Saturday, November 05, 2011

Duqu - Son of Stuxnet

Duqu, a new malware using the same techniques as Stuxnet, has been found infecting systems in Europe.

Though similar to Stuxnet, there are some differences:

1) It does not self-replicate in order to spread itself. Therefore, it is not a worm.

2) It does not contain a destructive payload that damages the hardware. Instead, it is designed to conduct reconnaissance to gather intelligence that can later be used to conduct a targeted attack on the control system.

3) It removes itself after 36 days.

There is some speculation that this malware (or something similar) was used as a precursor to gather intelligence for the Stuxnet attacks in Iran.

Wired Magazine Article

Symantec Report

Forbes Article

BBC Article

Posted by Don Willbanks at 8:43 PM
Categories:

Tuesday, May 03, 2011

Stuxnet PLC Virus Update

4/11/2011, Siemens info regarding Stuxnet:

http://support.automation.siemens.com/WW/view/en/43876783

If the link doesn't work, cut and paste it into your browser.

3/2011, Ralph Langner's TED Talk:

http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html

2/15/2011, Colbert on Stuxnet:

http://www.colbertnation.com/the-colbert-report-videos/374401/february-15-2011/david-albright

Symantec Dossier on Stuxnet:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Symantec Video (a little lame):

http://www.youtube.com/watch?v=cf0jlzVCyOI&feature=player_embedded

1/16/2011, New York Times article states that Stuxnet was developed by Israel and targeted PLCs involved in Iran's nuclear weapons program:

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

10/6/2010, Early Forbes article:

http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html

9/24/2011, Early Bloomberg video (with inaccurate descriptions, but interesting anyway):

http://www.bloomberg.com/video/63225920/

Posted by Don Willbanks at 6:45 PM
Edited on: Tuesday, May 03, 2011 7:57 PM
Categories: Software, Tips

Monday, December 20, 2010

Problem Opening Links in Microsoft Outlook when Firefox is the Default Browser

When opening links in Microsoft Office with Firefox as the default browser, you may get an error message similar to "general failure the url was application not found". The link may or may not open.

To fix, in Windows XP:

1. Open Windows Explorer (or My Computer).

2. Go to Tools -> Folder Options -> File Types

3. Select Extension: "(NONE)" File Type: "URL:HyperText Transfer Protocol"

4. Click "Advanced". In the "Edit File Type" window, select "open" and click "Edit"

5. Uncheck "Use DDE" (the dialog should then hide the lower part).

6. Click OK for that dialog and the next one (afterwards, the "Use DDE" box is still checked but the "DDE Message" box will be cleared, as shown here)

7. Repeat for Extension: "(NONE)" File Type: "URL:HyperText Transfer Protocol with Privacy" (and any other protocols you want to fix)

8. Repeat for Extension: "(NONE)" File Type: "Firefox URL"

9. Repeat for Extension: "HTM" (or "HTML") File Type: "Firefox Document"

Posted by Don Willbanks at 11:06 AM
Categories: Tips

Friday, September 10, 2010

Network Tools

Look At Lan

This network discovery tool quickly scans your network and displays a list of devices it finds.

NetSetMan

Manages network settings for various networks. It's much easier to set up than IPConfig and can save multiple configurations.

inSSIDer

Wireless scanning tool similar to NetStumbler, but easier to use.

Posted by Don Willbanks at 4:47 PM
Edited on: Friday, September 10, 2010 5:03 PM
Categories: Software, Tips

Monday, June 21, 2010

Sullair eConnect/PanelView Notes

Application note for A-B PanelView 600 Plus to communicate with Sullair eConnect using Modbus protocol.

PanelView Info

1. Install FT View ME Studio on PC.

2. Install KEP Server Enterprise on PC (all drivers).

3. PanelView Settings:

a. 192.168.2.10

b. 320 x 240 screen size

4. Need to flash PV firmware: c:\Program Files\Rockwell Software\RSView Enterprise\FUPs. Make sure “Ethernet” is selected on Kepware drivers.

5. When upgrading firmware, got “not enough memory” message. Had to change PV startup configuration to “go to configuration screen” instead of “loading and running application”.

6. Apparently, the Kepware configuration is the only thing that affects the PanelView communications setup, not the RSLinx Enterprise settings as would normally be the case. After any changes to Kepware, the application must be recompiled.

Sullair Info

1. eConnect design company: ICC Designs, 608-831-1255

2. eConnect card had different IP settings than shown in the book. Used HyperTerminal to change them to match the book.

3. HyperTerminal settings for connection: 38400 / 8 / none / 1 / hardware

4. IP address settings for eConnect: 192.168.1.2 / 255.255.255.0

5. Before the Sullair system was configured using the HMI, PanelView diagnostics returned an exception 7 (negative acknowledgement), indicating that the Ethernet communications were OK but that the eConnect was not communicating with the Sullair control system through the RS485 link. The PanelView displayed all “***” in the data fields.

6. Sullair HMI configuration:

a. Factory Setup -> Comm Module -> Yes <Enter>

b. Sequencing -> Sequence By Remote

7. Only one compressor is connected on this application, but multiple compressors could be connected. On multiple setups, Com1 uses addresses 1 through 200, Com2 uses addresses 201 through 400, etc.

8. Addresses for analog holding registers are offsets. For example, parameter 105 is Modbus address 40105 (this shows up as 400105 in the Kepware server).

9. Wired start relay to output 4 (Modbus address 43125, shown as 403215 in the Kepware server). This is dout4, terminal J9/5. Output On = Run (external relay is de-energized). Output Off = Stop (external relay is energized).

10. Remote on Sullair Supervisor must be illuminated (Red) for PanelView remote start/stop button to work.
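The exception 7 diagnosis in item 5 and the register addressing in item 8, as an added example that is not part of the original notes: a decoder for Modbus responses and a helper that maps a parameter number to its references. It assumes Modbus TCP framing (MBAP header) on the Ethernet side and the conventional zero-based address on the wire; the function names and sample frames are constructed for illustration.

```python
import struct
# Exception codes defined by the Modbus application protocol.
EXCEPTIONS = {1: "illegal function", 2: "illegal data address",
              3: "illegal data value", 4: "server device failure",
              5: "acknowledge", 6: "server device busy",
              7: "negative acknowledge", 8: "memory parity error",
              10: "gateway path unavailable",
              11: "gateway target failed to respond"}

def holding_register_refs(parameter):
    """Parameter number -> 5-digit and 6-digit 4x references, plus the
    zero-based address sent on the wire (conventional mapping, assumed)."""
    if not 1 <= parameter <= 9999:
        raise ValueError("parameter outside the 5-digit 4x range")
    return {"ref5": 40000 + parameter, "ref6": 400000 + parameter,
            "pdu_address": parameter - 1}

def parse_response(adu):
    """Decode one Modbus TCP response frame (MBAP header + PDU)."""
    if len(adu) < 9:
        raise ValueError("shorter than MBAP header plus 2-byte PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so not Modbus")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function, result = adu[7], {"transaction": tid, "unit": unit}
    if function & 0x80:  # high bit set marks an exception response
        code = adu[8]
        result.update(function=function & 0x7F, exception=code,
                      meaning=EXCEPTIONS.get(code, "unknown"))
    elif function in (3, 4):  # read holding / input registers
        count, data = adu[8], adu[9:]
        if len(data) != count or count % 2:
            raise ValueError("register data truncated or odd length")
        result.update(function=function,
                      registers=list(struct.unpack(">%dH" % (count // 2), data)))
    else:
        result.update(function=function, payload=adu[8:].hex())
    return result

# Constructed sample frames, not captured from the equipment in these notes.
SAMPLE_EXCEPTION = bytes.fromhex("000100000003018307")  # read answered with code 7
SAMPLE_OK = bytes.fromhex("0002000000050103020064")     # one register, value 100

if __name__ == "__main__":
    print(holding_register_refs(105))
    for frame in (SAMPLE_EXCEPTION, SAMPLE_OK):
        print(parse_response(frame))
```

A frame whose MBAP length field disagrees with its actual size is rejected rather than decoded, which is the check to keep when the decoder is fed traffic from an untrusted network segment.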

Posted by Don Willbanks at 12:21 AM
Categories: Application Notes