U.S. military drones catch a virus

Mysterious recurring virus hits military drone fleet as network specialists scramble to determine infection's origin, nature

U.S. military drones and other computer systems at a military base in Nevada have reportedly been infected with a key-logging virus that officials can't seem to remove -- and plug-in drives, notorious for introducing malware on corporate systems, are the likely culprit, according to Wired. Officials have gone so far as to order Air Force bases worldwide to stop using removable drives entirely.

The purported virus -- Wired cited unnamed sources -- first started infecting systems at Creech Air Force Base two weeks ago. The base serves as the control room for carrying out military missions overseas in regions like Afghanistan.

There's a great deal of mystery (or secrecy) behind the infection. According to the report, military network specialists don't know whether the malware is benign, whether it was introduced intentionally or by accident, or how many systems have been infected in all. Also baffling: Each time they purge the virus from the network, it comes back. Not surprisingly, the Air Force is officially remaining mum on the subject.

What does seem clear is how the virus may have been introduced in the first place: through removable drives, which crews use to load map updates and send mission videos between computers. For the most part, the use of such drives is highly restricted on military systems, Wired noted. The Creech base is a striking exception and is the only base to reportedly be dealing with the virus. As a precaution, Air Force bases worldwide running military drones have been ordered to stop using removable drives, Wired reported.

The virus was more likely introduced via plug-in drives than, say, the Internet: "None of the remote cockpits are supposed to be connected to the public internet," according to the Wired report, "which means they are supposed to be largely immune to viruses and other network security threats."

Two of InfoWorld's security and networking experts weighed in on the subject with some interesting insights. Security Adviser Roger A. Grimes raised several questions as well as criticism of how the military appears to be handling the situation if Creech is indeed contending with a malware threat. For starters, he noted it was strange that military security experts could neither identify nor remove the malware. "The report says they don't know if the malware is custom for them or generic. That's a huge red flag. It's fairly easy for any antivirus company to know in seconds whether it is new or not (usually by MD5/SHA1 hash check). Once someone looks at the code, you can tell exactly what it is doing and how to stop it," he said.

Additionally, he noted that if the attack is indeed valid, it would appear that the military specialists violated a critical basic security measure: Scan your removable drives. He also observed that the systems should have settings in place to prevent systems from automatically running the contents of drives. (Microsoft released an anti-AutoRun patch last February, for example.)
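The two controls above (hash-check files arriving on removable media against a catalogue of known samples, and treat an autorun.inf on the drive as a finding in its own right) can be turned into a small intake check. The following is an added example written for this article, not code from InfoWorld, Grimes, or the Air Force; the known-sample catalogue and the drive contents it scans are constructed for the demo, and the file names and hashes are not real indicators from the Creech incident.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed bytes standing in for a previously catalogued sample. A real
# catalogue would hold hashes published by an AV vendor or captured from an
# earlier incident; these bytes are made up for the demo and are not malware.
_CONSTRUCTED_SAMPLE = b"demo-known-sample-bytes-not-real-malware\n"

# Catalogue keyed by SHA-1, with MD5 kept alongside because older feeds list it.
KNOWN_SAMPLES = {
    hashlib.sha1(_CONSTRUCTED_SAMPLE).hexdigest(): {
        "md5": hashlib.md5(_CONSTRUCTED_SAMPLE).hexdigest(),
        "name": "demo-sample (constructed)",
    }
}

# File types Windows will execute directly; unknown ones are flagged for review.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def hash_file(path):
    """Return MD5 and SHA-1 of a file, read in 1 MiB chunks so large mission videos fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def scan_media(root):
    """Walk a mounted drive and return one finding dict per issue, in path order."""
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # An autorun.inf on removable media is worth a finding regardless of content:
        # AutoRun should already be disabled on the host, and the file has no legitimate use here.
        if path.name.lower() == "autorun.inf":
            findings.append({"file": rel, "kind": "autorun-present"})
        digests = hash_file(path)
        hit = KNOWN_SAMPLES.get(digests["sha1"])
        if hit is not None:
            findings.append({"file": rel, "kind": "known-sample",
                             "name": hit["name"], "sha1": digests["sha1"]})
        elif path.suffix.lower() in EXECUTABLE_SUFFIXES:
            # Not in the catalogue: exactly the "is it new or not" question Grimes raises,
            # so it goes to an analyst rather than being silently allowed.
            findings.append({"file": rel, "kind": "unknown-executable", "sha1": digests["sha1"]})
    return findings


def build_demo_media():
    """Create a temp directory that mimics a removable drive; all contents are constructed."""
    root = Path(tempfile.mkdtemp(prefix="demo-media-"))
    (root / "maps").mkdir()
    (root / "maps" / "update.dat").write_bytes(b"benign map data (constructed)\n")
    (root / "autorun.inf").write_bytes(b"[autorun]\n")
    (root / "updater.exe").write_bytes(_CONSTRUCTED_SAMPLE)   # matches the catalogue
    (root / "tool.exe").write_bytes(b"unknown binary (constructed)\n")  # not catalogued
    return root


if __name__ == "__main__":
    for finding in scan_media(build_demo_media()):
        print(finding)
```

Running it against the constructed drive yields three findings: the autorun.inf, the uncatalogued tool.exe (for review), and updater.exe matched by SHA-1 to the catalogue. A hash match answers only "have we seen this exact file before"; a sample that has been recompiled or padded will miss, which is why the unknown-executable path exists and why a file's contents, not its name, decide the outcome.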

Finally, Grimes questioned the logic of continuing to use the drones to carry out missions if they are, indeed, infected. "That would be insane and so against protocol for any military weapon system. If you don't know what it's doing, you don't keep flying. Period," he said.

InfoWorld contributor Logan G. Harbaugh, who has worked on military networks in the past, suggested that perhaps the Air Force's virus-scanning software is misidentifying a file or process as a key-logger. "That has happened before, which might explain why it keeps coming back. It could be some standard system file that is put on the disks automatically, which the detection software thinks is a virus," he said.

Fortunately, Harbaugh said that if there is, indeed, a virus transmitting key-logged data via connected systems, the threat it poses is fairly limited, though not entirely inconsequential. "In addition to passwords and logins being [compromised], which shouldn't be useful without direct access to the consoles, [that data] would include commands given to the drones, coordinates entered for surveillance, etc. But it shouldn't directly compromise information in real time or allow our enemies to gain control of the drones," he said.

There are plenty of question marks here, no doubt. Still, the report should serve as a stark reminder that the Internet has become a prominent battlefield. What's more, it should remind organizations of all kinds to implement policies and protections to prevent malware being introduced into their systems via plug-in drives and other seemingly innocuous hardware, such as an innocent-looking mouse.

This story, "U.S. military drones catch a virus," was originally published at InfoWorld.com.

Copyright © 2011 IDG Communications, Inc.