Virus infects killer US air drone fleet

Computers controlling the US Air Force's killer Predator and Reaper drones have been infected by a key-logging virus, according to a mole who spoke to Wired. And the malware is not going away despite serious efforts to nuke it. The remote-controlled bomb planes have flown in missions since the discovery of the virus two weeks …


This topic is closed for new posts.


  1. Rameses Niblick the Third (KKWWMT) Silver badge

    "It is believed that the malware won't be able to transmit the information it collects beyond the classified military network hosting the equipment; the network is insulated from the public internet."

    This isn't some two-bit home network NAS we're talking about here ffs! How can they be so relaxed about it? It got in to an isolated (allegedly) network, until you can PROVE otherwise, you have to assume it can get out, not go, "well, we'll probably be ok, so bollocks to it".

    What if it got there via an infected USB stick? Is it plausible to think that maybe the stick captures info from the virus the next time it's attached to the network?

  2. Solly

    They should hook it up to the advanced AI of Skynet, it's been alleged that it should be able to squash the virus in seconds.....

  3. Andrew 25

    Sir, I owe you a beer

  4. Anonymous Coward

    You have it wrong, it *is* Skynet

  5. Scorchio!!


    "You have it wrong, it *is* Skynet"

    Not to be over pedantic, but Skynet is a British/MoD system, used since 1969:

    Just like the cracking the Enigma, America did not have the idea first...

  6. Anonymous Coward

    Looks like they have still not wised up

    to the threat that Windows brings to critical systems

  7. ShelLuser


    Windows? The only threat I see here are people presumably thinking that "the computers" will keep them safe and thus assume they can stop thinking for themselves.

  8. Beachrider

    So control-B is 'Bomb'?

    I heard about this in the US press last week. I saw some analysis that showed a strict ACL-set firewall that controlled access to the drone-managing subnet. I would have expected that. We do that with our Intensive Care ward for patients. I certainly hope that they do it with their most sensitive areas, too.

    If it is as the analysis (and common sense) dictates, then the firewall should insulate the key machines.

  9. Inachu

    Firewalls can not stop everything.

    Try sneaker net onto a non networked pc.

  10. Arkasha


    I'd hope by "isolated" they mean no physical connection, otherwise all bets are off. One slip on the firewall and it'll get out.

  11. Daniel B.


    I assume they're talking about SIPRNet. If that's the case, then yes, it is completely separated from the "public" internet.

    Then again, Manning was able to get stuff out of there via "sneakernet".

  12. Fatman

    RE: So control-B is 'Bomb'?

    No, I thought that action was accomplished through the use of the "Destroy" key (aka "Delete").

    Ah, yes, WindoZE for reconnaissance aircraft, (ad tag line: "Where do we want to crash today?") or,

    WindoZE for drones (ad tag line: "Who do we nuke today?")

    Perhaps the reason they are using WindoZE is because the vendor modded M$ Flight Simulator into a control system for those drones.

  13. K. Adams

    “We keep wiping it off, and it keeps coming back..."

    Seems to me they're looking in the wrong place, then.

    It could be that the malware had the capability to attach itself to the system firmware via a BIOS (or EFI) flash operation. Case in point: Trojan.Mebromi, which was recently discovered running around China:

    The Register: Malware burrows deep into computer BIOS to escape AV

    Personally, I've always thought that PCs, laptops, servers, and other BIOS/EFI-based devices should come with a "flash inhibit" switch or jumper that disables BIOS/EFI updates at the hardware level. Granted, this is something that Joe Average Non-Techie User would likely never use, but it could be a boon for system admins and technicians trying to secure company assets...

  14. ratfox Silver badge


    Is this the best that the US can do? "We have viruses on our top-notch weapons and we can't get rid of them"?

    I assume they have been cutting corners on security measures in the rush to bring drones to combat, but still...

  15. Anonymous Coward

    Yeah, well I guess their government contractors cut corners by either offshoring the work or on shoring the employees. :-)

  16. Anonymous Coward

    They don't operate on "Windows" so this was tailer made. They can't possibly know what this thing does. Hell, the "users" have to log in to operate it, so there's the authentication. Obviously someone has the software because they were able to write the virus.

    So I can see it now, someone logs in with correct credentials, takes over, does whatever they want remotely.

    Wasn't this drone or something like it reported as sending video unencrypted not too long ago?

  17. slooth

    What do you mean they 'don't operate on Windows' ? Their host based detection system found at ( is reported to have "Numerous program enhancements and a new baseline on the Windows Server 2008 R2 platform are now available". Also strange how the worms affecting their networks are all related to:

    • %windir%\system32\muxbde40.dll

    • %windir%\system32\winview.ocx

    • %temp%\6D73776D706461742E746C62FA.tmp

    • %windir%\system32\mswmpdat.tlb

    This can be found at

    Now, in my world, if that is not Windows then I have no hope in hell of being safe
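The four paths quoted in the post above are the kind of indicator a defender would sweep a fleet of control hosts for. The following script is an added example (not from the post or from any DoD tooling): it expands the `%windir%`/`%temp%` placeholders against an assumed environment, normalises Windows paths for case-insensitive comparison, and reports which indicators appear in a file listing. The listing and environment values are constructed for the example.

```python
import ntpath
import re

# Indicators exactly as quoted in the post above. These are the only
# indicators this example knows about; nothing else is implied.
INDICATORS = [
    r"%windir%\system32\muxbde40.dll",
    r"%windir%\system32\winview.ocx",
    r"%temp%\6D73776D706461742E746C62FA.tmp",
    r"%windir%\system32\mswmpdat.tlb",
]

# Assumed environment of the host being checked (constructed values; a real
# inventory tool would read these from the host's own environment).
ENV = {"windir": r"C:\Windows", "temp": r"C:\Users\op\AppData\Local\Temp"}

_PLACEHOLDER = re.compile(r"%([A-Za-z_]+)%")


def expand(path, env=ENV):
    """Replace %name% placeholders with values from env (names are case-insensitive)."""
    lower_env = {k.lower(): v for k, v in env.items()}

    def sub(match):
        name = match.group(1).lower()
        if name not in lower_env:
            raise KeyError(f"no value for placeholder %{match.group(1)}%")
        return lower_env[name]

    return _PLACEHOLDER.sub(sub, path)


def normalise(path):
    """Windows paths are case-insensitive: compare on a normalised, lower-cased form."""
    return ntpath.normpath(path).replace("/", "\\").lower()


def match_indicators(listing, indicators=INDICATORS, env=ENV):
    """Return the indicators (as written) that are present in a file listing.

    listing: iterable of full file paths as they appear on the host.
    Only exact path matches count; a same-named file elsewhere is not a hit.
    """
    wanted = {normalise(expand(ind, env)): ind for ind in indicators}
    seen = {normalise(p) for p in listing}
    return sorted(ind for norm, ind in wanted.items() if norm in seen)


# Constructed listing: two real hits (one in a different letter case), one
# near miss with a .bak suffix, and one same-named file in the wrong directory.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\MUXBDE40.DLL",
    r"C:\Users\op\AppData\Local\Temp\6D73776D706461742E746C62FA.tmp",
    r"C:\Windows\System32\mswmpdat.tlb.bak",
    r"D:\media\winview.ocx",
]

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LISTING):
        print("indicator present:", hit)
```

Because the comparison is on normalised full paths, a file with the same name in another directory (the `D:\media\winview.ocx` entry) is not reported, and a renamed copy (`mswmpdat.tlb.bak`) is not either; both are deliberate, since a sweep for a fixed path should not generate noise from coincidental names.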

  18. Goat Jam

    Who is this "tailer" person

    and why has he not been arrested yet?

  19. Scorchio!!

    "Wasn't this drone or something like it reported as sending video unencrypted not too long ago?"

    ISTR the Talibs could snoop on the drones. Can't find the reference now, but I have it somewhere.

    Perhaps this is Iran, practising for its day of revenge for Natanz.

  20. Miek

    Maybe they meant "Trailer Person"

  21. Anonymous Coward

    I heard that on NPR yesterday... that the drones were rushed into combat in 2001-02, video encryption was left out, and Iraqi insurgents have been intercepting it for years.

  22. Anonymous Coward

    Hang on

    Equipment that is being used to direct lethal force is being operated while it is known to be infected with malware? What on earth are they playing at? Who decided it was OK? And are they prepared to carry the can if something untoward happens as a result?

  23. Dan 10

    Upvote from me - but in the eventuality that a Predator, say, drops something that goes bang on allied forces in Afghanistan, it will simply be reported as 'insurgents with an RPG'...

  24. Captain Scarlet Silver badge

    We don't know

    Get someone who knows what they are doing and flame the virus.

  25. Inachu


    Demand that those computers connecting to the drone are built using computers not allowed on network or remove the nic card or build computers without any nic cards in them and do not use any USB thumb drives. Burn programs onto DVD.

    Use a computer with no hard drive that boots from DVD(WIN PE)

    That PC can have 2 DVD drives. Let DVD drive 1 scan and confirm the DVD in drive 2 is clean, then allow programs onto computers that directly communicate with the drones.

    Of course now you must flash wipe the drones that are infected.

    Then once the above is done and any future infection happens then put those troopers in jail for not following directions and mark them as foreign agents and remove their US CITIZENSHIP.
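The post above wants removable media checked before anything on it reaches a control host. An allowlist approach fits that better than a scan: hash every file on the media and compare against a manifest produced from the known-good master. This is an added example, not the poster's procedure; it substitutes a SHA-256 manifest for the "scan" step and uses temporary directories with constructed files in place of real DVDs.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large media images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_media(root, manifest):
    """Compare a media tree to a trusted manifest.

    Returns (ok, problems). Any file missing, altered, or not in the manifest
    is a problem: unexpected extra files matter as much as modified ones.
    """
    actual = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return (not problems, sorted(problems))


def _write_tree(root, files):
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Constructed scenario: a golden master, a faithful copy, and a tampered copy.

    Returns (clean_copy_ok, tampered_copy_problems).
    """
    golden_files = {
        "app/control.exe": b"control v1",
        "app/config.ini": b"[link]\nrate=1\n",
    }
    with tempfile.TemporaryDirectory() as golden, \
            tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as tampered:
        _write_tree(golden, golden_files)
        manifest = build_manifest(golden)

        _write_tree(clean, golden_files)
        clean_ok, _ = verify_media(clean, manifest)

        tampered_files = dict(golden_files)
        tampered_files["app/config.ini"] = b"[link]\nrate=9\n"   # altered
        tampered_files["autorun.inf"] = b"[autorun]\n"           # extra file
        _write_tree(tampered, tampered_files)
        _, problems = verify_media(tampered, manifest)
    return clean_ok, problems


if __name__ == "__main__":
    ok, problems = demo()
    print("clean copy accepted:", ok)
    print("tampered copy problems:", problems)
```

The manifest itself has to travel separately from the media it describes (or be signed), otherwise whoever alters the disc can regenerate it; the code above assumes the manifest comes from the master and not from the disc under test.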

  26. dylan 4

    "not allowed on network"?

    If the computers aren't allowed a network connection, how exactly are they supposed to control the drones? Very long wires?

  27. Anonymous Coward

    Can't you read? It's not the drones. They are not affected. Only the machines that control the drones appear to have some sort of key logger.

    Note that these systems don't appear to be attached to anything external.

    It's quite possible that they picked up the bug from some hardware and that it's the virus acting normally. Meaning that the virus wasn't targeting the US systems per se but any machine, corporate or home.

    So while *this virus* is *trapped* on their systems, what does that mean for the rest of us?

  28. Goat Jam

    "using computers not allowed on network or remove the nic card"

    erm, how do the computers then communicate with the drones?

  29. Martin Usher

    Please don't tell me that the command and control for those things is running Windows!

    I can see it now "Microsoft XP for Death".....

  30. Michael Dunn

    BSOD has a really new meaning!

  31. stupid-frakking-handle

    All may not be as it seems

    Apparently there is a possibility that the logger has been deliberately installed by the US government, presumably on a need to know basis with the local admins left out of the loop...

  32. Anonymous Coward


    That's the problem with unofficial anonymous guys talking to the press. You don't know who they are, what rank they hold, if they are privy to all the information, or just some junior who is kacking himself silly because he doesn't have all the facts. Of course, sometimes what they say is true; there is just no way to tell.

  33. Bill Cumming

    From other sources..

    Can't find the link at the moment but there was a report that the "Virus" / "Key Logger" is actually part of a Department of Defence Security Package installed in some DoD machines.

    It was just not supposed to be in the UAV Control machines, but when equipment was shared between internal departments in cost cutting exorcise, it spread.

  34. Anonymous Coward

    It was just not supposed to be in the UAV Control machines, but when equipment was shared between internal departments in cost cutting exorcise, it spread.

    Ghost in the machine?

  35. Miek

    It does sound like some form of Exorcism is required

  36. Inachu

    LOL If that was true!

    Hey boss we need to add the entire fleet of drones to the domain so the auto logon scripts can do their magic!


  37. Anonymous Coward

    "Windows NT was designed to be administered by an idiot and usually is..."

    This sort of console is usually dedicated to showing the application and nothing else. You don't need icons or desktop environments for that. All you need is a system scriptable enough to boot the app and restart it should it crap out. Then why run something that can catch such a wide variety of malware offering itself to every host on the public internet with regularity?

    Probably the same reason they run too many ATMs on the same sort of vulnerable system. The lowest bidder did it. How's that for an epitaph?

  38. Anonymous Coward


    ATMs run on Windows because it works; if it didn't the banks would run something else. In fact, they used to run OS/2, then when a new OS was needed because OS/2 went out of support the OS adopted was Win NT, because it does the job and does it well. It doesn't phone home if you don't want it to and appropriately installed on a secured network it's just fine. If it wasn't the banks would be losing money through ATMs and you know that they wouldn't tolerate that. What would you rather? Your bank runs its ATMs on Solaris or Red Hat and you incur the extra costs for licensing? (Oh, and yes, Red Hat does cost as much, if not more, to license than Windows.)

  39. Anonymous Coward

    Yes they do

    And that's why I've been ever more wary about ATMs in general. At least the OS/2 ones were trustworthy; now I fear for the Windows brethren of those. Especially considering how I know they run Windows .... the "ATM" app crashed, leaving the woman in front of me in shock as she watched a Windows NT desktop on the screen.

    Then that other one showing some app error message ... which mentioned some kind of spyware/malware.

  40. Chemist

    "What would you rather? Your bank runs its ATMs on Solaris or Red Hat"

    ANY time, absolutely any time

  41. Sarev

    Check the Chinese hard drive firmware, anyone?

  42. Tubby21288

    Does anyone else have the concern that if the US military is having issues with this thing then common end user machines will have one hell of a battle on their hands? I have faith in my home security, however this is worrying, especially if it's some kind of super bug.

  43. Anonymous Coward

    Windows Everywhere!


  44. ShelLuser

    Darn kids...

    I mean, how easy is it to detect the origin of this? VERY easy.

    Just wait for some spam to appear which starts to advertise "Viagra delivery by air, no matter where you are on the globe!".

  45. Anonymous Coward

    Subcontractor originated?

    I know of at least a couple of DoD prime contractors who have made use of keyloggers on their internal machines, for "security purposes". Since at least one component in this system makes use of Windows, it's very plausible that an infection could have come from a laptop or other piece of sub-contractor gear.

  46. Alan Brown Silver badge

    Isolated, firewalled....

    ... but it didn't stop Bradley Manning, did it?

  47. Scorchio!!

    Re: Isolated, firewalled....

    "... but it didn't stop Bradley Manning, did it?"

    Yeah, but he only had to copy down the passwords that users kindly left scribbled on post it notes. On the frames of their monitors. How /embarrassing/.

  48. Miek

    Windows + Military Computers == MAJOR FAIL

  49. defiler Silver badge

    Didn't you hear?

    Major Fail retired. His duties are now carried out by General Protection Fault.


  50. melts

    go go windows for weapons 3.11

    hard to tell if it's something that's supposed to be there or not, but you'd expect the maintainers to have some idea, surely it would be an action against a direct order to remove software that mr 3 star general said had to be installed..

    i just laugh thinking that they are sure it's not phoning home yet don't know where it's coming from.

    'we don't know where you came from but you're surely not phoning back to that unknown place'

    on second thought it sounds terrible and scary, hopefully it doesn't escalate.



Biting the hand that feeds IT © 1998–2018