This evening the DHS ICS-CERT published an alert concerning the Havex RAT publicly reported by the folks at F-Secure with a follow-up article at Arstechnica.com. Both sources provide more information than does ICS-CERT.
The Havex Remote Access Trojan (RAT) has reportedly been used to gather information about industrial control systems. What makes this particular RAT of specific concern is that at least some of the infections detected by F-Secure were pickup up from compromised web sites of control system vendors. F-Secure has not publicly identified the three specific web sites that were compromised.
The interesting comment in the ICS-CERT advisory (beyond the most basic reporting about the RAT) is the notice that they have released a third-party report on the US-CERT secure portal. Hopefully, some of the as of yet ‘unverified’ information in that report is the list of affected web sites.
This is obviously a preliminary effort by ICS-CERT. They report that they are working to:
• Evaluate the install/deployment base of the reported affected vendors
• Provide additional indicators of compromise
• Identify any affected entities in the US
• Reach out to the ICS vendors that were compromised and offer assistance in identifying those customers that may have visited the web site and downloaded the Trojan.
They are also requesting that any organization that feels that they may have been affected by the Havex malware contact ICS-CERT. This will help them identify more details about the problem.