So FireEye and Mandiant have access to VirusTotal
Sounds like malware writers will be testing their code against their own stash of AV in future.
I wonder who else has access to look at the malware and 0days. Not Sure Actually.
FireEye threat researchers have found a complex malware instance that borrows tricks from Stuxnet and is specifically designed to work on Siemens industrial control systems. Josh Homan, Sean McBride, and Rob Caldwell named the malware "Irongate" and say it is probably a proof-of-concept that is likely not used in the wild. …
"Industrial control system malware are complex beasts in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems."
True, based in no small part on the desire of the makers to keep their stuff proprietary and on the fact that quite often a new proprietary system is based on an old proprietary system. Which often has the effect that something that started as a crude workaround in V1.0 has mutated into an internal standard by V4.0 or whatever.
That being said, once you know something about one system it's relatively easy to spot the similarities in other systems by the same maker. Or systems that use components made by that maker.
Plus, there is a lot of documentation 'out there' that should have remained proprietary, but isn't. There are just too many people involved.
As to Siemens, there is a very old joke: "Does it have to work, or could it also be something from Siemens?" (in the original German: "Muß es funktionieren, oder darf's auch was von Siemens sein?")
Industrial control system malware are complex beasts in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.
- You mean creating malware for exploiting SCADA systems, right?
- This is pretty much the way it is for many systems. Not limited to SCADA.
- Still not sure if it's the malware which is a complex beast or the SCADA system.
The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.
- Steep learning curve limits the risk? This is hardly a mitigation to score risk against. Multiple vulnerabilities trump the 'learning curve' any day given the probable damage
- Even in this case, if we simulate a high difficulty in launching an attack (different from a 'learning curve'), it's still high risk given the probable damage.
- ...and of course, unless someone creates an automated application so anyone can launch the attack against this particular application/system.
The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human machine interfaces to replay it in a bid to mask anomalies during attacks.
- Hardly unique. This technique has been employed for YEARS in various forms
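The replay trick quoted above hides what the process is really doing by showing the operator a recording of earlier "normal" readings. A defender-side check, added here as an example and not code from FireEye or the Irongate report: genuine noisy analogue readings almost never repeat exactly, so an exact copy of an earlier window of samples is a strong replay indicator. The window size, the flat-window threshold and the pressure readings are all constructed for the example.

```python
"""Replay-window detector for HMI process data (added example, not Irongate
code). Noisy analogue readings almost never repeat exactly, so an exact copy
of an earlier window is a strong sign of replayed traffic; flat windows are
skipped because a steady setpoint or status word would legitimately repeat."""

WINDOW = 8          # samples per comparison window (assumed tuning value)
MIN_DISTINCT = 3    # a window with fewer distinct values is treated as 'flat'


def find_replayed_windows(samples, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return (replay_index, source_index) for each window of `window`
    consecutive samples that exactly repeats a non-overlapping earlier window."""
    first_seen = {}   # window contents -> index where it first occurred
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if len(set(key)) < min_distinct:
            continue  # flat signal: exact repeats are expected, not suspicious
        src = first_seen.get(key)
        if src is not None and i >= src + window:
            hits.append((i, src))
        else:
            first_seen.setdefault(key, i)
    return hits


def replayed_segments(samples, window=WINDOW):
    """Merge consecutive window hits into (start, end, source_start) segments."""
    segments = []
    for idx, src in find_replayed_windows(samples, window):
        last = segments[-1] if segments else None
        if last and idx == last[1] + 1 and src == last[2] + (idx - last[0]):
            last[1] = idx          # extends the current replayed run
        else:
            segments.append([idx, idx, src])
    return [(s, e + window - 1, src) for s, e, src in segments]


# Constructed sample: 16 genuine pressure readings, then the attacker replays
# the first 12 of them to the HMI while the real process is doing something else.
GENUINE = [50.1, 50.4, 49.8, 50.2, 50.6, 49.9, 50.3, 50.0,
           50.5, 49.7, 50.2, 50.1, 49.6, 50.3, 50.4, 49.9]
SEEN_BY_HMI = GENUINE + GENUINE[:12]

if __name__ == "__main__":
    for start, end, src in replayed_segments(SEEN_BY_HMI):
        print(f"samples {start}-{end} replay samples {src}-{src + end - start}")
```

A real deployment would run this per tag on the capture taken at a network tap, not on the HMI itself, since the HMI is the side being fed the replay.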
"Irongate is also capable of evading VMware and Cuckoo sandboxes"
So maybe all windows software should be run in a VM?
OK specialised PCI cards, etc, are an exception, but if we are only talking supervision via USB/RS232 and the time-critical stuff is handled directly on the PLC, what is there not to like?