KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows Microsoft patched back in October. The worm, according to Symantec, does a number of things, creating an http server on the compromised computer, deletes restore points, downloads other file and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluely says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption.. but I think this is just the most “visible” sign of what may be a more widespread infection inside the airport.  I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines checkin desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

News: It’s Monday, the Worms Are Out

 Sophos, a British anti-virus company, is getting worried about the new Mimail worm (W32/Mimail-A), a mass-mailing worm which first struck in
the United States on Friday 1st August.  Sophos says it “has received many reports of Mimail infections and anticipates the worm could be one of
the biggest of 2003″.
 
 
The Mimail worm arrives in an email claiming to be from the network administrator. Cunningly, it can even spoof the domain name of the business’s email address.  For instance, if the recipient’s email address is John.Smith@ABCLimited.com the email would appear to come from admin@ABCLimited.com.
The message suggests that the recipient’s email account will soon expire and urges them to read the attached information. The attachment, called
‘message.zip’, contains an HTML file which is not a message at all – it is a copy of the worm, which scours the user’s hard disk looking for email addresses for its next round of victims.  
 
More information about the Mimail worm can be found at http://www.sophos.com/virusinfo/analyses/w32mimaila.html.