Malware, Security Strategy, Plan, Budget

Trojan may have contributed to fatal 2008 Madrid air crash

An investigation into the 2008 crash of Spanair Flight 5022, which killed 154 people, has revealed that a trojan-infected system may have contributed to the fatal accident, according to a report in the Spanish daily newspaper El Pais.

An internal Spanair report indicated that a central computer system used to monitor problems in the aircraft was infected with malware, according to El Pais. The infected computer system, which was located at the airline's headquarters in Palma de Mallorca, failed to detect several technical problems with the airplane. Had the issues been identified, the plane should not have been able to take off, the newspaper states.

The flight, destined for the Canary Islands, crashed on Aug. 20, 2008 after takeoff from Madrid Barajas International Airport in Spain. Of the 172 people onboard, 154 died, including the six crew members.

The malware could have made its way onto the airline's diagnostic computer from an infected portable media device, such as a CD or USB drive, Rick Wanner, handler at the SANS Internet Storm Center, told in an email Monday.

It is important to note, though, that the malware did not cause the plane to crash, Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Friday.

The malware, however, could have caused Spanair's central computer system to fail, Wanner said.

“I don't have the expertise in airline operations…but my guess is that the malware didn't prevent the information from being communicated from the plane, but that the malware was consuming so many resources on the computer that it delayed the ability of the computer to process the information in a timely manner,” Wanner said.

A preliminary investigation of the accident, released in August 2009 by the U.S. National Transportation Safety Board, states that the probable cause of the crash was the flight crew's failure to ensure that the plane's flaps and slats were extended for takeoff.

Contributing to the accident was the absence of electrical power to the airplane's takeoff warning system, which did not warn the flight crew that the airplane was not configured properly for takeoff, the report states. The reason for the absence of electrical power could not be determined.

The incident should highlight the importance of ensuring that control systems used to prevent, detect and correct issues are operating correctly, Wanner wrote in a blog post Sunday.

“In information security, the stakes are rarely so high as human lives, but failures in controls often lead to unexpected consequences,” Wanner wrote. “A misconfigured firewall rule allowing more permissive access to systems, a false negative in an IDS [intrusion detection system] or IPS [intrusion prevention system], a user violating policy by plugging in a personal USB stick, etc. The moral of the story is: Don't take your control systems and processes for granted. Audit and test them regularly.”

A judge has ordered Spanair to provide all computer logs from the days before and after the crash. The final report from crash investigators is due in December.

Meanwhile, mobile media infections are common and will continue to surface as long as unverified external media are permitted into control systems, Wanner said. In 2008, for example, a virus made its way onto laptop computers used at the international space station due to an infected removable media device.

And just last month, control systems manufacturer Siemens warned customers that the Stuxnet malware was spreading via infected USB devices to penetrate industrial control systems.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.