KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows that Microsoft patched back in October. The worm, according to Symantec, does a number of things: it creates an HTTP server on the compromised computer, deletes restore points, downloads other files and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old, and the vulnerability the worm exploits had been patched a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluley says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption… but I think this is just the most ‘visible’ sign of what may be a more widespread infection inside the airport. I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: in 2003, Continental Airlines check-in desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits, but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

Beware Evaman

The Sydney Morning Herald is warning of a new Doomsday: “a new internet virus is expected to clog mail servers, cause severe slowdown and wreak financial damage as it spreads rapidly around the world when businesses return to work today”.

It is a mass-mailer worm called Evaman, and Symantec is likening it to MyDoom, using a false email address to generate messages with an attachment that carries the virus. By opening the attachment, recipients “unleash the virus onto their computer, where it automatically starts sending out dozens of new messages”.

As with an increasing number of these viruses, the worry is that the infection rate will be worsened because of the weekend factor: Tim Hartman, senior technical director at the security firm Symantec, “estimated the virus would spread at an uncontrollable rate as people returned to work”. He’s quoted as saying: “There’s so many unprotected machines out there that the likelihood that this will spread significantly is quite high. We have to wait until everyone gets back to work from their weekend around the world.”

What’s not quite clear to me is how exactly this works, and for what purpose. Symantec says the worm “generates random queries to email.people.yahoo.com (an email search engine), and collects email addresses from the search results”. It then “sends copies of itself to the addresses that it finds with a spoofed From address”. But why?

I can only assume it is trying to verify email addresses in bulk. If so, it’s proof, if it were needed, that spamming and virus writing are all pretty much the same business these days.

Update: Blaster B Suspect Is About To Be Arrested

There must be at least one frightened teenager out there today. AP reports that U.S. investigators have identified a teenager as one author of a version of the Blaster worm and plan to arrest him early Friday (U.S. time). A witness reportedly saw the teen testing the infection and called authorities, an official said. The worm and its variants infected more than 500,000 computers worldwide.

The “Blaster.B” version of the infection, which began spreading Aug. 13, was remarkably similar to the original Blaster worm that first struck two days earlier; experts said the author made few changes, renaming the infecting file from “msblast” to an anatomical reference. Can’t help feeling sorry for the kid. He is going down.