If you think that the only possible variant for such a malware is a classic school-based .bat file with ‘format c:’ string inside, then you’re mistaken. The opportunity to automate various routine operations within the system with the help of .bat scripts has long grown into a full-scale trend for malware coding, for which almost all the anti-virus companies have rendered a special segment in their malware specifications.
I’d like to make a reservation right away that the vulnerabilities considered in the paper are typical virtually for all PLC types rather than only for PLC Delta DVP–14SS211R, which we will study. And these are not misses of a certain particular manufacturer but it is a sort of fundamental problem being the heritage of the time when the simplicity of implementation and economic expediency dominated rather than information safety and a threat of tampering.
As you most likely know, there are two methods of application analysis: static and dynamic. The former includes disassembly, decompilation, and app-manifest analysis. The latter assumes the application is launched in a special environment that permits its behavior to be analyzed under “real conditions,” so to speak. In practice, both methods are usually used in parallel. But as we have already reviewed static analysis (“Anatomy with Preparation”, No. 170), in this article, we are going to concentrate on dynamic analysis.