On January 13, 2021, Venut's technical service department received a large number of inquiries from the enterprise users it serves. They mainly asked whether the Incaseformat worm outbreak spreading on the Internet would affect their industrial control systems, and whether engineer stations and host computers on which Host Guard is installed can defend against this kind of virus.

1. Virus description

Venut's attack and defense expert team immediately analyzed the virus sample and found that it is a worm. Because an empty file named incaseformat.log is left in the root directory of each partition whose files were deleted, the virus has been named the Incaseformat virus on the Internet. The worm spreads mainly through U disks (USB flash drives) and similar removable media. When it infects a U disk, it hides the original folders on the disk and disguises itself with the icon of each original folder.

Burst!! Incaseformat worm outbreak: industrial enterprise users need not panic

When the user inserts an infected U disk and clicks to run the disguised file, the worm copies itself to the Windows directory of the system disk and creates a registry entry to start automatically. Once the user restarts the host, the virus immediately infects the folders on every disk other than the C drive, and after a preset period of time deletes all data on those disks.


It is worth noting that this is not a new virus; it dates back at least to 2014. Antivirus vendors have named it Worm.Win32.Autorun, and the name itself indicates a worm that spreads through removable media on the Windows platform.


Although it is an old virus, this sample did not trigger the deletion of user files until January 13, 2021. The main reason is that the IMSecsPerDay constant in the DateTimeToTimeStamp function of the Delphi library used by the virus has an incorrect value, so DecodeDate computes a wrong value for the converted current system time. Moreover, today (January 13) is not the only deletion date the virus sets; the next deletion date is January 23.

2. Solution

The Venut attack and defense expert group verified that the virus only triggers file deletion when it is executed from the Windows directory, and that a restart is the main way it gets started from that directory. Hosts with Host Guard installed can therefore block the Incaseformat worm, or prevent its deletion behavior through mandatory access control policies, ensuring the continuous and stable operation of industrial hosts.


Figure 1 Local execution


Figure 2 Interception log

Because the virus spreads only through removable media such as U disks and has no network propagation characteristics, U disk use can also be strictly controlled with Host Guard's removable media control function, preventing viruses from being introduced through unauthorized use of removable media.


Figure 3 Peripheral Control


Figure 4 Peripheral control log

3. Virus screening

Step 1:

Check whether files named tsay.exe and ttry.exe, displayed with folder icons, exist in the Windows directory of the industrial control system. If both files exist, delete them promptly, and do not restart the host before deleting them.

Step 2:

Check whether a tsay.exe or ttry.exe process is present in Windows Task Manager on the industrial control system; if so, end it manually.

Step 3:

Check whether the resident files tsay.exe and ttry.exe remain in the Windows directory of the industrial control system, and whether the related registry startup entries (RunOnce) are still present.

Note: Enterprise users who have installed Industrial Control Host Guard are advised to check that the relevant policies are enabled.
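The three screening steps above can be automated. The following PowerShell script is an added example written for this article; it is not Venut's tool and is not part of Host Guard. It checks the Windows directory for tsay.exe and ttry.exe, looks for running processes with those names, and scans the RunOnce startup keys (and, going one step beyond the article, the Run keys) under both HKLM and HKCU for references to those file names. The script only reports what it finds and leaves removal to the operator; run it from an elevated PowerShell session.

```powershell
# Added example (not Venut's code): screen a Windows host for the Incaseformat
# worm indicators named in the article. Reports only; it does not delete anything.

$indicators = @('tsay.exe', 'ttry.exe')   # file/process names from the article
$windowsDir = $env:SystemRoot             # typically C:\Windows
$findings   = [System.Collections.Generic.List[object]]::new()

# Step 1: files dropped into the Windows directory
foreach ($name in $indicators) {
    $path = Join-Path $windowsDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $findings.Add([pscustomobject]@{
            Check  = 'File in Windows directory'
            Detail = "$path ($($item.Length) bytes, modified $($item.LastWriteTime))"
        })
    }
}

# Step 2: running processes (Win32_Process gives the executable path, which
# lets the operator confirm the process really runs from the Windows directory)
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $indicators -contains "$($_.Name)".ToLower() } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'Running process'
            Detail = "PID $($_.ProcessId): $($_.ExecutablePath)"
        })
    }

# Step 3: startup entries. RunOnce is what the article names; Run is checked
# as well because the cost is negligible and a persistence entry could sit there.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $value = [string]$prop.Value
        foreach ($name in $indicators) {
            if ($value -match [regex]::Escape($name)) {
                $findings.Add([pscustomobject]@{
                    Check  = 'Startup entry'
                    Detail = "$key\$($prop.Name) = $value"
                })
            }
        }
    }
}

# Report. The article's order matters: remove files and stop processes BEFORE
# any reboot, because the deletion routine runs from the Windows directory at startup.
if ($findings.Count -eq 0) {
    Write-Host 'No Incaseformat indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'Indicators present. Delete the files and end the processes before rebooting, then re-run this check.'
}
```

The script deliberately does not remove anything: on an industrial host the operator should confirm each finding (for example that the executable path really is the Windows directory) before deleting files or killing processes, and a report kept from each run doubles as the interception log for the incident record.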

4. Security advice

Most industrial control systems are used in national critical information infrastructure, and the data stored on key engineer stations, host computers, and databases in these systems is of great value to their operation. Once that data is deleted, production stalls and, in many industrial scenarios, production safety accidents can follow, so industrial enterprises should pay special attention to the security protection of industrial hosts.

Venut Industrial Control Host Guard builds a secure computing environment for industrial hosts through “four locks and seven core functions”.


◇ App lock

A "whitelist" protection mechanism locks the applications that may run on the industrial host: any program outside the whitelist is prevented from running, which blocks malicious code and unauthorized programs and maximizes the stable operation of important equipment such as engineer stations, operator stations, and servers.

◇ System lock

Security baseline management and mandatory access control lock the operating environment and resources of the industrial host, ensuring that its settings comply with the security baseline policy and that read and write access is governed by access control policies defined for the configured subjects and objects.

◇ Network lock

Locks the network access environment of the industrial host, allowing communication only between the industrial host and specific servers, and containing the spread of malicious code within the network.

◇ Peripheral lock

Locks the use of external input devices so that only certified, trusted USB devices can be used on industrial hosts, preventing malicious programs from being introduced through external input devices such as U disks and the virus infection and sensitive data leakage that may result.
