Agent.btz – The Enemy May Be Us

On November 28, the Los Angeles Times reported on a “Cyber-Attack” on Defense Department networks caused by a virus named, Agent.btz. The Los Angeles Times story indicated that the attackers were possibly from Russia or China.

It might turn out that the culprits are a bit closer to home than Russia or China.  This malware has been around in one form or another for several years, and is not “designed specifically to target military networks.

Agent.btz is a form of the SILLY.FDC which has been around since at least 2007. Agent.btz has the capacity to carry a payload and can execute commands upon infecting a computer.

Did this come from the Russians or the Chinese?

Maybe.

However, consider this possibility – with thousands of military and civilian personnel walking around with thumb drives around their necks, and with CD’s and other memory sticks freely available to stick into networked computers, it just might turn out that the enemy is us and our lax network security practices.

A good number of corporate computer virus infections arise from employees bringing games, software, CD’s and other infected software to work and injecting virus infections into the network. There’s no reason why the same wouldn’t be true for military networks.

The below is from the Symantec Forum for viruses:

There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:

•    Ensure that antivirus software is up to date.
•    Disable AutoRun functionality for removable media, which should be possible using endpoint security systems. For personal computers, there are many detailed tutorials on how to disable AutoRun. Also, holding down the SHIFT key while inserting a USB flash drive can temporarily disable AutoRun.
•    If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized.
•    User education should be a priority to educate network users about these threats.”
This indicates that Symantec is detecting and removing the infection and its variants…plus provides what is needed to prevent it in the first place.
shield_001

Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: