A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin

While most of the current research focus is rightfully put on finding and mitigating vulnerabilities in industrial control systems (ICS), the opposite angle, namely researching operational weaknesses or unintelligent decisions of ICS malware that make them susceptible to detection, defensive entrapment, and forensics at large, is lesser explored. In this paper we perform a quantitative evaluation of the ability of Havex ICS malware plugin to correctly discover and query its target industrial control systems. We discuss the reverse engineering and analysis of various blocks of machine code of the Havex ICS malware plugin that pertain to its target selection process. We then quantify mathematically several performance measures of its target selection process. We find that despite its notoriety in the media as a nation state sponsored attack code, the Havex ICS malware plugin uses a plain and unsophisticated target selection process. That weakness in the malware opens the way to targeted defensive mechanisms to accurately neutralize the Havex malware and alike.