Joint Chiefs mull a $5M reward for "agent.btz" virus author

You may have read the news that an "agent.btz" virus has crippled the military.  This one is truly a horrifying terror attack against our men and women in uniform.  It's far worse than the devastating Solar Sunrise computer attacks that crippled the U.S. Air Force in the 1990s.  The Air Force is now failing to launch dozens of "ATO" missions every day because of "agent.btz," and we're actually losing soldiers' lives as a result.  You heard what I said, folks.  Two soldiers DIED in Afghanistan because the Air Force couldn't launch all of its aircraft due to the "agent.btz" virus.  Our death toll is going to mount until we get a handle on this terrorist cyber-weapon.

An AMHS message sent today from U.S. Strategic Command reveals that General James Cartwright, the Vice Chairman of the Joint Chiefs of Staff, has proposed a $5 million reward for the capture of the "agent.btz" virus author.  The money would come from STRATCOM's pot, and U.S. Special Operations Command would be given OPCON to build a JTF to hunt down the virus author.

As for me, I'm all for it.  Whoever wrote "agent.btz" deserves to die.  I lost all respect for his life the day I learned his virus led to the death of two soldiers on patrol in Afghanistan.
 

Comments

  • 11/21/2008 3:10 PM Mike wrote:
    How about a little inter-agency rivalry between the Seals, Rangers and the PJ's... The group that catches the perp gets to take him up on a one-way helo tour. And, the command gets the $5 Million!

    Seriously, **ALL** mal-ware authors and intentional purveyors should be handled and tried as terrorists...

    Until it's a federal crime with life or death sentence... We won't begin to see a dent.

    And, yes, that would go for "children" who do so.

    If they're smart enough to program such a thing they are smart enough to know better!
    Reply to this
  • 11/21/2008 5:09 PM clamstrip wrote:
    you know, $5M would buy the AF an awful lot of Macintosh, Linux, and Sun systems.
    NONE OF WHICH ARE AFFECTED BY AGENT.BTZ
    NOR ANY OTHER VIRUS DESIGNED FOR WINDOWS.
    Reply to this
  • 11/22/2008 5:12 PM Mike wrote:
    isn't Agent.btz an AutoPlay/AutoRun trojan?

    So, how come nobody ever thought to turn off AutoPlay for ALL Drives using gpedit.msc????

    So we lose our USB capability because the "EXPERTS" didn't ~really~ protect our systems or allow us to do so!

    Of course to completely turn off all Autoplay functionality you'd need to get rid of Media Player...

    BTW: X=Unknown Quantity Spert=is a drip under pressure!

    Again, I think a one way helo ride is in order...
    Reply to this
    1. 11/29/2008 12:40 PM Soldier at ground zero wrote:
      'EXPERTS' AT GROUND ZERO: yes, we are monitoring these blogs...ok, first off, NO Agent.btz is not just an auto play/auto run virus-worm, instead, it immediately detects and copies itself from one medium to the next once, say for instance, you plug in a thumb drive without any group policy settings or provocation. What I can tell you is that if found on a DoD system, the system is completely wiped. The origin, currently, according to selected media sources, suspected of being either China or Russia, is most certainly not Russia. Do the math. I am an analyst at ground zero studying this virus-worm ..... I can also tell you that measures we are taking now ARE working to beat this thing.....the rest is Classified ... you know the rap.
      Reply to this
      1. 11/30/2008 3:26 PM Michael Druckenmiller wrote:
        YES, BUT, for any code to function it must be transferred to memory and then the OS has to vector to it for it to run. HAD Autorun/Autoplay been turned off for all drives in the Registry that particular vector would have been a non-issue. As it is... All of DoD is suffering the loss of a ubiquitous aid to productivity.

        (It wouldn't have helped a Windows Media based bug, though, because you can't turn Scan/Sync drives off for Windows Media... There are much safer alternatives. But, of course, we don't have the access to get rid of Windows Media or load a safer app in its place!)

        Computers are not *just* an information source for a Calibration or Electronics Tech. They are essential tools!

        Many of which only have USB as a means of getting data to/from Test Equipment for Upgrades and Patches.

        Or, transferring part of a Tech's 40 years of experience from his "SAFE" home storehouse to share at work...

        The problem didn't come from me! Because I *CAN* control my home systems better than my DoD system! From which I am completely locked out and can't do *ANY* proactive prevention except sit and stare and **hope** that the IT "spooks" get it right.

        But, of course, they didn't this time because the end user isn't being allowed to be part of the cure.

        Sorry, if you think there is a bit of animosity towards the "experts". Oh there most certainly is...
        Reply to this
        1. 12/5/2008 5:02 PM Soldier at ground zero wrote:
          USB wasn't around 10 years ago (far as the public knows), when we had computers, and we handled the wars just fine. If an E.M.P. took out all comms today, we'll still have paper and pen. Trust me, we'll be fine; it really isn't that serious. This is the Military, Sir. We are built to survive with almost nothing at our disposal, and we're damn good at it, so with all due respect, don't downplay the Military's abilities based on the use or lack of a piece of equipment that is no more different than the beeper, before it was obsolete. It too, will be replaced very soon.

          Panic, is the cry of the weak minded...
          Reply to this
      2. 12/5/2008 7:39 AM Keith Epstein wrote:
        I'm interested in talking with you. You can reach me at keith_epstein@businessweek.com.
        Reply to this
  • 11/23/2008 9:05 AM Paul Noel wrote:
    I worked on the FQT of TAIS 10 at General Dynamics. Some Idiot General in the US Army didn't want TAIS operating on Sun Solaris so he had it rewritten at millions of dollars of cost into Windows XP. Now we get this. TAIS 10 is the software that is running to handle ATO's. Similar Idiots are running around in the US Army wanting XP or similar OS because it is easy to run and common platform etc. They don't want Linux or Solaris because they are not DOD Certified. MS paid for the Cert. Linux will because of Open Source never pay for Cert and Sun Solaris probably will not get the money either. So we cert as safe the OS that kills our troops. How do we ID the real terrorist?
    Reply to this
  • 11/28/2008 11:42 PM billy wrote:
    maybe the soldiers died because of our inept ability to foster gains in Afghanistan. It's only been 7 years and still foundering away.

    To blame a virus is nothing more than searching for another scapegoat.
    Reply to this
    1. 11/30/2008 5:35 PM Soldier at ground zero wrote:
      ... not necessarily. Actually since the discovery of this virus-worm, we have had to halt certain Tactical assets that can significantly affect a mission... There really is no way to put a happy face on dead Soldiers, but we are doing our best by curbing certain missions that would otherwise be affected if we put into play those assets that were affected by this virus-worm. I apologize for the cryptographic explanation, but the details are Classified. I could say, with almost absolute certainty, that if the AF had an infected system, and that system had to be taken off line to be wiped, then it is possible that the AF couldn't dedicate certain platforms to that mission, thereby resulting in potential loss of life ... what some people easily forget is that the military is a large machine; throw a wrench in that machine ........
      Reply to this
      1. 4/6/2009 2:26 PM Seth Alton wrote:
        Let me think, ATO is based off of a classified network, which means some dumb ass AF guy put his USB stick into a classified computer. #1 rule in IT administration, TRAIN YOUR USERS! 2. Get rid of the most security flawed OS and train administrators like me that SHOULD BE DOING THIS JOB ANYWAY!!! Send me to classes to use a Unix/Linux based OS, or come up with one specifically used for the military. AND DON'T GIVE ME THAT CRAP THAT YOU'D HAVE TO TEACH THE ENTIRE ARMED FORCES ON HOW TO USE MAC OS. WHY DO YOU THINK THAT THEY PUT IT IN ELEMENTARY SCHOOLS FOR CRYING OUT LOUD. AND THE LAST TWO MAC OS UPGRADES DON'T LOOK ALL THAT DIFFERENT LIKE VISTA DID FROM XP PRO. REMEMBER... IT WAS THE AF J-TAC WHO WAS THE ONLY GUY RUNNING AROUND IN A BRIGHT RED BERET IN TRANSFORMERS. Leave the sophistication and the cryptographic talk to the Navy. They're good at it. Rangers lead the way
        Reply to this
  • 12/4/2008 3:56 AM Michael Druckenmiller wrote:
    Still... An ounce of prevention is always better than a pound of cure...

    Especially if you have a half-pound stomach.

    I agree that loss of assets, especially human assets is (no word to describe)...

    But, so many shops were wide open to such an infection. For a very long time. And, no one ever was able to raise an alarm and get it corrected.

    Everyone assumed our systems had the best protection available.

    After all, they were Military and Tactically and Strategically Important...

    But, By, locking the end user out of the loop, and then, additionally, making it so hard to raise a red flag because someone might think you are a terrorist or worse a trouble-maker...

    The experts allowed us to shoot ourselves in the foot...

    As for the "outside" sources of infection...

    I'll say it again... the lower the technical competency of the user the tighter the level of lockdown...

    IDIOTS who do not have their non-Military Networked Computers (home or shop) properly locked down and protected are as much a threat as Al Qaeda!

    But, by having a single level of "User" the Experts have locked a valuable asset out of the Protection Scheme...

    You can have the best security in the world... But, if the lowest level person leaves the door unlocked...

    Then you have double-sided locks on the doors so that only a "General" can re-lock the door!

    Mike Sr.
    Reply to this
    1. 12/5/2008 5:18 PM Soldier at ground zero wrote:
      With all due respect, I could take every precaution in the world, but it won't stop me from getting hit by a car if the circumstances for that day are just right; the same goes here. How are users to differentiate between real emails and malicious code born messages? They can't, because they are not trained to, and man is fallible, plain and simple. Any man who wants to do something bad enough, can do it, make no mistake, we took every precaution, but ..... shit happens We either learn from it, or we are doomed to repeat it. I don't think I need to tell you about the many video bytes that have been out for years about the vulnerabilities of the SCADA boxes, and here we are ... CA felt that lesson. You tell me what I can do to completely prevent this from ever happening again, within ethical guidelines, and We'll do it. I know by now you're probably more pissed off than when you started. Breathe, tomorrow WILL come
      Reply to this
  • 12/7/2008 6:48 AM AFSPFalcon wrote:
    Has anyone checked to see if the machines they are running have memory on the video cards? Virus scanners and HIDS do not scan external memory sources, at least not the common ones, they monitor the memory boards native to the mother board.
    Reply to this
    1. 12/8/2008 1:48 PM Soldier at ground zero wrote:
      ... The Military has for the most part migrated to laptops, so, not so many memory-resident video cards around anymore...We ARE using AV on our systems, but we are not using virus scanners to detect this, because they can't, at least not yet anyway. We are using more sophisticated software, much like forensic scanner software...once a system is identified by the software as carrying the virus-worm, or any malicious code, for that matter, the system is immediately isolated from the network, seized, and completely wiped, then reimaged, and placed back in play.. Software specifics are Classified.
      Reply to this
      1. 12/9/2008 2:25 AM Mike Druckenmiller wrote:
        The only threat is not allowing the end user to take part in the cure!

        Granted sinowal is a very bad rootkit compared to agent.btz (which may be coded to carry it.)

        And, even though I have no access to "real" hard information I have no doubt that the "sino" in that virus's name means China!

        aVast does include a rootkit scanner, now.

        And, granted, one downfall to turning off drive insertion notification is that even the virus scanning software may not get alerted that a new potential source is available for scanning.

        (That means on access scanning remains important.)

        Heuristics and Signatures both have strengths and weaknesses.

        Both McAfee and Symantec make some very good AV scanners.

        But, the problem with corporate grade AV is that it is complex and intended for physically secure networks.

        Without end user involvement you can't run a "personal" firewall on the end users computers with active alerting because then you'd have to let the user know what to allow to pass and what is suspicious.

        You make all the prevention and remediation secret then blame the user anyway!

        The fact that you state a system is wiped and reimaged indicates something far more sinister than agent.btz..

        That sounds like a rootkit remediation to me...

        And, the really bad ones can do a lot of damage between scans.

        A Trained, Informed and Involved user base, IMHO, remains the key to protecting the network.

        I can't do my own "due diligence" if I remain so completely locked out of the game.

        Mike Sr.
        Reply to this
  • 12/7/2008 7:26 PM Michael Druckenmiller wrote:
    MY POINT is that an obvious preventative measure was _NOT_ taken.

    AND, the cure is worse than castor oil by the gallon! OVERKILL.

    As, far as being "angry", yes I'll adjust...

    BUT, my efficiency and ability to do my job has been and will continue to be affected.

    Not to mention morale and blood pressure issues every time I bump my head against this insane overkill "cure".

    You're also dealing with major morale issues "in country" where the troops, whether they are supposed to or not, download music and video to help stay sane. (Can you calculate *that* impact?)

    I regularly see "additions" on the Laptops assigned to support a particular piece of test equipment.

    So far I haven't had to cure even one virus...

    Have had a few run over by vehicles, though. And, btw even a "Toughbook" doesn't like that...

    Maybe the Marines just "play" better???

    Mike Sr.
    Reply to this
  • 12/8/2008 2:02 AM pagan wrote:
    My personal view is the military should migrate to a mil grade linux developed by their own, as the future of microsoft computing bases will get worse according to blackhat specialists, the next wave of trojans coming will write to specific hardware devices not just the hard drive.....
    Reply to this
  • 12/8/2008 2:16 AM Randy wrote:
    It's always unfortunate to lose our military personnel. This particular incident leaves a very bad taste...

    However, those responsible for this "agent.btz" are most probably not the authors of the program. Having said that, it's an imperative that this problem is solved and the appropriate response may be very surprising to some. Just terminating the life or lives of those responsible aren't enough.

    There are underlying opportunities to be exploited...
    Reply to this
    1. 12/9/2008 2:32 AM Mike Druckenmiller wrote:
      Mal-ware authors and those responsible for knowingly distributing such garbage should be prosecuted as the terrorists they are.

      (Supposedly "innocent" types are still "forcing a safeguard" if they can't show "due diligence".)

      This should be a Federal Felony with the Death Penalty when death results from the effects of the mal-ware.

      I don't care if it's a 12 year old!

      This isn't a game. It's not just the military that is being "terrorised".

      All of us are living under a continual threat of identity theft and loss of all resources.

      As I said no matter the age... Whisk them off to GitMo for a spell!

      The enemy combatants don't have to make it, they can "accidentally" fall out of the transport with a bag of chum!

      As for the Foreign Government involvement it **IS** an act of war and should be treated as such...

      Period!

      Mike Sr.
      Reply to this
    2. 12/9/2008 11:48 AM TekServer wrote:
      That's an interesting point. Wouldn't it be sadly ironic if agent.btz were actually developed by our own intelligence community, and then stolen by and/or leaked to those who wish America harm? Just a thought...
      Reply to this
      1. 12/14/2008 6:52 PM Soldier at ground zero wrote:
        orrrrrrrr maybe it was the Russians!
        LOL
        who introduced it at a net-cafe in Afghanistan......
        LOL
        True Story......
        LOL
        Reply to this
  • 12/9/2008 2:09 AM Mike Druckenmiller wrote:
    Even with a "Hardened" System the true resolution remains an informed and **INVOLVED** user base.

    As long as the "Spooks" are in charge of 100% of the protection all is lost.

    Good grief I can't even run a root kit scanner on my system.

    And, even if I could, how would I know what was there legitimately?

    I mean it's not like I could ask a spook if it's legitimate or not.

    This total lack of cooperative involvement is deadly....

    How many people died while the spooks tried to figure out what was going on secretly instead of alerting users and asking us to be much more careful?

    What kind of idiocy allows a virus to get loose without raising an alert?

    And, we don't even hear about it until after the fact when ZDnet reports a 75 percent infection rate at (at least) one in-country base?

    Mike Sr.
    Reply to this
  • 12/16/2008 12:00 PM ASTAN wrote:
    All I can add is that this is FAIL!! I have been on the front line of this in ASTAN and from the top leadership to bottom has been a giant joke. Symantec didn't catch the virus that is why it was allowed to spread undetected.

    This could have been mitigated early on but the folks at the flag pole decided to sit on it and see what happened. All it would have taken is to block the traffic that was being seen and lock down USB right away but instead they allowed it to spread like wild fire. And their answer to this problem was well let's just wipe every machine and start all over. Real nice huh...I pray for those fine soldiers lost because of this stupidity.
    Reply to this
  • 12/16/2008 5:14 PM Michael Druckenmiller wrote:
    I had a thought that this might be the case...

    The word is Complicity...

    Unless you're a "spook". Then it's called intelligence gathering.

    Again, except for the very big hole that Media Player grants all removable media, especially on the USB Bus...

    Still, turning off AutoPlay/Autorun for all drives might have, should have, stopped a "standard" Autorun/Autoplay "bug".

    The fact that neither Symantec or McAfee have come to their senses and included both Rootkit Detection and USB Firewalling in their AV apps is insane!

    I know that even an old app like Sygate Personal Firewall had to be very carefully tweaked to get Active Sync to work at home with my PDA.

    So, I know the technology and knowledge exists...

    So... We are left with Heartbreak, Grief and Death...

    BTW, if I wanted to do this intentionally just getting rid of USB access wouldn't be enough.

    Sneaker Net lives and the troops will always find a way to get their apps and Data to and from a system...

    I have too many off Network Lab Systems to not have some form of Sneaker Net.

    But, I have always been very proactive with my non-network systems because I can, so I do.

    The education and involvement of the end user remains the "nail" that allows the shoe to be thrown and the battle lost....

    Mike Sr.
    Reply to this
  • 1/18/2009 5:59 AM Mike Druckenmiller wrote:
    Two Things.

    1. Can someone please provide me with a Link or a search Phrase to locate additional information of the differences in vulnerabilities between a USB Flash drive and an External USB Hard Drive?

    2. Has anyone found out how to completely disable the "Sync" Function in Windows Media that allows it to remain aware of Media Changes and attempt to Sync even when AutoPlay has been successfully disabled for all drives?

    Discussion:
    I know that Windows mounts an External USB Hard drive as a "permanent" drive and mounts "most" USB Flash drives as "removable".

    I suspect that some AV software doesn't handle them the same resulting in increased vulnerabilities for USB "removable" toys?

    I also suspect that the Windows "awareness" and application handshaking that allows Windows Media to attempt to Sync a drive is also at the core of the vulnerabilities for such media?

    So far I have not found any way to make *all* Media Change Events "manual".

    Could just remove Windows Media...

    But, that wouldn't eliminate the flaw in the OS that makes it work!

    Thanks,

    Mike Sr.
    Reply to this
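The mitigation that Mike and Michael Druckenmiller keep returning to in the comments above (turning off AutoPlay/AutoRun for all drives, the setting gpedit.msc exposes as "Turn off Autoplay" for "All drives") can be audited and enforced directly from the registry values that policy writes. This is an added example written for this page, not code from the post or any commenter; it assumes the documented policy location `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, the value `NoDriveTypeAutoRun` (0xFF disables AutoRun for every drive type), and `HonorAutorunSetting`, the value Microsoft's later update KB967715 added so that the setting is honored for non-optical media such as USB drives.

```powershell
# Added example (not from the post or its commenters): audit the "turn off
# AutoPlay for all drives" policy and, with -Remediate, enforce it.
# NoDriveTypeAutoRun = 0xFF  -> AutoRun disabled for all drive types.
# HonorAutorunSetting = 1    -> value introduced by KB967715 so the setting
#                               is honored for USB and other non-optical media.
# Caveat the commenters raise themselves: this closes the autorun.inf vector
# only; it does not stop Windows Media Player sync or a user launching a file.
[CmdletBinding()]
param([switch]$Remediate)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Expected  = @{ NoDriveTypeAutoRun = 0xFF; HonorAutorunSetting = 1 }

function Get-AutorunPolicyState {
    # One object per expected value: what is set now and whether it matches.
    foreach ($name in $Expected.Keys) {
        $current = $null
        if (Test-Path $PolicyKey) {
            $props   = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
            $current = if ($props) { $props.$name } else { $null }
        }
        [pscustomobject]@{
            Value     = $name
            Expected  = ('0x{0:X}' -f $Expected[$name])
            Current   = if ($null -ne $current) { '0x{0:X}' -f $current } else { '(not set)' }
            Compliant = ($current -eq $Expected[$name])
        }
    }
}

function Set-AutorunPolicy {
    # Writes the expected DWORD values; needs an elevated shell. On a domain
    # member a GPO that sets the same policy will overwrite local edits.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$state = Get-AutorunPolicyState
$state | Format-Table -AutoSize
if ($Remediate -and ($state | Where-Object { -not $_.Compliant })) {
    Set-AutorunPolicy
    Write-Host 'Policy values written; re-auditing:'
    Get-AutorunPolicyState | Format-Table -AutoSize
}
```

Run without `-Remediate` to audit a machine; the same two values are what the Group Policy setting writes, so a compliant host shows `Compliant` as True for both rows.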