PLC-Blaster: A Worm Living Solely in The PLC

by Ralf Spenneberg, Maik Brüggemann, Hendrik Schwartke Sept. 16, 2017 via www.blackhat.com submitted by belen_caty

We developed a PLC program which scans a local network for other S7-1200v3 PLCs. Once these are found, the program compromises these PLCs by uploading itself to these devices. The already installed user software is not removed and is still running on the PLC. Our malware attaches itself to the original software and runs in parallel to the original user program. The operator does not notice any changed behavior. We developed the first PLC-only worm. The worm is written using only the programming language SCL and does not need any additional support. For the remote administration of the compromised PLCs we implemented a Command & Control server. Infected PLCs automatically contact the C&C server and may be remotely controlled using this connection. Using this connection we can manipulate any physical input or output of the PLC. An additional proxy function enables us to access any additional system using a tunnel.

https://www.blackhat.com/us-16/briefings.html#plc-blaster-a-worm-living-solely-in-the-plc