A sophisticated new piece of malware that targets command-and-control software installed in critical infrastructures uses a known default password that the software maker hard-coded into its system.