Wednesday, October 22, 2008

Malware targeting industrial control software(?)


So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.

Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...

Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.

hxxp://www.wackystone.com/counter/IConics.htm

In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in the dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [http://www.milw0rm.com/exploits/6570].

Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?

A quick decode of the ucs2 encoded payload reveals:

hxxp://www.wackystone.com/counter/taskmgr.exe

The exploit downloads taskmgr.exe, a dropper that installs a second stage piece of malware. I've not downloaded that as yet so I don't know the actual payload or it's function.

I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.

/dean
dean de beer

2 comments:

Michael Janke said...

Attacking industrial controls and instruments would be an interesting path to pursue if someone wanted to be rude.

Our experience with network security and HVAC vendors is pretty negative. They've tended to bring in a whole infrastructure to manage heating and cooling for an entire campus, then run it from an unsecured desktop that has full internet access. In the case of simple campus HVAC, the hacker could heat/cool the buildings or other misc. misdeeds, but no real harm would be done.

Iconics appears to dabble in building security though, and even uses the Pentagon as a reference. I can see why that might be an application worth targeting.

dean de beer said...

You have to wonder whether or not there was any real motive aside from another attack vector in their list.

This site seems to be mirrored identically by www.tomi2008.com. eg: www.tomi2008.com/ipstat/index.htm

I'm hoping it's just the malware authors being opportunistic and nothing more.