Re: [foxboro] "Conficker" virus,

Conficker (I think) and other modern virus variants are using other means 
to get onto machines, i.e., "autorun" (I call it auto-hose) on CDs and USB 
sticks -- you know, that thing you thought you could disable in Windows 
but really wasn't disabled (thanks, Microsoft).  You do not have to 
connect your system to the Internet anymore to get infected.

Your statements are valid, but in practical terms there are problems. Yes, 
you can scan the CDs and USB sticks on some sacrificial box and hope 
nothing gets by your scanner(s).  "Hardening" Windows is not an option on 
most systems I have dealt with because it causes massive breakage (not 
necessarily Windows' fault, but that of the entire Windows software 
development mindset).  Patching is not always as easy as it sounds; 
usually the PCS vendor must qualify them before you load them, and even 
then it is more of a "smoke test" than a comprehensive compatibility 
review.  And who has resources to test all those patches in-house before 
loading them, potentially on a hundred or more machines?


I feel a how-stupid-do-you-have-to-be-to-build-a-control-system-on-Windows 
rant coming on, so I'll stop now.


Corey Clingo
BASF Corp.
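Added audit script, not part of the list post or any Foxboro/Invensys material: it reports the AutoRun policy values Windows consults for removable media and whether any mounted removable drive carries an autorun.inf, which is the practical check behind the "you thought you could disable it" remark above. Assumed from memory and worth confirming on your own build: NoDriveTypeAutoRun under the Policies\Explorer key (0xFF disables AutoRun for every drive type) and HonorAutorunSetting, the flag Microsoft's later AutoRun fix added so that the policy is actually honoured; without that fix in place the registry value alone gives false comfort, which is the behaviour the post complains about.

```powershell
# Added example (not from the list post). Run in an elevated PowerShell 2.0+ session.
# Assumed value names: NoDriveTypeAutoRun (bitmask, 0xFF = all drive types) and
# HonorAutorunSetting (flag from Microsoft's AutoRun fix; absent = policy may be ignored).

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty throws when the key or value is missing; treat that as "not set".
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function Test-AutoRunPolicy {
    $findings = @()
    foreach ($path in $policyPaths) {
        $mask  = Get-RegValueOrNull -Path $path -Name 'NoDriveTypeAutoRun'
        $honor = Get-RegValueOrNull -Path $path -Name 'HonorAutorunSetting'

        if ($mask -eq $null) { $maskText = 'not set' } else { $maskText = '0x{0:X2}' -f $mask }
        if ($honor -eq $null) { $honorText = 'not set' } else { $honorText = $honor }
        # All eight drive-type bits must be set for AutoRun to be off everywhere.
        $allOff = ($mask -ne $null) -and (($mask -band 0xFF) -eq 0xFF)

        $findings += New-Object PSObject -Property @{
            Hive                = $path
            NoDriveTypeAutoRun  = $maskText
            AllDrivesDisabled   = $allOff
            HonorAutorunSetting = $honorText
        }
    }
    return $findings
}

function Get-RemovableAutorunInf {
    # DriveType 2 = removable (USB sticks), 5 = CD-ROM. No network access needed.
    $drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 5 }
    $results = @()
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        $results += New-Object PSObject -Property @{
            Drive       = $d.DeviceID
            DriveType   = $d.DriveType
            HasAutorun  = (Test-Path $inf)
        }
    }
    return $results
}

"AutoRun policy state:"
Test-AutoRunPolicy | Format-Table -AutoSize Hive, NoDriveTypeAutoRun, AllDrivesDisabled, HonorAutorunSetting

"Removable media currently mounted:"
Get-RemovableAutorunInf | Format-Table -AutoSize Drive, DriveType, HasAutorun
```

A stick that shows HasAutorun = True is not proof of infection (legitimate installers ship autorun.inf too), but on a box where AutoRun is supposedly off it is exactly the file whose contents you want to read before the media goes anywhere near a production node.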

"Toecker, Michael" <mtoecker@xxxxxxxxxxxx>
Sent by: foxboro-bounce@xxxxxxxxxxxxx
06/15/2009 11:25 AM
Please respond to foxboro@xxxxxxxxxxxxx

To: <foxboro@xxxxxxxxxxxxx>
cc:
Subject: Re: [foxboro] "Conficker" virus,

...which also begs the question why your process control systems have
access to the internet...

I haven't done a Conficker detection on a foxboro system yet.  Most of
the ones available require that you:
1.  Use their product
2.  Currently RUN their product on the system
3.  Can connect to the internet or an AV system for updates.

I've had a decent amount of success with Microsoft's removal tool
(Windows Malicious Software Removal Tool) on other Windows-based DCS.
You can download it from their website.  It has all the files "onboard"
to detect and remove Conficker, you don't have to connect to the
internet for updates.

AND!  All of this is for NAUGHT if you don't PATCH YOUR SYSTEM.  If you
remove it, and other systems are infected, you are likely to be
reinfected within minutes of removing the virus.  I'm not sure if
Foxboro has released an approved system patch and patch procedure for
Conficker...

You should perform this on an isolated test system before trying it in
production to get a feel for what is gonna happen (such as required
reboots).  And, since I'm not the one doing the removal, proceed under
your own risk.

Sincerely,
 
Michael Toecker
Control Systems Security Designer
Compliance & Infrastructure Protection
Burns & McDonnell Engineering
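Added readiness check, not part of the post above and not a Foxboro-approved procedure: before running the removal tool on the isolated test node, it reports which updates from a required list are missing (via Get-HotFix, which reads the local patch inventory and needs no network) and whether the standalone MSRT binary is present, so the "clean it and get reinfected in minutes" case is visible before you start. The one KB in the list, KB958644, is the MS08-067 update that closes the network hole Conficker spreads through; the full set of required updates is whatever your PCS vendor has qualified, so treat the list as a placeholder to be replaced, and assume PowerShell 2.0 or later.

```powershell
# Added example (not from the list post). Offline pre-removal check for an
# isolated Windows DCS node. The KB list below is illustrative; replace it with
# the patch set your PCS vendor has qualified for your release.

function Get-MissingHotfixes {
    param([string[]]$RequiredKBs)
    $installed = @{}
    # Get-HotFix wraps Win32_QuickFixEngineering; it reads local state only.
    foreach ($fix in (Get-HotFix)) { $installed[$fix.HotFixID] = $true }
    return @($RequiredKBs | Where-Object { -not $installed.ContainsKey($_) })
}

function Get-MsrtInfo {
    # The downloaded MSRT installs itself as MRT.exe in System32; its file
    # version tells you which monthly release is on the box.
    $path = Join-Path $env:windir 'System32\MRT.exe'
    if (-not (Test-Path $path)) { return $null }
    $file = Get-Item $path
    return New-Object PSObject -Property @{
        Path        = $path
        FileVersion = $file.VersionInfo.FileVersion
        LastWrite   = $file.LastWriteTime
    }
}

# KB958644 = MS08-067. Add the remainder of the vendor-qualified set here.
$required = @('KB958644')
$missing  = Get-MissingHotfixes -RequiredKBs $required
if ($missing.Count -eq 0) {
    "All required updates are installed."
} else {
    "Missing updates (node will be reinfected over the network if others are infected): " + ($missing -join ', ')
}

$msrt = Get-MsrtInfo
if ($msrt -eq $null) {
    "MRT.exe not found; copy the standalone MSRT download to this node before scanning."
} else {
    "MSRT present: version $($msrt.FileVersion), file dated $($msrt.LastWrite)"
}
```

Run this on the test system first, as the post says, and keep the output: the patch gap and the MSRT release it records are what you compare against after the reboot cycle, and the same script on the production nodes tells you which ones are still exposed before the cleaned machine goes back on the network.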
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             http://www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
 