While most current research rightly focuses on finding and mitigating vulnerabilities in industrial control systems (ICS), the opposite angle, namely studying the operational weaknesses or poor design decisions of ICS malware that make it susceptible to detection, defensive entrapment, and forensics in general, is less explored. In this paper we perform a quantitative evaluation of the ability of the Havex ICS malware plugin to correctly discover and query its target industrial control systems. We discuss the reverse engineering and analysis of the blocks of machine code in the Havex ICS malware plugin that implement its target selection process, and we then quantify mathematically several performance measures of that process. We find that, despite its notoriety in the media as nation-state sponsored attack code, the Havex ICS malware plugin uses a plain and unsophisticated target selection process. That weakness opens the way to targeted defensive mechanisms that can accurately neutralize Havex and similar malware.