Information Warfare: The Worm That Won't Die


June 21, 2011: The U.S. Department of Defense believes a computer worm (agent.btz), introduced three years ago into its heavily protected SIPRNet (a classified network that is not connected to the Internet), was developed by Russia. Agent.btz got into the secret-level Department of Defense network when a soldier in Central Command, stationed in the Middle East, plugged an infected thumb drive into a laptop connected to the secure net. Despite three years of effort, the Department of Defense has not been able to completely clean out agent.btz, and new versions of it have shown up in other U.S. government networks. Hostile software like agent.btz is programmed to constantly duplicate itself and move to other networks; that is what a worm does. But agent.btz also seeks out a machine that is connected to the Internet, so that it can transmit the data it has collected. This is the perfect spy, and there are more of them out there every month. They are not only more numerous but more capable: new ones are programmed to evade defenses (anti-virus software), and most are built to hide themselves on the hard disk so that they are difficult to detect.

But the Department of Defense is determined to make it difficult for malware like agent.btz to spread, and spy. This effort has been going on for a while. Late last year, the U.S. military prohibited any use of removable media (thumb drives, read/write DVD and CD drives, diskettes, memory cards and portable hard drives) on PCs connected to SIPRNet. Thumb drives had earlier been banned.

The main motivation for this latest action was the enemy within, and Wikileaks, which obtained hundreds of thousands of secret American military and diplomatic documents from a U.S. soldier (PFC Bradley Manning). As an intel specialist, Manning had a security clearance and access to SIPRNet (Secret Internet Protocol Router Network). This is a private Department of Defense network, established in 1991, that uses Internet technology and is approved to handle classified (secret) documents. But Manning got access to a computer with a writable CD drive, copied all those classified documents to a CD (labeled as containing Lady Gaga tracks) and walked out of his workplace with it. The big error here was having PCs available with writable media. You need some PCs with these devices, but they should be few, and carefully monitored. Normally you would not need to copy anything off SIPRNet. Most of the time, if you want to share something, it is with someone else on SIPRNet, so you can just email it to them, or tell them what it is so they can call it up themselves. A network like SIPRNet usually (in many corporations, and some government agencies) has software that logs who accesses and copies documents, and reports any activity that looks potentially harmful, such as one user pulling an unusual volume of documents or writing them to removable media. SIPRNet did not have these controls in place, and still does not on over a third of the PCs connected.
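As an added illustration (not code from the article, and not any DoD or vendor product), here is what the missing monitoring could look like in practice: a small Python check run over constructed audit-log lines that flags a user reading an unusual number of classified documents within a short window, and any copy of a classified document to removable media. The log format, the field names and the thresholds are assumptions made for this example.

```python
"""Audit-log checks for the two behaviours the article says SIPRNet
lacked: bulk access to classified documents, and copies to removable
media.  Added example; the 'ts key=value ...' log format, field names
and thresholds are assumptions, not a real DoD or vendor format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one log line into a dict with a datetime 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # not a log line we understand; skip rather than crash
    ev = dict(KV_RE.findall(m.group("rest")))
    ev["ts"] = ts
    return ev if "user" in ev and "action" in ev else None


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`
    (sliding two-pointer scan over the sorted timestamps)."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(log_text, read_threshold=25, window=timedelta(hours=1)):
    """Return alerts: BULK_READ when a user first-reads more than
    `read_threshold` distinct SECRET documents inside `window`, and
    REMOVABLE_COPY for every user who copied SECRET material to removable media."""
    first_read = defaultdict(dict)   # user -> doc -> first time it was read
    removable = defaultdict(int)     # user -> number of copies to removable media
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("class") != "SECRET":
            continue
        doc = ev.get("doc")
        if ev["action"] == "READ" and doc:
            first_read[ev["user"]].setdefault(doc, ev["ts"])  # log assumed chronological
        elif ev["action"] == "COPY" and ev.get("media") == "REMOVABLE":
            removable[ev["user"]] += 1
    alerts = []
    for user, docs in first_read.items():
        n = max_in_window(list(docs.values()), window)
        if n > read_threshold:
            alerts.append({"rule": "BULK_READ", "user": user, "count": n})
    for user, n in removable.items():
        alerts.append({"rule": "REMOVABLE_COPY", "user": user, "count": n})
    return sorted(alerts, key=lambda a: (a["user"], a["rule"]))


def make_sample_log():
    """Constructed sample: one analyst working normally (read, then e-mail
    inside the network) and one pulling 60 cables to a USB drive in three minutes."""
    lines = [
        "2010-04-10T09:00:01Z user=analyst1 action=READ class=SECRET doc=/cables/A1.pdf",
        "2010-04-10T09:15:12Z user=analyst1 action=EMAIL class=SECRET doc=/cables/A1.pdf dst=analyst2",
        "garbage line that the parser should ignore",
    ]
    start = datetime(2010, 4, 10, 13, 0, 0)
    for i in range(60):
        stamp = (start + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp} user=analyst7 action=READ class=SECRET doc=/cables/B{i}.pdf")
        lines.append(f"{stamp} user=analyst7 action=COPY class=SECRET doc=/cables/B{i}.pdf dst=E:\\ media=REMOVABLE")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

The REMOVABLE_COPY rule fires on a single event because, under the policy described in the article, no copy to removable media should happen at all; the BULK_READ rule is a rate check and needs a threshold tuned to the real workload of the network being watched.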

This sort of thing is nothing new. Three years ago, the U.S. military found itself having more and more trouble keeping hackers out of its private Internet, and responded by outlawing memory sticks (thumb drives, flash memory devices, whatever, that plug into USB ports). The immediate cause of the ban was hacker programs ("worms", Stuxnet being a notorious example) that automatically copy themselves to removable media (memory sticks, and rewritable CDs and DVDs as well). The next time that media is inserted into another computer, the worm copies itself onto that machine (Windows' autorun feature would launch it as soon as the drive was mounted), tries to secretly take over, and enables hackers to gain access and steal stuff. This stuff is so scary that the military has told troops not to use memory sticks on military computers. This has caused problems in the combat zone, where there is not a lot of bandwidth (Internet capacity) for moving information around. Troops prefer to keep a lot of stuff on memory sticks.
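The propagation described here and in the opening paragraph relied on Windows autorun: an autorun.inf file on the removable media told Windows what to launch when the drive was inserted or opened. The following Python script is added here as an example; it is not taken from the article or from any real agent.btz sample. It parses an autorun.inf, reports every entry that would launch something, checks whether each launched file is present and hidden on the volume, and notes when a system loader such as rundll32 is used to run a DLL. The sample files, directory listing and file names are constructed for the example.

```python
"""Inspect an autorun.inf taken from removable media for the autorun-based
launch that USB worms relied on.  Added example; the sample autorun.inf
contents, the directory listing and the file names are constructed and
do not come from any real malware sample."""
import posixpath
import re

LAUNCH_KEYS = {"open", "shellexecute"}                 # run on insertion / autoplay
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # run when the drive is opened/explored
LOADERS = {"rundll32.exe", "rundll32", "cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll", ".vbs", ".js"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, tolerating the sloppy
    formatting Windows accepted (mixed case, stray whitespace, ';' comments)."""
    in_section = False
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _norm(path):
    """Normalise a Windows-style relative path to lower-case POSIX form."""
    p = path.strip('"').replace("\\", "/")
    return posixpath.normpath(p).lstrip("/").lower()


def _targets(cmd):
    """Split a command line into (loader or None, [executable-looking files])."""
    tokens = cmd.split()
    loader = None
    if tokens and posixpath.basename(_norm(tokens[0])) in LOADERS:
        loader = tokens.pop(0).lower()
    files = []
    for tok in tokens:
        for part in tok.split(","):       # rundll32 takes 'file.dll,EntryPoint'
            p = _norm(part)
            if posixpath.splitext(p)[1] in EXEC_EXT:
                files.append(p)
    return loader, files


def assess(autorun_text, listing):
    """listing: {path: set of attributes} for files on the volume.
    Returns one finding per entry that launches something; [] means none."""
    norm_listing = {_norm(k): set(v) for k, v in listing.items()}
    findings = []
    for key, cmd in parse_autorun(autorun_text).items():
        if key not in LAUNCH_KEYS and not SHELL_CMD_RE.match(key):
            continue
        loader, files = _targets(cmd)
        targets = []
        for f in files:
            attrs = norm_listing.get(f)
            targets.append({
                "file": f,
                "present": attrs is not None,
                "hidden": bool(attrs and attrs & {"hidden", "system"}),
            })
        findings.append({"key": key, "command": cmd, "loader": loader, "targets": targets})
    return findings


# Constructed sample of the worm pattern: every launch hook runs a hidden DLL via rundll32.
SUSPICIOUS_INF = r"""
[AutoRun]
; constructed sample, not a real autorun.inf
Open=rundll32.exe .\pics\thumbs.dll,InstallM
shell\open\Command=rundll32.exe .\pics\thumbs.dll,InstallM
shell\explore\Command=rundll32.exe .\pics\thumbs.dll,InstallM
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Constructed benign sample: only sets an icon and a label, launches nothing.
BENIGN_INF = r"""
[autorun]
icon=setup.exe,0
label=Camera
"""

# Constructed directory listing of the volume with file attributes.
LISTING = {
    r"pics\thumbs.dll": {"hidden", "system"},
    r"pics\IMG_0001.jpg": set(),
    "autorun.inf": {"hidden"},
}

if __name__ == "__main__":
    for finding in assess(SUSPICIOUS_INF, LISTING):
        print(finding)
    print("benign:", assess(BENIGN_INF, LISTING))
```

A launch entry on removable media is a finding in itself under the policy the article describes; a hidden target and a rundll32 loader are the extra signs that turn "unexpected" into "almost certainly malicious".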

For the last decade, the Pentagon has had increasing security problems with its internal Internet-style networks. The Department of Defense has two private networks built on Internet technology. NIPRNet is unclassified; it reaches the public Internet only through a small number of controlled gateways. SIPRNet is classified, is kept off the public Internet, and all its traffic is encrypted. You can send secret stuff via SIPRNet. However, some computers connected to SIPRNet have been infected with computer viruses. The Pentagon was alarmed at first, because these computers were used only on SIPRNet and, on the assumption that an isolated network could not be infected, had no anti-virus software installed. It turned out that a worm was the cause of the infection, installed when someone used a memory stick or CD containing it to do some work, and, well, you know the rest.

Before the Internet came along, removable media (diskettes) was the common way viruses and other malware got around (slowly, but the stuff did travel that way). NIPRNet is also vulnerable. Even though the Department of Defense installed new hardware (special routers, for example) and software to increase security, the worms were still getting in. And with that came the risk of a worm designed to seek out and collect secret information, and keep copying itself to new media until it found itself on a PC with an Internet connection. At that point, the secrets could be transmitted to the hackers who had unleashed the worm.

The military is a big user of the public Internet, and it has discovered that most of the intrusions (hacks and viruses) are the result of poor configuration (not keeping the hardware and software set up correctly to defeat known vulnerabilities), or of not installing patches and security updates in time. The rest of the intrusions come from more mundane problems, like using an easily cracked password, or no password at all. Network security has always been a people problem, and these recent incidents are a sharp reminder of that.

It's easy for troops to be doing something on SIPRNet, then switch to the Internet, and forget that they are now on an unsecured network. Warnings about that sort of thing have not cured the problem. The Internet is too useful for the troops, especially for discussing technical and tactical matters with other soldiers. The army has tried to control the problem by monitoring military accounts (those ending in .mil), but the troops quickly got hip to that, and opened another account from Yahoo or Google for their more casual web surfing and for discussions with other troops. The Internet has been a major benefit for combat soldiers, enabling them to share first-hand information quickly and accurately. That's why the troops were warned that the enemy is actively searching for anything G.I.s post; this stuff has been found on terrorist web sites and on captured enemy laptops. In reality, information spreads among terrorists much more slowly than among American troops. But if soldiers discuss tactics and techniques in an open venue, including posting pictures and videos, the enemy will eventually find and download it. The terrorists could speed up this process if they could get the right hackware inside American military computers.