Wednesday, October 8, 2014

Havex Targets OPC

Posted by Aron Semle

You may have heard of the new malware on the street targeting Industrial Control Systems called Havex. It isn't the first malware to target our industry (Stuxnet), but there are two things that make it interesting.

First, its primary attack vector is vendor installers. The folks behind Havex compromise vendors’ websites and add “bad” code to the vendor installer (“mbcheck.dll” and “mbcheck.exe”). Customers download the installer and become instantly infected. The Trojan calls to command and control servers, which are really just compromised websites (like blogs). From there, the hackers have free reign to push bad code down to the machine.

The second thing that makes this malware interesting iStock_000020785695Small_Gris that it looks for OPC servers. It scans the local network for OPC products, records the information (such as IP, host, and CLSID), and sends it back to the hackers. It essentially profiles the control system, which is critical when attacking a system: it's like having a Google Map of the network. They can choose what, how, and when to attack.

To avoid the Havex threat, we recommend that you get your product download from our website at You can also confirm that the installation you are downloading is authentic by verifying the digital thumbprint. For more information, refer to the instructions below.

  1. To start, right-click on the installation executable and then select Properties.
  2. Next, open the Digital Signatures tab.
  3. In Signature List, select Kepware Technologies. Then, click Details.
  4. In Digital Signature Details, click View Certificate. Then, open the Details tab.
  5. Make sure that Show is set to <All>. Then, select Thumbprint. The value displayed depends on the version of the product. For up-to-date digital thumbprints, refer to Kepware's How Do I Ensure That My Installation Is Valid? Knowledge Base article. If a thumbprint is needed for a version that is not listed, please contact Kepware's Technical Support team through the My Kepware customer self-service portal.

At Kepware, we understand cyber security is crucial to control systems. We'll continue helping you safeguard your process against malicious threats and malware like Havex.