According to Byres, however, changing the WinCC password would prevent critical components of the system from interacting with the WinCC system that manages them. “My guess is you would basically disable your whole system if you disable the whole password.”
To get past Windows systems that require code to carry a valid digital signature, a common configuration in SCADA environments, the virus's files are signed with a code-signing certificate issued to semiconductor maker Realtek. The virus executes whenever a victim views the contents of an infected USB stick. A technical description of the virus can be found here (pdf).
It's unclear how the authors of the virus were able to sign their code under Realtek's certificate, but it suggests that Realtek's private code-signing key has been compromised. A signature made with a stolen private key is cryptographically indistinguishable from a genuine one, so the certificate would have to be revoked before signature checks could catch the malware. The Taiwanese semiconductor maker could not be reached for comment Friday.
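An added example, not from the article and not code from Siemens, Realtek or Microsoft, of why a leaked signing key is so damaging: the signature stays cryptographically valid, so a loader that only verifies the signature cannot tell the malware from a genuine vendor file; only a trust and revocation decision about the key can. The block uses a Lamport one-time signature over SHA-256 as a standard-library stand-in for the RSA/X.509 Authenticode signatures Windows actually checks; the vendor key pair, the "driver" byte strings and the revocation list are all constructed for the demo.

```python
import hashlib
import secrets

# Lamport one-time signatures over SHA-256: a genuine hash-based signature
# scheme, used here as a standard-library stand-in for the RSA/X.509
# Authenticode signatures Windows checks on drivers. The trust logic is the
# same: a valid signature proves the signer held the private key, nothing more.
N = 256  # one secret pair per bit of the SHA-256 message digest


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def _bits(msg):
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(priv, msg):
    """Reveal one secret per digest bit (a Lamport key must sign only once)."""
    return [priv[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pub, msg, sig):
    """Cryptographic check only: does each revealed secret hash to the public value?"""
    return len(sig) == N and all(
        hashlib.sha256(s).digest() == pub[i][bit]
        for i, (s, bit) in enumerate(zip(sig, _bits(msg)))
    )


def fingerprint(pub):
    """Identifies a signing key, the way a certificate thumbprint does."""
    return hashlib.sha256(b"".join(a + b for a, b in pub)).hexdigest()


def is_trusted(pub, msg, sig, trusted, revoked):
    """Loader policy: valid signature AND trusted signer AND key not revoked."""
    fp = fingerprint(pub)
    return verify(pub, msg, sig) and fp in trusted and fp not in revoked


def demo():
    """Walk through a stolen-key scenario; returns the policy outcomes."""
    vendor_priv, vendor_pub = keygen()   # hypothetical vendor's code-signing key
    vendor_fp = fingerprint(vendor_pub)
    trusted = {vendor_fp}                # the loader's trusted-signer store
    revoked = set()                      # revocation list, empty at first

    # Constructed sample: an attacker who stole vendor_priv signs its own driver.
    malware_driver = b"constructed sample: malicious driver image"
    stolen_key_sig = sign(vendor_priv, malware_driver)
    tampered_driver = malware_driver + b"\x90"

    results = {
        "verifies": verify(vendor_pub, malware_driver, stolen_key_sig),
        "tampered_verifies": verify(vendor_pub, tampered_driver, stolen_key_sig),
        "trusted_before_revocation": is_trusted(
            vendor_pub, malware_driver, stolen_key_sig, trusted, revoked),
    }
    # The only remedy once the key has leaked: the vendor or CA revokes it.
    revoked.add(vendor_fp)
    results["trusted_after_revocation"] = is_trusted(
        vendor_pub, malware_driver, stolen_key_sig, trusted, revoked)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two outcomes that matter are the middle ones: the attacker-signed image passes `verify` and, until the key's fingerprint is added to the revocation list, passes the full loader policy as well. Any modification to the signed bytes is still caught, which is all a signature was ever designed to guarantee.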
In many ways, the virus mimics proof-of-concept attacks that security researchers like Wesley McGrew have been developing in laboratories for years. The systems it targets are attractive to attackers because they can provide a treasure-trove of information about the factory or utility where they’re used.
Back in the old days, when SCADA systems ran unconnected to absolutely anything else, a hardcoded password might not have been such a bad idea: it lets you connect to other bits of off-the-shelf software that insist on a password even when one isn't necessary. And it avoids having lousy software developers write yet another password storage and management package that just breaks when you need it most.
But that was 20 years ago.
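The argument above is that a hardcoded password once looked like a convenience; the practical check today is to find such credentials in your own code and configuration before an attacker does. The following is an added example, not from this post, Siemens or any product, of a small scanner for credential literals in source and config text. The name patterns it looks for are an assumption about how such variables tend to be named, and the lines it scans are constructed for the demo.

```python
import re

# Matches key = "value" / key: 'value' where the key name suggests a credential.
# Assumed naming conventions; extend the alternation for your own code base.
CRED_RE = re.compile(
    r"\b(?P<key>[A-Za-z0-9_.-]*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)"
    r"[A-Za-z0-9_.-]*)\s*[=:]\s*[\"'](?P<value>[^\"']*)[\"']",
    re.IGNORECASE,
)
COMMENT_PREFIXES = ("#", "//", ";", "--", "rem ")


def looks_like_placeholder(value):
    """Empty values and template/env references are not literal secrets."""
    markers = ("${", "{{", "%(", "<", ">", "os.environ", "getenv")
    return value.strip() == "" or any(m in value for m in markers)


def mask(value):
    """Keep two characters so a finding can be matched up without reprinting the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan(text):
    """Return one finding per line that assigns a quoted literal to a credential-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().lower().startswith(COMMENT_PREFIXES):
            continue  # commented-out lines are noise, not live credentials
        for m in CRED_RE.finditer(line):
            if looks_like_placeholder(m.group("value")):
                continue
            findings.append(
                {"line": lineno, "key": m.group("key"), "value": mask(m.group("value"))}
            )
    return findings


# Constructed sample input; not taken from WinCC or any real product.
SAMPLE = """\
db_user = "scada_svc"
db_password = "demo-only-secret"
conn = connect(user=db_user, password=db_password)
api_key = os.environ["API_KEY"]
password: "${DB_PASSWORD}"
# password = "commented-out-value"
smtp_secret = ""
token = 'demo-token-value'
"""


def demo():
    return scan(SAMPLE)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f['line']}: {f['key']} = {f['value']}")
```

Run over the sample it reports only lines 2 and 8: the environment lookup, the `${...}` template, the commented-out line and the empty string are deliberately ignored so the output stays short enough that someone actually reads it.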
The other kinda funny thing about this exploit is that keeping your SCADA system away from the internet isn’t good enough. It’s the USB sticks you have to watch out for.