
New Variant of Havex Malware Scans for OPC Servers at SCADA Systems

At the beginning of the month, a new surge of the Stuxnet-like malware “Havex”, which had previously targeted organizations in the energy sector, was used to carry out industrial espionage against a number of companies in Europe and compromised over 1,000 European and North American energy firms.

Recently, researchers discovered a new variant of the Havex remote access Trojan that can actively scan for OPC (Object Linking and Embedding for Process Control) servers, which are used for controlling SCADA (Supervisory Control and Data Acquisition) systems in the critical infrastructure, energy, and manufacturing sectors.

OPC is a communications standard that allows interaction between Windows-based SCADA or other industrial control system (ICS) applications and process control hardware. The new Havex variant gathers system information and data stored on a compromised client or server using the OPC standard. OPC is pervasive and is one of the most common ICS protocols.

ICS or SCADA systems consist of OPC client software that interacts directly with an OPC server, which works in tandem with the PLC (Programmable Logic Controller) to control industrial hardware.

Once inside the network, the Havex downloader calls the runDll export function and then starts scanning for OPC servers in the SCADA network.
To identify potential OPC servers, the OPC scanner module uses the Windows networking (WNet) functions WNetOpenEnum and WNetEnumResource, which enumerate network resources or existing connections.

Using the OPC scan, the new Havex variant can gather any details about connected devices and send them back to the command-and-control server for the attackers to analyze. It appears that this new variant is used as a tool for future intelligence gathering.
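
As an added example (not from the original article or from any vendor's tooling), the sketch below looks for the behaviour described above within a single process: a call to a DLL export named runDll, followed by WNetOpenEnum and then WNetEnumResource. The trace format, process names and DLL names are assumptions constructed for illustration.

```python
import re

# Constructed API trace in a hypothetical format: time pid image kind detail
SAMPLE_TRACE = """\
10:00:01 412 explorer.exe API WNetOpenEnumW
10:00:01 412 explorer.exe API WNetEnumResourceW
10:02:10 1880 loader.exe EXPORT sample.dll!runDll
10:02:11 1880 loader.exe API WNetOpenEnumW
10:02:11 1880 loader.exe API WNetEnumResourceW
10:02:12 1880 loader.exe API WNetEnumResourceW
10:05:40 2044 backup.exe EXPORT helper.dll!Init
10:05:41 2044 backup.exe API WNetOpenEnumW
10:05:41 2044 backup.exe API WNetEnumResourceW
10:07:00 2310 loader.exe EXPORT other.dll!runDll
10:07:01 2310 loader.exe API WNetEnumResourceW
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (EXPORT|API) (\S+)$")
# After the runDll export call, the WNet calls must appear in this order.
SEQUENCE = ("WNetOpenEnum", "WNetEnumResource")


def find_opc_scan_candidates(trace):
    """Return (pid, module) pairs showing runDll followed by WNet enumeration."""
    progress = {}  # pid -> [module, number of SEQUENCE steps seen so far]
    hits = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        pid, kind, detail = int(m.group(2)), m.group(4), m.group(5)
        if kind == "EXPORT":
            module, _, export = detail.partition("!")
            if export == "runDll":  # export names are case-sensitive
                progress[pid] = [module, 0]
        elif pid in progress:
            state = progress[pid]
            # Prefix match covers the A/W variants of each function.
            if state[1] < len(SEQUENCE) and detail.startswith(SEQUENCE[state[1]]):
                state[1] += 1
                if state[1] == len(SEQUENCE):
                    hits.append((pid, state[0]))
    return hits


if __name__ == "__main__":
    for pid, module in find_opc_scan_candidates(SAMPLE_TRACE):
        print(f"pid {pid}: {module}!runDll followed by WNet enumeration")
```

WNet enumeration on its own is routine Windows behaviour, so the check only flags it when it follows the runDll export call in the same process and in the expected order.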