Password Stealing Worm Attack NASA Laptops

UNSECURED : Password Stealing Worm Attack NASA Laptops

By Richard Adhikari

August 28, 2008

www.internetnews.com/security/article.php/3768196

You'd think the United States' space agency, which conducts highly sensitive research and has had its servers hacked before would be extremely thorough about computer security, but that does not appear to be the case. A worm that steals online gamers' user names and passwords has been running rampant on laptops on the International Space Station (ISS).

Fortunately, there is no risk of the ISS hurtling out of control back to Earth. Antivirus vendor Symantec's malware database entry said the code is only used to steal account information to online games.

The worm, known as W32.Gammima.AG, is spread through removable media such as USB drives and external hard drives. Gamimma steals sensitive information for various online games, including ROHAN, R2 (Reign of Revolution), Talesweaver, Seal Online, and several games popular mainly in China, including ZhengTu and HuangYi Online, according to Symantec, which wrote up the Gamimma worm on August 27, the day it was discovered.

In its paper on Gamimma, Symantec said the worm offers a very low risk. It affects all Windows systems, copying itself to all drives from C through Z and modifying the registry so it executes whenever Windows starts.

This is not the first infection at the space agency, either. "It has happened before, but it's not a frequent occurrence," National Aeronautics and Space Administration (NASA) spokesperson Kelly Humphries told InternetNews.com. He confirmed that NASA is a high-security organization, but would not discuss why its computers keep on getting infected if that's the case. "We continually refine and update our procedures and do our best to protect the systems on the station," Humphries said.

However, Humphries would not discuss how the laptops were infected. "I'm not going to speculate on how this could have happened," Humphries said. He would not confirm the type of malware that hit the laptops either, "because of IT security."

Humphries said that security would be tightened up. "Our Expedition 17 crew on the station is working with flight control and engineering teams and with our international partners to identify and eradicate the virus that's on board and we'll look for any actions we can take to prevent that from happening again," he added.

NASA partners with the Russians, Canadians, the Japanese Space Agency and the European Space Agency. Humphries said the European Space Agency is a multinational organization.

Perhaps NASA should try harder, said one security researcher. "This issue could be a whole lot worse," security research organization McAfee Avert Labs' director of security research and communications, Dave Marcus, told InternetNews.com. "Gamers are the second most targeted group malware authors go after, and chances are that any password and account combination that's stolen could be reused on other sites."

Password stealing malware accounts for 90 to 95 percent of the approximately 3,000 pieces of malware Avert Labs sees every day, Marcus said. NASA "needs to look at this as a wake up call, and they need to look closely at their policies."

According to a white paper by Avert Labs researcher Igor Muttik, data-stealing Trojans (like Gamimma) record user IDs and passwords as well as the IP addresses or the names of the servers they use. This information lets cybercriminals log into the victims' accounts and steal anything of value, which they then sell.

Because NASA computers have been infected before, the agency needs to take a very close look at what it's doing, Marcus said. "Things are not locked down or as tight as they should be," and Marcus recommended NASA "look at real strong management and real strong policy enforcement."

Media reports say the infected laptops were used to run nutritional programs and let the astronauts e-mail their families back on Earth occasionally, but Humphries declined comment.

The Expedition 17 crew on board the ISS consists of flight commander Sergei Volkov; flight engineer Oleg Kononenko; and the only American in the crew, flight engineer Gregory Chamitoff. The crew launched for the ISS April 8.

On October 12, the next crew, consisting of Commander Mike Finks and flight engineer Yuri Lonchekov, will take off for the ISS with a passenger, video game developer Richard Garriott, according to NASA's Humphries. After a week, Volkov, Kononenko and Garriott will return to Earth and the rest will stay on the station.