems are web browser exploits, malicious or compromised web pages, email phishing, and other less direct methods. I went for an electric power focus this year, locking on to several very specific programs that interact with electric power infrastructure. The programs I selected are relay configuration programs, used in electric infrastructure to configure the devices that open and close breakers on transmission and distribution lines. These programs aren’t like SCADA HMIs and OPC servers; their only purpose is to provide a user interface that allows management and reconfiguration of a digital protection relay.

The programs used for this configuration are well known in engineering circles, and the manufacturers’ own sites turn up in a Google search as well. The programs I decided to look for online are below, but there are dozens of others:

  1. Schweitzer Engineering Labs AcSELerator Software – Used to configure the entire line of SEL products, with some exceptions
  2. GE Power’s EnerVista Software – Used to configure the entire line of GE electric power protection products.
  3. The MiCOM S1 Suite of Tools for Relays – Used to configure MiCOM relays, though I’m not sure whether Schneider, Areva, or Alstom is the current vendor. I think it depends on the year.
  4. The Siemens Digsi 4 Tools – Used to configure Siemens Siprotec relays

I posted some of the results of this search on Twitter, inviting others to “Spot the ICS software”. I held back a few others, mainly because I wanted to look at them closely. The one I thought was worth some time was this one, an extremely detailed DDS log posted on May 11, 2011.

First off, this system has SEL AcSELerator QuickSet and GE EnerVista, so it was used either to review relay configurations or to install relay configurations on SEL and GE digital protective relays. Going through the installed programs also shows Beckwith’s IPScom for its integrated protection relays, Marathon Electric’s DVR2000E, a WAGO BootP server, and a bunch of other engineering and automation programs, such as Autodesk products, CoDeSys, and an IEC 61850 library. Second, the presence of an Intel zero-config wireless program (“zCfgSvc.exe”) suggests a laptop, and the presence of a RadioShack USB-to-serial driver (the kind of adapter used to reach a relay’s serial port) backs that up. Together these suggest a technician’s laptop, belonging to someone who works on a wide variety of electric power systems and other automation systems.
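The triage above (which relay software is installed, whether the host looks like a field laptop, what is infecting it, how old the OS is, and which vendor the NIC belongs to) is mechanical enough to script. The following Python is an added example written for this post; it is not a tool the author used and it does not parse the real HijackThis or DDS output formats. The sample log is constructed to resemble a HijackThis dump, and the section headers, the “Platform:” line format, the signature tables, and the one-entry OUI table are all assumptions. The program names in the tables are the ones the post mentions.

```python
"""Triage a HijackThis/DDS-style log for ICS software and host clues.

Added example for this post; not a tool the author used. The sample log
is constructed to resemble a HijackThis dump, and the line formats it
relies on are assumptions, not a parser for the real tools' output.
"""
import re

# Program names the post looked for, mapped to what they configure.
ICS_SIGNATURES = {
    "AcSELerator": "SEL AcSELerator (SEL protective relays)",
    "EnerVista": "GE EnerVista (GE protection relays)",
    "MiCOM S1": "MiCOM S1 Studio (MiCOM relays)",
    "DIGSI": "Siemens DIGSI 4 (SIPROTEC relays)",
    "IPScom": "Beckwith IPScom (protection relays)",
    "DVR2000E": "Marathon Electric DVR2000E (voltage regulator)",
    "WAGO BootP": "WAGO BootP server (PLC addressing)",
    "CoDeSys": "CoDeSys (PLC programming)",
    "IEC61850": "IEC 61850 library",
}

# Clues that the host is a field laptop rather than a fixed workstation.
LAPTOP_SIGNATURES = {
    "zCfgSvc.exe": "Intel wireless zero-config service",
    "USB to Serial": "USB-to-serial adapter driver (relay serial port)",
}

# The two rogue programs named in the post; a real list would be far longer.
ROGUE_SIGNATURES = {
    "Malware Protection Designed to Protect": "fake anti-virus",
    "Windows XP Recovery": "fake backup/recovery tool",
}

# Minimal OUI table (assumption); the Intel prefix is the one the post identifies.
OUI_VENDORS = {"00:21:5C": "Intel"}


def find_matches(text, signatures):
    """Return the description of each signature name found in the log."""
    return [desc for name, desc in signatures.items()
            if re.search(re.escape(name), text, re.IGNORECASE)]


def extract_platform(text):
    """Parse a HijackThis-style 'Platform: Windows XP SP2 (...)' line."""
    m = re.search(r"Platform:\s*Windows\s+(\w+)\s+SP(\d)", text)
    if not m:
        return None
    return {"version": m.group(1), "service_pack": int(m.group(2))}


def extract_macs(text):
    """Collect every colon-separated MAC address in the log."""
    return re.findall(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", text)


def oui_vendor(mac):
    """Map the first three octets of a MAC to a vendor via OUI_VENDORS."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def triage(log_text):
    """Summarise what a posted log reveals about the host and its software."""
    platform = extract_platform(log_text)
    outdated = bool(platform and platform["version"] == "XP"
                    and platform["service_pack"] < 3)
    return {
        "ics_software": find_matches(log_text, ICS_SIGNATURES),
        "laptop_clues": find_matches(log_text, LAPTOP_SIGNATURES),
        "rogue_software": find_matches(log_text, ROGUE_SIGNATURES),
        "platform": platform,
        "outdated_os": outdated,
        "nic_vendors": sorted({oui_vendor(m) for m in extract_macs(log_text)}),
    }


# Constructed sample log (not a real forum post) in a HijackThis-like layout.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\zCfgSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

Installed Programs:
AcSELerator QuickSet
EnerVista Launchpad
IPScom
WAGO BootP Server
CoDeSys V2.3
RadioShack USB to Serial Cable Driver
Malware Protection Designed to Protect
Windows XP Recovery

Physical Address. . . . . . . . . : 00:21:5C:5D:B4:C5
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved forum log instead of `SAMPLE_LOG` to get the same summary the post walks through by hand; the signature tables are the part worth growing, since every relay vendor has its own configuration tool and the rogue-software names change weekly.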

The laptop is infected by two pieces of malware, “Malware Protection Designed to Protect” and “Windows XP Recovery”. These are a fake anti-virus program and a fake backup/recovery program respectively, and they arrive either by drive-by download or by the user actually downloading and installing the software. That’s right: if this post is a representative sample, the cyber security and reliability of the electric power grid could be in the hands of the normal computer user who will click on and install just about anything. This technician is ahead of the game, as he recognized he had a problem and took at least some action to resolve it.

Some other interesting information from this technician’s laptop:

  • The MAC address of the network card is 00:21:5C:5D:B4:C5, whose OUI belongs to Intel (this is likely the wireless adapter, as the Ethernet adapter is a Broadcom chipset).
  • This individual has done, or planned to do, work on the GE 369, 469, 489, 745, 750, and 760 series of relays (motor, generator, transformer, and feeder protection), all of which are protection relays for smaller equipment.
  • Both Trend Micro and BigFix are installed on this system, implying that it is managed by an IT department in some way. Domain membership, an asset management suite, and a set of scripts support that.
  • Running Windows XP SP2... in 2011. I’d say for shame, but in ICS you’d still walk away with par.
  • The domain name for the system is shown in the event logs, which leads me back to the contracting company. The username is shown as well, which... you get the picture.

So, what’s the point of this exercise? Well, relay configuration programs are usually installed on laptops assigned to power engineers or relay technicians. Most often, these laptops are also used for email, web browsing, word processing, and other standard office functions. With the relay program, the engineer configures the protection settings, which tell the relay under what conditions to automatically trip the line out. A technician then loads the configuration onto the protection relay over either a network connection or a serial cable. With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file before it is loaded, inject bad data designed to halt the relay, or even send commands directly to the relay whenever a connection is made. While the NERC CIP-005 standard (Electronic Security Perimeters) could help mitigate connections over a routable IP network, a serial connection falls outside that perimeter model and could still be allowed under the current regulations.

If you’re interested in seeing a few more of these systems, enjoy the links below. As always, comments and questions are more than welcome.

  • http://hjt.iamnotageek.com/log-866407.html – Enervista – 2010-10-06
  • http://forums.techguy.org/virus-other-malware-removal/792196-need-help-window-xp-sp2.html – EnerVista – 1/19/2009
  • http://hjt.iamnotageek.com/log-944183.html – AcSELerator
  • http://forums.malwarebytes.org/index.php?showtopic=17422 – 6/12/2009 – AcSELerator
  • http://www.bleepingcomputer.com/forums/topic399405.html – AcSELerator, with lots of detail.
  • http://hjt.iamnotageek.com/log-950794.html – MiCOM S1 STUDIO
  • http://www.bleepingcomputer.com/forums/topic237006.html – MiCom S1 Studio
  • http://www.informationsarchiv.net/topics/68901/ – Siemens Digsi 4 – Recommend translation from German.
  • http://www.trojaner-board.de/89470-png7tqx2-dll-enthielt-tr-spy-585728-35-trojan.html – Digsi 4

title image by Salim Virji

6 comments to Malware Forum Logs from Control Systems, Part Deux

  • Too scary. I would be interested in knowing if you have similar information on control systems at a chemical and/or pipeline facility?

  • I can modify some of my searches to see. If you have any specific software you’ve seen exclusively (or semi-exclusively) in chemical or pipeline facilities, let me know.

    It bears mentioning that chemical facilities use pumps, which have motors, which need motor protection systems, and the software for that is the dump I had in this post. Not a smoking gun, but it sure smells like cordite.

    Mike

  • Hi Michael,
    Some good observations. Lately I am researching the cyber security situation in Critical Infrastructure and I find the same story all over the place. It is surprising that people know about the security issues of the internet but do not seem to see the impact of direct or indirect connections of their ICS systems.
    I am wondering if anyone really takes action and creates a security plan for their environment.

    Marc

  • What September blog post? It’s not in the archive, Google cache or archive.org.

  • J.D. Abolins

    I was looking for the earlier blog post Michael Toecker mentioned above, and I found a URL at Digital Bond, but the post is gone from

    http://www.digitalbond.com/2011/08/29/online-malware-support-shows-infected-ics-computers/

    It is not in some of the more common online Web site caches either.

  • Everyone, my apologies. I’ve been looking for the previous version of this blog post in the archives as well, and it is definitely not there. We think it’s a problem with how I was added to the system last year.

    I’m going through my backups this week, and will see if I have it in there. If so, I’ll repost as a page, and let you know.

    Since it’s missing right now, consider it a sublime work of brilliance until I get it back.

    Mike
