Yesterday I mentioned the recently detected transmission route via project files. This alert addresses infection indicators related to these files, noting:
“In infected projects, the malicious *.sav files are stored in the GraCS subdirectory within a project’s root directory. This can occur in compressed or zipped project files. It appears that the malware specifically looks for demo projects commonly installed as part of the WinCC software. If any of these malicious *.sav files are found, it is likely that the malware has injected malicious stored procedures into one or more of the project’s database files. If any of these malicious *.sav files are detected, please contact ICS-CERT for further assistance [emphasis added].”
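A read-only check for the indicator quoted above, added here as an example and not taken from the ICS-CERT alert or any vendor tool: it lists every *.sav file sitting in a GraCS directory, including inside .zip project archives. The alert as quoted does not name the malicious files, so each hit is only a candidate for review; the sample file and directory names in the code are constructed.

```python
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def _is_gracs_sav(parts):
    """True for a *.sav file sitting directly in a GraCS directory."""
    return (len(parts) >= 2
            and parts[-1].lower().endswith(".sav")
            and parts[-2].lower() == "gracs")


def find_gracs_sav(root):
    """Return candidate paths under root, including members of .zip archives."""
    # Candidates for review only: the advisory does not name the files.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if _is_gracs_sav(full.parts):
                hits.append(str(full))
            elif name.lower().endswith(".zip"):
                try:
                    with zipfile.ZipFile(full) as zf:
                        for member in zf.namelist():
                            parts = PurePosixPath(member.replace("\\", "/")).parts
                            if _is_gracs_sav(parts):
                                hits.append(f"{full}!{member}")
                except (zipfile.BadZipFile, OSError):
                    hits.append(f"{full}!<unreadable archive>")
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample data: one loose hit, one zipped hit, two non-hits."""
    proj = Path(base) / "DemoProject"
    (proj / "GraCS").mkdir(parents=True)
    (proj / "GraCS" / "example.sav").write_bytes(b"constructed")
    (proj / "GraCS" / "picture.pdl").write_bytes(b"constructed")
    (proj / "other.sav").write_bytes(b"constructed")
    with zipfile.ZipFile(Path(base) / "backup.zip", "w") as zf:
        zf.writestr("Proj2/GraCS/example2.sav", b"constructed")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_gracs_sav(build_sample_tree(tmp)):
            print(hit)
```

Archives that cannot be opened are reported rather than skipped, since their contents could not be checked.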