
August 26th, 2008

Malware detected at the International Space Station

Posted by Dancho Danchev @ 2:37 pm

Categories: Anti Virus, Black Hat, Botnets, Hackers, Malware, Passwords, Patch Watch, Pen testing, Symantec, Viruses and Worms

Tags: Security, W32.Gammima.AG, NASA, International Space Station, Removable Media, Dancho Danchev

Malware is reaching new heights and going into space: removable media carried the W32.Gammima.AG password-stealing malware to the International Space Station. According to SpaceRef.com:

“W32.Gammima.AG worm is a level 0 gaming virus intended to gather personal information. Virus was never a threat to any of the computers used for cmd and cntl and no adverse effect on ISS Ops. Theory is virus either in initial software load or possibly transferred from personal compact flash card. Working with Russians (and other partners) regarding ground procedures to protect flown equipment in the future. It was noted that most of the IP laptops and some of the payload laptops do NOT provide virus protection/detection software.”

Going through some of the daily reports from the ISS, it appears that the folks above us may in fact be doing more antivirus signature updates and scanning of arriving removable media than the average Internet user here on Earth. The trouble is, this approach only mitigates the risk of infection from known threats. How long before the ISS’s laptops start phoning back to a botnet command and control here on Earth after being infected with malware that their AV scanner cannot detect?

Wired’s Ryan Singel quotes NASA spokesman Kelly Humphries as saying, “This is not the first time we have had a worm or a virus, it’s not a frequent occurrence, but this isn’t the first time”:

“NASA downplayed the news, calling the virus mainly a “nuisance” that was on non-critical space station laptops used for things like e-mail and nutritional experiments. NASA and its partners in the space station are now trying to figure out how the virus made it onboard and how to prevent that in the future, according to Humphries.”

Moreover, judging by the 2007 Final Report of the International Space Station Independent Safety Report, someone needs to tip NASA off on why scanning for vulnerabilities only quarterly leaves a wide-open window of opportunity for client-side exploits executed against the crew’s laptops:

“The software and workstations that perform communications and commanding functions also have several security measures. Security for the MCC workstations is governed by and consistent with the National Information Assurance Policy for U.S. Space Systems. All work-stations for command and telemetry are continuously monitored by standard anti-virus and spy-ware protection software and are scanned quarterly for vulnerabilities using the latest industry standard security software. Password protection is in place on all workstations and only certain users/accounts can access ISS commanding servers, which require an additional password. Access to ISS commanding is further limited by partitioning available commands by user groups, and users only have access to the commands necessary to perform that discipline’s function. To provide a quality check of commands, two people are required to perform a command. Finally, all commands to the vehicle are encrypted and must pass through a series of validity and authentications checks.”

Wonder which antivirus software they’re running at the ISS? The daily reports detailing the activities of the crew members provide some interesting details:

  • ISS On-Orbit Status 08/14/08 - Working on the Russian RSS-2 laptop, Sergey Volkov ran digital photo flash cards from stowage through a virus check with the Norton AntiVirus application
  • ISS On-Orbit Status 11/14/07 - Yuri also had about an hour set aside for inspecting RS onboard computer & OpsLAN/Ethernet systems, including verifying laptop equipment, familiarizing himself with cabling functions and laptop assignments, checking anti-virus signature updates on the RSS2 laptop, and checking computer spares & accessories kits
  • ISS On-Orbit Status 08/21/08 - Sergey checked another Russian laptop, today RSK-1, for software virus by scanning its hard drives and a photo disk with the Norton AntiVirus application
  • ISS On-Orbit Status 08/22/08 - CDR Volkov began his day by downlinking yesterday’s Norton AntiVirus (NAV) data from the RSK-1 laptop scan

Since it’s fairly logical to assume that the ISS is heavily networked using protocols that malware can easily spread through, even malware that was never written or intended to reach the ISS, NASA should definitely take this recurring situation more seriously rather than calling it a “nuisance”.

Image courtesy of NASA.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.


  • Talkback
  • Most Recent of 15 Talkback(s)
RE: Malware detected at the International Space Station
This is not funny those people's lives depend on their computers working well if it gets into a vital system they should track down the inventor of the malicious code and charge them with attempted murde...
Posted by: jeffparm01 | Posted on: 09/17/08