Cyphort Labs has taken a closer look at the malware’s capabilities to assess the risk posed by the most recent ICS malware and shed light on what future variants could bring so ICS operators can take proactive measures to protect their systems against future variants of Havex RAT attacks.

 

Havex.RAT is likely a tool for the reconnaissance phase of a larger campaign against industrial control systems. Comparing to a typical malware targeting Windows endpoints, Havex.RAT is not heavily code-protected. The fact that it can achieve infection success should set off strong warning to all ICS operators. Furthermore, we recommend that ICS implementers carefully consider the security implication of frameworks such as COM/DCOM when they are adopted and integrated into control systems, as illustrated by the OPC interface for ICS.

 

Havex has previously been covered from various aspects [1, 2]. It is used in a campaign dubbed Energetic Bear, also known as Dragonfly, as a remote access trojan that steals sensitive information from infected machines. Interestingly Havex includes a module that can spy on other ICS devices in the same network that the infected machine resides on, which clearly qualifies it as an industrial espionage tool.

 

Based on current reports, Havex victims were infected via spearphishing e-mails, waterhole attacks via well-reputed industry websites and trojanized software. Such trojanized software includes original software distributions or updates from compromised ICS vendor websites, which were injected with malicious code. When potential victims downloaded the trojanized software for their ICS equipment, they end up unknowingly installing Havex.RAT on their machines.

 

The infection vectors clearly indicate that the attack was aiming at a specific industry, i.e. ICS, if not a very specific company.

 

A HAVEX INFECTION

 

An initial peak at one of the known Havex infectors reveals a GUI application, which is obviously a piece of management software created by one of the compromised ICS device vendors. Unnoticed by the potential victim, the same GUI application drops a malicious DLL into the local TEMP directory and launches it using Windows’ rundll32.exe. By visualizing the malware’s execution trace, one can gain insights on how Havex infiltrates infected machines.

 havex-1

Figure 1 – ProcMon Visualization – red equals write, green means read access

 

  The malware’s DLL is written in object oriented C++ and multi-threaded. The analyzed dropper is a compromised version of the commercial software mbcheck.exe and drops a malicious DLL in the systems %TEMP% directory, namely mbcheck.dll. This DLL is executed using rundll32.exe from Windows and injects itself to the systems explorer.exe process.

 

The malware will copy its malicious DLL to the system directory, named svcprocess043.dll and set a registry key named svcprocess under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to start it at system start (rundll32 “C:\WINDOWS\system32\svcprocess043.dll”, RunDllEntry).

 

A CLOSER LOOK

 

The malware is capable of enumerating network resources using the Win32 APIs WNetOpenEnumW, WNetGetUniversalNameW, WNetEnumResourceW and WNetCloseEnum from mpr.dll. This way it can enumerate all available resources on the network.

 havex-2-300x269

Figure 2 – WNetOpenEnum to search for all available resources

 

The malware searches for OPC servers and OPC tags among the detected resources. OPC stands for OLE Process Control and is a way for Windows operating system to interact with process control hardware. No functionality to directly interact with such components was found in the analyzed binary. So this suggests that the Havex sample under examination is mainly designed for discovery of and access to ICS systems.

 

A definition of OPC is available at [3]:

 

OPC is implemented in server/client pairs. The OPC server is a software program that converts the hardware communication protocol used by a PLC (Programmable Logical Controller) into the OPC protocol. The OPC client software is any program that needs to connect to the hardware, such as an HMI (Human Machine Interface). The OPC client uses the OPC server to get data from or send commands to the hardware.

 

OPC is an open standard, which allows for individuals to implement custom client software to interact with their hardware components. Communication happens via an abstraction layer that eases translation of commands.

 

In 2009 the OPC Foundation published the OPC Unified Access standard [4], which elevates OPC to state-of-the-art web services technology that includes a dedicated security module.

 

Whatsoever be the reason, prior OPC implementations depend heavily on Windows COM/DCOM as operating system interface. COM/DCOM stands for Component Object Model / Distributed Component Object Model and describes a protocol for communication between entities across the network. Due to this dependency, OPC COM/DCOM implementations also inherit the security configuration of Windows’ COM/DCOM.

 

With involvement of client implementations and dependency on operating system configurations, security of OPC in many cases does not comply with the requirements of today’s ICS systems. Extended systems interoperability is often achieved on the cost of security.

 

HAVEX’ HUNGER FOR ICS DATA

 

For enumeration of OPC components the malware uses the following CLSID/UUID.

