Software: PLC-Blaster

From attackics
Revision as of 09:25, 4 May 2021 by Oalexander (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
PLC-Blaster
Software
ID S0009
Aliases PLC-Blaster
Type Malware

PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.12

Associated Software Descriptions

  • PLC-Blaster - 1

Techniques Used

  • Change Operating Mode - PLC-Blaster stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again.1
  • Denial of Service - The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS.1
  • Modify Program - PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block.1
  • Native API - PLC-Blaster uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks.1
  • Remote System Discovery - PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.1