By Gregory Hale
Malware has always been a big security issue, but taking a step back and understanding what to do when an inevitable attack occurs is vital.
“Understanding it is not about everyone is going to die or everyone is going to live; there is a lot of wiggle room out there,” said Ben Miller, director of threat operations at Dragos, during his keynote address at DHS’s ICS-CERT ICSJWG Spring 2017 conference in Minneapolis, MN, Tuesday.
Miller said there is plenty of infected ICS software in the industry, and that understanding becomes even clearer when public reports contribute to the discovery of threats. He did say, though, that ICS-themed malware is not uncommon and that, oftentimes, untrained IT security teams submit sensitive ICS files and leave them in a public space where anyone can retrieve them.
When it comes to attacks, Miller said that in an annual ICS-CERT report, 37 percent of attacks were unknown and 37 percent came from spear phishing. That means a good portion of attacks are malware related.
Miller then went on to give definitions to bring everyone up to date on the terminology.
“Malware is not a virus, however a virus is malware,” he said. A Trojan is a compromise designed to give a third party remote access, whereas a virus has self-propagating functionality. Stuxnet, he said, was an example of a virus.
In addition, a dropper delivers a payload containing something like a remote access Trojan, whereas a downloader will issue a payload full of software, which can then propagate or bring in more malware.
Miller said he conducted research that collected 15,000 samples of malware over three months. He found malware was more targeted than he thought.
It is easy to remember the big attacks that affected very few people, like Stuxnet, which was a virus that helped disable centrifuges at the Natanz, Iran, nuclear enrichment site. The virus, created in a joint effort between Israel and the United States to help set back the Iranian nuclear program, made centrifuges run wildly out of control as operators saw everything running as normal.
But Miller said users should focus on smaller unknown viruses like Virut and Sality rather than the huge rare viruses like Stuxnet.
“You are more likely to get impacted by Virut than Stuxnet,” he said.
In comparing Virut to Sality, Miller found Virut doesn’t need Internet Relay Chat (IRC) to spread, infects current processes and uses command and control via IRC. Sality, on the other hand, is a pay-per-install botnet that infects current processes and has executables on drives.
Unlike Stuxnet, these viruses stand the test of time as 2012 is the last known iteration of Sality, he said.
He mentioned some attacks in various ICS environments where a form of malware was in play.
GFI SandBox reported an intrusion in which malware with a nuclear focus ended up delivered.
There was a Siemens-themed downloader, full of malware, dating back to November 2013 and even up to last month. He said he was not sure where it came from. It downloads a binary to retrieve a series of other payloads.
There was also an Allen Bradley-themed ransomware attack that went out last summer, according to an ISSSource report.
One of the areas where attackers gain an advantage is when people use Google’s VirusTotal to check for malware issues. VirusTotal is a free virus, malware and URL online scanning service.
“Non ICS-trained teams are submitting ICS code and software to VirusTotal putting ICS information on public files,” Miller said. “We also found NRC documents on VirusTotal that gave details in a zip file of things like maintenance reports. Important details.”
“From an adversary perspective, it is a great tool to create their own lab. It is all public data,” Miller said.