Skynet Got Drones!

by wjw on October 11, 2011

A computer virus has hit the entire U.S. drone fleet. The virus— a keylogger— was first spotted a couple weeks ago, and is proving very difficult to scrub from the drones and their servers.

So far the virus hasn’t interfered with the drones’ missions, but that only means that Skynet is biding its time . . .

DensityDuck October 11, 2011 at 5:58 pm

Two outcomes from this:

1) the Internet goes crazy with conspiracy theories about how the Israelis are using a variant of Stuxnet to commandeer the Predators and use them for assassination missions, and the US knows about it and is pretending that this is all planned and authorized activity, because they don’t want to admit how badly their systems have been compromised.

2) everyone admits that if the USAF can get a keylogger on a secure network that maybe the Stuxnet thing wasn’t some kind of Tom Clancy cyber-op after all, but rather the result of a botnet virus misidentifying a particular device driver as a system file.

John Appel October 11, 2011 at 9:18 pm

Saw this on Friday when Wired broke the story.

Kicking this around with the incident response / data forensics guys at work, our best guess is that someone probably brought this in via a removable drive. It may or may not have been planted deliberately to target this: Steve Jackson’s Law still applies. (“Never assume malice when incompetence is a good enough excuse.”)

As for being difficult to remove, pretty much any decent malware today can really only reliably be removed by wiping the system and rebuilding; that’s been the case for several years.

This is not to say it can’t possibly be the work of a state-sponsored or state-sanctioned entity. I would have downplayed such a notion even five years ago – but just as 2002-2004 saw the shift from hobbyist hackers to organized cybercriminals, sometime around 2007-2008 the landscape changed yet again, with nation-state players becoming a bigger slice of the pie.

Ralf The Dog October 12, 2011 at 2:21 am

My servers get hit from international IP addresses on a daily basis. This is true for most companies on the web. If you don’t like it, go back to using pigeons.

@ John Appel,

It is not always easy to remove a virus. How does the virus spread? If it can over the network, you would need to shut down every computer on the network, then clean each, one at a time. After each computer was cleaned, you would need to make sure it was disconnected from the network until every computer was clean. A smart virus might be able to flash itself into the BIOS (possibly even into the graphics card or a network printer). Thus, even if you write 0’s to the drives, the virus will recreate itself when the first computer is turned back on. In this case, the only safe thing would be to scrap every bit of hardware on the network.

Anonymous October 12, 2011 at 12:17 pm

@Ralf – thanks, I’m very aware of all this – I’m an information security guy. The IR & forensics guys I was referring to are down the hall from me and deal with these things on a daily basis. These days, I’m on the security architecture side of the house, though I still run our intrusion prevention system, and I see where the bad stuff is coming from. The nature of the bad stuff, and the points of origin, have evolved considerably since I got into this field 15 years ago. The threat landscape is very different.

I don’t think we’ve seen a virus in the wild that flashed a graphics card yet, nor a *virus* to hit a printer, but I’ve seen printers used as points of manual exploitation in the past.

And I agree, one has to deal with these things if one wants to operate in the modern world. Ubiquitous mobile computing (because that’s what a smartphone or tablet is, a mobile computer) is making things even more interesting.

As I was taught in the Army, “What can be seen can be hit; what can be hit can be killed.” My mantra today is “What is connected can be accessed; what can be accessed can be compromised.” The focus today is – or should be – on a) not being the low-hanging fruit, and b) being able to detect and respond to a compromise, because sooner or later one of your users is going to click on that e-mail with the attachment containing a zero-day exploit (see the RSA breach last spring). Assume you’re going to be hit and plan accordingly.

John Appel October 13, 2011 at 1:25 am

Whoops! That “anonymous” post was me.

John Appel October 13, 2011 at 4:44 pm

And indeed, it looks to have been a removable drive chock-full-o-malware:

Copyright © 2010 WJW. All Rights Reserved.