SANS ICS Summit

Project MIMICS

Agenda

• Hypothesis 1: Lots of infected ICS software online (non-targeted)

• Hypothesis 2: Public reports contribute to discoveries of threats

• Hypothesis 3: ICS-themed malware/intrusions are not uncommon

• Hypothesis 4: Untrained IT security teams/product submit sensitive ICS files

Example of the known: NCCIC / ICS-CERT Year in Review (FY 2015)

[Pie chart: FY 2015 Incidents by Infection Vector (295 total). Categories: Other, Brute Force, Abuse of Authorized Access, Weak Authentication, SQL Injection, Spear Phishing, Network Scanning, Unknown. Slice values shown: 37%, 37%, 9%, 6%, 6%, 3%, 1%, 1% (slice-to-category mapping not preserved in the extracted text).]

[Pie chart: FY 2015 Observed Depth of Intrusion. Levels: Level 6 - Critical Systems, Level 5 - Critical System Management, Level 4 - Critical System DMZ, Level 3 - Business Network Management, Level 2 - Business Network, Level 1 - Business DMZ. Slice values shown: 78%, 13%, 8%, 1%, 0%, 0% (slice-to-level mapping not preserved in the extracted text).]

MIMICS: Malware in Modern ICS

• Only public data: VirusTotal.com

• Malware repository used by “the Internet” to test files against 50+ antivirus vendors

• Also used Google, DNS data, etc.

• Purpose of the research is census-like data

• Explore the hypotheses to give real data points without hype or fear

ICS Kill Chain

Stage 1 - Intrusion

• Reconnaissance

• Targeting / Weaponization

• Delivery

• Exploit

• Install / Modify

• C2

• Act: Discovery, Capture, Movement, Collect, Install & Execute, Exfiltrate, Launch, Clean & Defend

Stage 2 – ICS Attack

• Develop

• Test

• Deliver

• Install / Modify

• Execute ICS Attack

• Sub-labels shown alongside the attack steps: Enabling, Initiating, Supporting; Trigger, Deliver, Modify, Inject, Hide, Amplify

Words matter

• Malware is not a virus but

• A virus is malware

• A virus can infect

• A trojan can compromise

[Taxonomy diagram: Malware → Virus | Trojan; Trojan → Dropper, Downloader]

Virus

• Self propagating

• Functionality:

• PE Infectors

• Network / removable media

Trojan

• User interaction

• Functionality

• Command & Control

• Arbitrary command execution (full control)

PE Infector Virus (simplified)

[Diagram: Microsoft Portable Executable (PE or “.exe”) file structure before and after infection. Clean file: Header, Code, Section 1..n. Infected file: Header, Code, Section 1..n, Virus (appended). The header field highlighted is AddressOfEntryPoint, which the PE infector redirects so that its appended code runs first.]
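
The diagram above shows the two things an appending PE infector changes: a new body at the end of the file and a rewritten AddressOfEntryPoint. The following is an added example, not code from the slides or from Dragos: a minimal PE header parser plus a heuristic that reports when the entry point lands in the last section, in a section that is both writable and executable, or outside every section. The two images it inspects are constructed in memory (headers only, no real code); the section name ".virus" and the flag values are chosen for the demo.

```python
"""Entry-point heuristic for appended PE infectors (added example, not from the slides)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return AddressOfEntryPoint and the section table of a raw PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        name, vsize, vaddr, rsize = fields[0], fields[1], fields[2], fields[3]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "size": max(vsize, rsize),  # cover both the mapped and the on-disk extent
            "chars": fields[9],
        })
    return {"entry": entry, "sections": sections}


def entry_point_findings(pe: dict) -> list:
    """Heuristic findings about where execution starts; an empty list means nothing odd."""
    secs = pe["sections"]
    hits = [i for i, s in enumerate(secs)
            if s["vaddr"] <= pe["entry"] < s["vaddr"] + s["size"]]
    if not hits:
        return ["entry point lies outside every section"]
    i, s = hits[0], secs[hits[0]]
    findings = []
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is not executable")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is writable and executable")
    if len(secs) > 1 and i == len(secs) - 1:
        findings.append(f"entry point is in the last section {s['name']!r} (appended code?)")
    return findings


def build_pe(sections, entry: int) -> bytes:
    """Construct a header-only PE32 image for the demo; sections are (name, vaddr, size, chars)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one with an appended W+X section that owns the entry point.
CLEAN = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                  (".data", 0x3000, 0x1000, 0xC0000040)], entry=0x1200)
INFECTED = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                     (".data", 0x3000, 0x1000, 0xC0000040),
                     (".virus", 0x4000, 0x800, 0xE0000020)], entry=0x4010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_findings(parse_pe(image)) or "no findings")
```

Packers and some linkers also put the entry point in a late or writable section, so the findings are triage hints to pair with an AV verdict and a hash lookup, not a verdict on their own.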

Trojan and related activities

[Diagram: Dropper / Downloader → Stage 1 Payload → Stage 2 Payload (Remote Access Trojan, Command & Control) → Stage 3 Payload (Remote Access Trojan, Command & Control)]

Aggregated Data

15,000 samples over ~3 months

Hypothesis 1

• Non-targeted intrusions/malware in ICS is far more common than realized

[Histogram: Detect Rate (log scale). x-axis: Number of detections; y-axis: Number of files. One cluster is annotated “Low hit rate”, the other “High hit rate”.]

Number of detections (all files):

count 14949.000000
mean 6.338484
std 15.635142
min 0.000000
25% 0.000000
50% 0.000000
75% 0.000000
max 57.000000

Detect Rate with positives > 0:

count 3157.000000
mean 30.013937
std 21.142954
min 1.000000
25% 2.000000
50% 46.000000
75% 48.000000
max 57.000000

Compare by vendor

Most Common Detections

Name      Count   Trojan   Virus-like (PE Infector)   Virus-like (storage hopping)   Approximate First Seen
sivis     15863   ❔       ✅                          ✅                              2012
lamer     6830    ❔       ✅                          ✅                              2012
ramnit    3716    ✅       ✅                          ✅                              2011
sinowal   2909    ✅       ❌                          ❌                              2006
cosmu     2769    ✅       ✅                          ✅                              2013
virut     1814    ✅       ✅                          ✅                              2007
eldorado  1554    ❔       ❔                          ❔                              2012
skeeyah   1486    ✅       ❔                          ❔                              2015
androm    1471    ✅       ❌                          ❌                              2013
sality    1225    ❔       ✅                          ✅                              2003
zatoxp    1093    ❌       ✅                          ✅                              2012
neshta    1085    ❌       ✅                          ❌                              2008
nimnul    963     ✅       ✅                          ✅                              2013
visisig   905     ❔       ✅                          ✅                              2012
siggen    642     ❌       ✅                          ✅                              2012
graftor   586     ❌       ✅                          ✅                              2012
virtob    468     ✅       ✅                          ✅                              2007
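
A table like the one above only exists after the per-engine labels have been reduced to family names: every VirusTotal engine names the same family differently ("Virus.Win32.Sality.aa", "W32/Sality.gen", "Win32:Sality-GR"). The following is an added example, not code from the slides or from Dragos, of that normalisation step and of counting one vote per sample. The generic-token list and the alias map are this example's own heuristics, and the result set is constructed with made-up engine names and placeholder hashes.

```python
"""Collapse vendor-specific AV labels into one family name per sample (added example)."""
import re
from collections import Counter

# Tokens that name a type, platform or confidence level rather than a family (heuristic list).
GENERIC_TOKENS = {
    "virus", "trojan", "worm", "backdoor", "downloader", "dropper", "agent",
    "win32", "w32", "win", "pe", "gen", "generic", "variant", "heur",
    "malware", "malicious", "suspicious", "unsafe", "file", "infector",
}
# The same family under different vendor names (Kaspersky's Nimnul is Microsoft's Ramnit).
ALIASES = {"nimnul": "ramnit"}


def family_from_label(label):
    """Return the family token of a detection label, or None if only generic words remain."""
    if not label:
        return None
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if len(tok) > 2 and tok not in GENERIC_TOKENS and not tok.isdigit():
            return ALIASES.get(tok, tok)
    return None


def family_counts(results):
    """results: {sample_id: {engine: label or None}}. One vote per sample for its majority family."""
    totals = Counter()
    for engines in results.values():
        votes = Counter(f for f in map(family_from_label, engines.values()) if f)
        if votes:
            totals[votes.most_common(1)[0][0]] += 1
    return totals


# Constructed sample: five files, three engines, labels modelled on real vendor naming styles.
SAMPLE_RESULTS = {
    "sha1-placeholder-1": {"EngineA": "Virus.Win32.Sality.aa", "EngineB": "W32/Sality.gen", "EngineC": None},
    "sha1-placeholder-2": {"EngineA": "W32.Virut.CF", "EngineB": "Virus.Win32.Virut.ce", "EngineC": "Win32/Virut.NBP"},
    "sha1-placeholder-3": {"EngineA": "Win32:Sality-GR", "EngineB": None, "EngineC": "Virus.Sality.gen"},
    "sha1-placeholder-4": {"EngineA": None, "EngineB": None, "EngineC": None},
    "sha1-placeholder-5": {"EngineA": "Trojan.Win32.Generic!BT", "EngineB": "W32/Ramnit.a", "EngineC": "Virus.Win32.Nimnul.a"},
}

if __name__ == "__main__":
    for family, n in family_counts(SAMPLE_RESULTS).most_common():
        print(f"{family:10s} {n}")
```

A sample with only generic labels ("Trojan.Win32.Generic!BT") contributes nothing on its own, which is the intended behaviour: it is a detection, but it tells you nothing about which family to count.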

PE Infectors you should care about

VIRUT

• Portmanteau “Virus” + “Trojan”

• C2 via IRC

• Doesn’t need IRC to spread through environment

• Infects current processes

Sality

• Botnet / Peer2Peer C2*

• Pay per install / Downloader

• Rootkit

• Infects current processes and executables on local/removable/network drives

* http://www.christian-rossow.de/publications/p2pwned-ieee2013.pdf

Aggregated Data: Key Takeaways

• PE Infectors are a real vector

• VIRUT and Sality in particular are modern PE Infectors that rarely get discussed

Looking at what we already know

Hypothesis 2

• Public reports contribute to ICS threat discoveries

[Timeline figure: Havex submissions to VirusTotal by date and submitter country, set against the public reports. Reports marked: F-Secure blog post (June 23 2014), TrendMicro blog post uncovering OPC Havex (July 14 2017), FireEye blog post uncovering OPC Havex (July 17 2017). Submission marks, in the order they appear: June 23 2014 UA, June 26 2014 UA, July 2 2014 KR & UA, July 8 2014 UA, July 15 2014 KR, July 1 2014 (from US), April 17 2014 FI (from ZZ), June 29 2014 RU, Dec 4 2014 ES, July 2-3 2014, Jan 06 2016 IL.]

BlackEnergy

“[..] attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.”

KillDisk (sha1: f3e41eb94c4d72a98cd743bbb02d248f510ad925)

Datetime (UTC+2)      File name                    Source          Country
2015-12-24 00:34:19   tsk.exe                      73805832 (web)  UA
2015-12-24 08:28:39   tsk.exe                      883db971 (web)  UA
2015-12-24 11:00:52   E:\Дмитрий\sample\tsk.exe    725be15c (api)  UA

Hash (SHA1)                                 Upload date (GMT)   Country of origin
f3e41eb94c4d72a98cd743bbb02d248f510ad925    12/23/15            UA
8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569    11/10/15            UA *u
16f44fac7e8bc94eccd7ad9692e6665ef540eec4    10/25/15            UA & FR * n
2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1    11/6/15             UA *u
0B4BE96ADA3B54453BD37130087618EA90168D72    11/10/15            UA *u

KillDisk and BlackEnergy Are Not Just Energy Sector Threats. Trend Micro. February 11, 2016.

New Things

Hypothesis 3

• There are ICS themed intrusions/malware currently undiscovered or underreported by non-ICS security companies

NMMSS Theme

Siemens themed downloader

• Downloader with Siemens theme embedded in vs_versioninfo

• In wild since at least 2013

• Last observed March 2017

• Over 10 binaries located

Behavior

[Diagram: Execute Stage 1 Payload → HTTP request for /vip.htm → Decrypt / read Stage 1 → Download / execute → further requests for /vip.htm → Stage 2 Payload(s)]

Stage 1 request as observed:

Get /vip.htm HTTP/1.1
Content-Type: text/html
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
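
The only network observables the slide gives for this downloader are the path /vip.htm and the User-Agent string. That User-Agent is the default of the Indy (Delphi) HTTP component and is shared by plenty of legitimate software, so a match on it alone is weak evidence; path and User-Agent together are much stronger. The following is an added example, not code from the slides or from Dragos, of a proxy-log scan that scores lines with exactly that distinction. The log format, the ".invalid" hostnames and the sample lines are constructed for the demo.

```python
"""Score proxy-log lines against the stage-1 request of the Siemens-themed downloader (added example)."""
import re
from urllib.parse import urlsplit

INDY_UA = "Mozilla/3.0 (compatible; Indy Library)"  # from the slide
STAGE1_PATH = "/vip.htm"                             # from the slide

# Constructed log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def classify(line):
    """Return (confidence, parsed fields) for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than guess
    fields = m.groupdict()
    path_hit = urlsplit(fields["url"]).path.lower() == STAGE1_PATH
    ua_hit = fields["ua"] == INDY_UA
    if path_hit and ua_hit:
        return "high", fields       # both indicators from the slide
    if ua_hit or path_hit:
        return "low", fields        # shared Delphi UA, or a generic path, on its own
    return None


def scan(lines):
    """Scan an iterable of log lines; returns [(confidence, client, url)], high-confidence first."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            confidence, f = result
            hits.append((confidence, f["client"], f["url"]))
    return sorted(hits, key=lambda h: 0 if h[0] == "high" else 1)


# Constructed proxy log: one stage-1 fetch, one Delphi app with the same UA, normal traffic, one broken line.
SAMPLE_LOG = [
    '2017-03-01T08:00:01Z 10.1.5.23 GET http://example.invalid/vip.htm 200 "Mozilla/3.0 (compatible; Indy Library)"',
    '2017-03-01T08:00:05Z 10.1.5.40 GET http://updates.example.invalid/check.php 200 "Mozilla/3.0 (compatible; Indy Library)"',
    '2017-03-01T08:00:09Z 10.1.5.23 GET http://www.example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0"',
    'garbage line without the expected fields',
]

if __name__ == "__main__":
    for confidence, client, url in scan(SAMPLE_LOG):
        print(f"{confidence:5s} {client:12s} {url}")
```

The low-confidence hits are worth keeping as context: the host that later fetches /vip.htm is the one whose earlier Indy-UA traffic you will want to look at.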

Submissions (month/year): 11/2013, 12/2013, 1/2014, 2/2014, 3/2014, 3/2014, 7/2014, 10/2016, 11/2016 (2x)

Manual.exe

• SerialLineUseManual.exe (serial comms?)

• Air precision elt 96 maintenance manual.exe (avionics)

• syncmemanual.exe (?)

• baofeng uv_100 manual.exe (talk radios)

• Breville bb290 manual.exe (bread oven)

• Steris_harmony_lc_manual.exe (medical equipment)

• garmin_gps_48_12_channel_manual.exe (GPS)

• bendix_westinghouse_ba-921_manual.exe (air brake system compressor)

Mass Mailer

www.download.windowsupdate.com

abs-wi.com

accolades-inc.com

acs-hro.com

ca.abb.com

[...]

carlyle.com

cat.com

cma.ca

comcast.net

e2etec.com

ct.gov

districtoffice.org

dcrsystems.net

entoend.com.mx

erinsystems.com

emerson.com

fi.fujitsu.com

Mass Mailer

• Heavily obfuscated

• Generates legitimate traffic

• Modifies proxy settings

• Relaxes firewall settings

• Beacons out to hosts on subnet 91.220.131.0/24 via encrypted UDP traffic

Reasons to mass mail:

• Viagra and similar unsolicited spam

• Pay per Install, Malicious attachments (banking crimeware, adware)
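
Two of the behaviours listed for the mass mailer show up in flow data without any payload inspection: regularly timed UDP flows into 91.220.131.0/24, and one workstation opening TCP/25 to many distinct mail servers (the domain list above is what that fan-out looks like from the other side). The following is an added example, not code from the slides or from Dragos, of both checks over flow records. The record format, the thresholds (three flows, coefficient of variation of 0.2, five SMTP destinations) and the sample records are constructed for the demo; only the subnet comes from the slide.

```python
"""Flow-level checks for UDP beaconing and SMTP fan-out (added example, not from the slides)."""
import ipaddress
import statistics
from collections import defaultdict

BEACON_NET = ipaddress.ip_network("91.220.131.0/24")  # from the slide


def parse_flows(lines):
    """Constructed format: epoch_seconds src_ip dst_ip proto dst_port bytes."""
    flows = []
    for line in lines:
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_udp_beacons(flows, min_flows=3, max_cv=0.2):
    """Sources with at least min_flows UDP flows into BEACON_NET whose inter-arrival times
    are regular (coefficient of variation <= max_cv). Both thresholds are assumptions."""
    times = defaultdict(list)
    for f in flows:
        if f["proto"] == "UDP" and ipaddress.ip_address(f["dst"]) in BEACON_NET:
            times[f["src"]].append(f["ts"])
    beacons = {}
    for src, ts in times.items():
        ts.sort()
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons[src] = {"flows": len(ts), "period_s": mean}
    return beacons


def find_smtp_fanout(flows, min_dsts=5):
    """Sources talking TCP/25 to at least min_dsts distinct destinations; a relay client hits one."""
    dsts = defaultdict(set)
    for f in flows:
        if f["proto"] == "TCP" and f["dport"] == 25:
            dsts[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_dsts}


# Constructed flow log: 10.0.0.5 beacons every 600 s and fans out over SMTP;
# 10.0.0.8 (irregular UDP) and 10.0.0.9 (mail via the internal relay 10.0.0.2) are benign.
SAMPLE_FLOWS = parse_flows([
    "1000 10.0.0.5 91.220.131.17 UDP 8443 120",
    "1600 10.0.0.5 91.220.131.17 UDP 8443 120",
    "2200 10.0.0.5 91.220.131.17 UDP 8443 124",
    "2800 10.0.0.5 91.220.131.17 UDP 8443 120",
    "1000 10.0.0.8 91.220.131.9 UDP 53 80",
    "1010 10.0.0.8 91.220.131.9 UDP 53 80",
    "5000 10.0.0.8 91.220.131.9 UDP 53 80",
] + [f"{1100 + i} 10.0.0.5 198.51.100.{i} TCP 25 900" for i in range(1, 7)]
  + [f"{1200 + i} 10.0.0.9 10.0.0.2 TCP 25 1400" for i in range(5)])

if __name__ == "__main__":
    print("UDP beacons:", find_udp_beacons(SAMPLE_FLOWS))
    print("SMTP fan-out:", find_smtp_fanout(SAMPLE_FLOWS))
```

The subnet match is the brittle half (the operators can move), while the periodicity and fan-out checks describe the behaviour and keep working after a change of infrastructure; in practice the subnet list is the part you refresh from reporting.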

Cracking and reversing community

Warez

User Behavior & Poor Operations Security

Hypothesis 4

• Non-ICS security trained teams and IT security products are submitting legitimate ICS software and files to public databases

Weird hypocrisy: you don’t trust your AV but you do trust 50 other AV companies?

Project files

~120 project files over the course of ~90 days

• Speed Control BOM.rfq

• LogixDiagnostics.ACD

• LCS24.RSS

• DRIVE_CONTROL_ML1100_PF4CLASS-EN-DRV_CTRL-C0_07.RSS

• Rizhao_tertiary.RSS

• H:\Simple Systems\PBR\PB&R_ML1100_PF40-EN-PBR_PF40-C0_07.RSS

• C:\Users\Wu.Charlene\Downloads\8110409835_HMI_PAR_Line9_v1_04.mer

• Untitled.RSS

Data files

Installers

Scan your public content

One electric utility began routinely uploading its entire public website to VirusTotal in 2012: 136 files indexed on VT.

Program Files

In Conclusion

Virus propagation in ICS: measured in 10^4

ICS Themed: measured in 10^1

ICS Tailored: 3 (still)

Key Takeaways

• You’re more likely to be impacted by Virut than by Stuxnet

• ICS themed malware (but not enabled) is definitely a thing

• VirusTotal is useful to shed light on specific campaigns post facto

• Supply chain weakness through legit binaries

Practices

Things to do

• Use VT as a data source

• Have suspected and confirmed malware handling guidance/processes

Things NOT to do

• Treat VT as a whitelist

• Treat VT as a blacklist

• Use VT to validate your AV

• Allow your outsourced teams (IT security or AV) to make decisions about your data

Questions?


Stay in Touch: Dragos.com