 

CATID_OPCDAServer10   = {63D5F430-CFE4-11d1-B2C8-0060083BA1FB}

 

CATID_OPCDAServer20   = {63D5F432-CFE4-11d1-B2C8-0060083BA1FB}

 

CATID_OPCDAServer30   = {CC603642-66D7-48f1-B69A-B625E73652D7}

 

CLSID_OPCServerList   = {13486D51-4821-11D2-A494-3CB306C10000}   IID_IOPCServerList2   = {9DD0B56C-AD9E-43ee-8305-487F3188BF7A}

 

IID_ISupportErrorInfo = {df0b3d60-548f-101b-8e65-08002b2bd119}

 

IID_IOPCServer   = {39C13A4D-011E-11D0-9675-0020AFD8ADB3}

 

IID_IOPCBrowseServerAddressSpace = {39C13A4F-011E-11D0-9675-0020AFD8ADB3}

 

IID_IOPCItemProperties = {39C13A72-011E-11D0-9675-0020AFD8ADB3}

 

IID_IOPCBrowse = {39227004-A18F-4b57-8B0A-5235670F4468}

 

IID_IOPCEnumGUID = {55C382C8-21C7-4e88-96C1-BECFB1E3F483}

 

The collected information is saved in the form of a text-based logfile in the systems %TEMP% directory, derived from the environment. We can confirm that the following bits of information are logged:

 
  •         Network entities UNC paths
  •         Thereof OPC servers
  •         Class ID
  •         User type
  •         Server version
  •         OPC version support
  •         Server state
  •         Group count value
  •         Server bandwidth
  •         OPC Tags on the network
 havex-3

Figure 3 – Havex writing its logfile

 

Our analysts found that Havex includes code fragments of the OPC Data Access framework, which describes how an OPC client should communicate to a given server in real-time. More specifically the structure of opcda.h could be identified, similar to the version found in [5].

 

OPC DA is a group of specifications, which define communication of real-time data from data acquisition devices such as PLCs. Next to OPC DA there are other groups, such as HDA (Historical Data Access) for requesting non-real-time data and AE (Alarms and Events) for processing event triggered signaling.

 havex-4

Figure 4 – Opcda.h structures reconstructed in the Havex DLL

 

Given that OPC specifications and client implementations are publicly available, extending the spying capabilities of Havex or creating similar variants would be trivial. As OPC is designed to provide interoperability across a large number of proprietary ICS protocols, OPC server interface naturally presents a massive attack surface for targeting ICS systems. Besides the information exfiltration threat seen in the Havex sample, there seems to be little research as to the risk of ICS components being controlled through the OPC interface. Granular access control with strong authentication at the OPC interface is always a good security practice in ICS system design and implementation.

 

CONCLUSION

 

The structure of the Havex binary and its system infiltration techniques resembles very much of those found in a typical Windows malware. The ICS spying module uses publically available code and shows no means of self-protection. The fact that such a low-sophistication ICS malware can still achieve successful infections without being detected should set off alarms for most ICS operators. That the malware focuses on data exfiltration suggests that it is likely part of the reconnaissance phase of a campaign. However, we anticipate that similarly designed malware with extended ICS modules will be capable of causing a lot more damage beyond information gathering.

 

Regardless, this variant of ICS malware can only affect implementations of OPC that still rely on COM/DCOM which does not implement strict access control with strong authentication. To research further on proper security configuration of COM/DCOM components, we recommend starting with the official Microsoft documentation [6].

 

While use of NT based system in mission-control system was once a very controversial issue, Microsoft has made great strides in enhancing the security of the Windows operating systems, notably starting with Windows 7. However, based on the analysis of Havex.RAT and how it exploits OPC interface in collecting ICS information, we recommend a security audit of frameworks such as COM/DCOM before adopting and/or integrating tem into other control systems, as illustrated by the OPC interface for ICS. -by Marion Marschalek and McEnroe Navaraj

 

SOURCES

 

[1] F-Secure

http://www.f-secure.com/weblog/archives/00002718.html

[2] Crowdstrike

http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf

[3] OPC Definition

http://www.opcdatahub.com/WhatIsOPC.html#note4

[4] OPC Unified Access Specification

http://www05.abb.com/global/scot/scot271.nsf/veritydisplay/75d70c47268d78bfc125762d00481f78/$file/56-61%203m903_eng72dpi.pdf

[5] OPCDA.h

http://opcgw.googlecode.com/svn/trunk/OPC%20Server/OPCDA.h

[6] COM/DCOM Security

http://msdn.microsoft.com/en-us/library/aa910590.aspx