The Ministry of Health was last week preparing to claim victory after a virulent, 15-day infection of its computer systems.
The ministry has been badly affected by the W32.Downadup worm, also known as Conficker, which attacked its PCs and network for the first half of January.
“It’s particularly smart malware with a number of different vectors,” says Alan Hesketh, deputy director general of the information directorate.
A variant of Downadup A, named Downadup B, was discovered by security firm Symantec on December 30. It typically attacks computer systems through infected USB sticks.
Computerworld has been told this is the likely source of Health’s problem, though Hesketh says there are a number of different vectors and that it is not clear how the worm got in.
“It’s likely we were infected during December and that this version was activated in January,” he says. “We detected it when we returned to work.”
He says the worm communicates with the internet and generates a series of domain names each day. “It’s likely to bring down a payload from those web sites and bring down new variants.”
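The daily domain generation Hesketh describes is what network defenders key on: a machine that resolves a burst of random-looking domains it has never asked for before stands out in DNS logs. The following Python script is an added example, not code from the article, the Ministry, Symantec or BitDefender, and it does not reproduce Conficker's real generation algorithm or any of its real domains. The log line format, the thresholds and the sample log lines are all constructed for the example.

```python
"""Heuristic detection of algorithmically generated domains (DGA) in DNS query logs.

Added example. Conficker's actual domain algorithm is not reproduced here; the
log format ("<timestamp> <client> <queried domain>"), the sample lines and the
scoring thresholds are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed sample DNS resolver log: client .22 shows a DGA-style burst,
# client .23 only resolves ordinary names. Domains are placeholders.
SAMPLE_DNS_LOG = """\
2009-01-08T09:12:01 10.1.4.22 intranet.ministry.example
2009-01-08T09:12:03 10.1.4.22 update.microsoft.com
2009-01-08T09:12:05 10.1.4.22 qwzxkvprtmdh.com
2009-01-08T09:12:05 10.1.4.22 bfkqrlvzsnt.biz
2009-01-08T09:12:06 10.1.4.22 xkjdqwvmzp.info
2009-01-08T09:12:07 10.1.4.22 ghtrpvkxlzmw.net
2009-01-08T09:12:09 10.1.4.23 intranet.ministry.example
2009-01-08T09:12:10 10.1.4.23 mail.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<domain>\S+)$")
VOWELS = set("aeiouy")  # 'y' counted as a vowel to reduce false positives on real words
CONSONANT_RUN_RE = re.compile(r"[^aeiouy\W\d_]+")


def registrable_label(domain):
    """Return the label just left of the TLD, e.g. 'qwzxkvprtmdh' for 'qwzxkvprtmdh.com'.
    Simplification: no public-suffix list, so 'x.co.uk' would yield 'co'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Cheap lexical features that separate random strings from dictionary-like names."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = max((len(m) for m in CONSONANT_RUN_RE.findall(label)), default=0)
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "length": len(label),
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": longest_run,
        "digit_ratio": digit_ratio,
    }


def is_suspicious(domain):
    """Assumed thresholds: few vowels, long consonant runs or many digits in a longish label."""
    f = label_features(registrable_label(domain))
    if f["length"] < 7:
        return False  # short labels carry too little signal to judge alone
    return (
        f["vowel_ratio"] < 0.2
        or f["longest_consonant_run"] >= 5
        or f["digit_ratio"] > 0.3
    )


def parse_dns_log(text):
    """Yield (timestamp, client, domain) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("client"), m.group("domain")


def flag_dga_queries(text):
    """Return (client, domain) pairs whose domain looks algorithmically generated."""
    return [(client, domain) for _, client, domain in parse_dns_log(text) if is_suspicious(domain)]


def clients_over_threshold(text, min_hits=3):
    """Clients with at least min_hits suspicious lookups: the burst, not a single
    odd name, is the signal worth an analyst's time."""
    counts = Counter(client for client, _ in flag_dga_queries(text))
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for client, domain in flag_dga_queries(SAMPLE_DNS_LOG):
        print("suspicious lookup", client, domain)
    print("clients to triage:", clients_over_threshold(SAMPLE_DNS_LOG))
```

Per-domain lexical scoring alone produces false positives on legitimate names with few vowels, which is why the script reports the per-client count rather than individual domains; in a real deployment the threshold is tuned against a baseline of normal resolver traffic, and a client that fails the check is a candidate for isolation and scanning rather than proof of infection.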
As Computerworld went to press, security company BitDefender declared Downadup B “extremely dangerous”. The new version, the company says, is now capable of: propagating itself via USB drives, executing automatically if the USB autorun feature is enabled; blocking access to security-related websites on the infected machine by filtering every address that contains security-related strings; removing the infected machine’s user access rights except read and execute, safeguarding itself and preventing infected files from being removed; and disabling Windows updates and certain network traffic to avoid being automatically patched.
The Ministry’s 2,000 PCs were affected. Hesketh said last week the final 80 of these should be confirmed as clean on Thursday January 15. That’s a good 15 days the worm has played havoc with the Ministry’s systems. [Note: Computerworld heard after our print deadline that the ministry was still offline on Friday, 16 January]
“We’ve been using a number of different anti-virus vendors,” Hesketh says. “No one particular vendor has given one answer. It’s a combination.”
He wouldn’t name the vendors, though Computerworld has been told a team from Symantec was called in, along with Microsoft. The worm attacks the Microsoft operating system, particularly older systems from XP backward.
All 12 Ministry locations across the country were affected, but Hesketh says the worm didn’t get out to other health-related sites.
“We cut off the internet last Thursday [January 8] so it couldn’t get out. It’s not spread via email and our external email was up the whole time.
“We do four malware scans before we send anything out.”
The Proclaim system, which handles payments to district health boards among others, was infected but, as a precautionary measure, was taken down on several occasions.
Hesketh says all payments were made within normal service levels. “We were very carefully balancing things.”
The cost of the attack was mostly around the slowed-down PCs and slowed network and the labour involved to find a fix. Hesketh says a number of the security vendors called in were covered by maintenance agreements.
“We’re not talking huge amounts of money.
“I want to stress that there was no impact on health services.”
When asked whether any other government departments had been hit, he couldn’t confirm that. “I don’t comment on rumours.
“It’s a great way to start the New Year!”