Spanair crash shows deadly result of using tainted USB stick
Posted on | August 22, 2010 | 2 comments
A virus-carrying USB thumb drive has been implicated in the 2008 crash of a Spanish jetliner, the deadliest air disaster in Spanish history.
Packed with vacationers, Spanair Flight JK5022 smashed into the ground shortly after takeoff from Madrid’s Barajas international airport, bound for the Canary Islands. The Aug. 20, 2008 tragedy killed 154 of 172 souls on board the Boeing MD-80 jetliner.
El Pais cites a 12,000-page investigative report that outlines how a computer infection, spread via an infected USB thumb drive, may have been a contributing factor. A malicious program precipitated failures in a fail-safe monitoring system at the airline’s headquarters in Palma de Mallorca. The system was slow in sending out alerts that might have led to delaying or canceling the departure.
Click here to see a PDF copy of the 96-page CIAIAC crash report summary; it’s in Spanish.
Instead, the jet took off with its flaps and slats retracted rather than extended to boost the lifting surface of the wing. The pilots also should have detected something amiss during pre-flight checks, and internal cockpit warnings should have triggered.
Rick Wanner, threat expert at the SANS Institute’s Internet Storm Center, says the revelation shows how disruptive malicious programs can be to the controls of any complex network at any big organization. “I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome,” says Wanner in this blog post.
Hot attack vector
Infectious USB thumb drives helped spread the infamous Conficker worm, and more recently, helped elite attackers launch the Stuxnet worm, which pioneered a new way to corrupt Siemens’ SCADA (supervisory control and data acquisition) systems used to run power plants and industrial factories.
Jose Nazario, senior manager of security research at Arbor Networks, notes that USB thumb drive attacks take advantage of security weaknesses in Windows autorun, a basic component built into the Windows operating system. Microsoft added autorun to Windows 95 to make it easier for you to install programs from CD disks, and now from thumb drives, as well.
Nazario says there is an extensive family of malicious programs designed to “take advantage of the autorun functionality when a USB stick is inserted.”
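Autorun is driven by an `autorun.inf` file in the root of the inserted volume. The following Python triage helper is an added example, not part of the original article: it parses such a file and reports the directives that would launch a program, separately from the ones that only change how the drive is presented. The function names and the sample file are constructed for illustration.

```python
import re

# [autorun] keys that make Windows launch a program from the drive.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Keys that only change how the drive is presented to the user.
LURE_KEYS = {"action", "icon", "label"}

def decode(raw: bytes) -> str:
    """autorun.inf may be ANSI or UTF-16 with a BOM; never fail on odd bytes."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")

def audit_autorun(raw: bytes) -> dict:
    """Return launch directives and presentation keys found in an autorun.inf."""
    findings = {"exec": [], "lure": [], "junk_lines": 0}
    section = None
    for line in decode(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = re.match(r"^\[(.+?)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            findings["junk_lines"] += 1  # not key=value; worth a look in triage
            continue
        if section is None or not section.startswith("autorun"):
            continue  # only [autorun] and its variants matter here
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if EXEC_KEYS.match(key):
            findings["exec"].append((key, value))
        elif key in LURE_KEYS:
            findings["lure"].append((key, value))
    return findings

# Constructed sample, not taken from any real infection.
SAMPLE = (
    b"xk29dkf padding line\r\n"
    b"[AutoRun]\r\n"
    b"OPEN = tools\\setup.exe /quiet\r\n"
    b"shell\\open\\Command=tools\\setup.exe\r\n"
    b"action=Install tools\r\n"
    b"icon=shell32.dll,4\r\n"
)

if __name__ == "__main__":
    print(audit_autorun(SAMPLE))
```

Any entry under `exec` on a drive that is not a known software installer is a reason to image the stick before it is used again.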
Autorun easy to attack
He says it’s not very difficult to mount an autorun attack. Online discussions are widespread. Bad guys are able to bypass firewalls, intrusion detection systems and other external-facing defenses and load a malicious program from a machine inside the soft, gooey innards of an organization’s network.
Several other tech security experts LastWatchdog interviewed at the Black Hat cybersecurity conference and Defcon hackers event last month in Las Vegas said they are wary of using randomly acquired USB sticks.
Nazario says they are the equivalent of reusing dirty hypodermic needles. At conferences, it has become routine for participants to exchange slide shows, press kits and what have you via USB sticks. The rapid spread of autorun-triggered viruses suggests the bad guys are just as routinely slipping infected USB sticks into the mix. Says Nazario:
Think about how many USB sticks you have, you’re probably undercounting. Everyone does. I just found one in my bag I didn’t realize was there. I get them at a lot of conferences I go to. Now think about how many sticks in the past month your laptop has had used with it, and think about how many other systems you have used your USB sticks on. This is like those classic HIV commercials, where you’re with everyone that person has been with before.
By Byron Acohido
Comments
Downvoted for mentioning Internet Storm Center.
Comment by n3td3v Security — 8/23/2010 @ 2:34 pm
I was disappointed to see no mention of Microsoft’s 2009 decision to disable autorun functionality for non-optical removable media (i.e., USB drives) in Windows 7. http://blogs.technet.com/b/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx
In Windows 7, malware cannot execute automatically on USB drives via autorun.
Comment by Paul Royal — 8/28/2010 @ 11:57 am