Malware connecting to servers hosted in Russia has been found on laptops provided to schools. The malware was found when laptops provided by the Department for Education (DfE) arrived at a Bradford school. The problem, first reported by the BBC, raises concerns over failures in the supply chain.
The malware involved, Gamarue has been around for almost a decade. It is often installed on machines by an exploit kit via an infected email or through a file on an infected USB drive. It can also infect other computers on the same network. As such, the infection here raises significant questions as to at what point were the laptops infected. Was it at the company Geo who makes the laptops, at the schools that received the laptops or somewhere in between?
What is Gamarue?
Gamarue, called Win32/Gamarue by Microsoft, was seen as far back as 2012. There have been several versions of the software over the years. Each has come with a new technique and approach. The version detected here is Gamarue.L, capable of spreading from one computer to another across a network. It means that once an infected computer is attached to a network, Gamarue.L will spread itself to other computers.
Once introduced to a computer, the malware starts by disabling local security software. It then downloads other software from the Internet, depending on the campaign those controlling it are running. Of particular concern is that it changes the local registry on the Windows machine. It sets the malicious programs it installs to load when the computer starts. It also gives those programs elevated permissions which means they can access data, connect to the Internet, steal passwords and spy on the user.
How did the malware get onto the computers?
As already mentioned, the initial infection can come in many different ways and from several points in the supply chain. That will make tracking this infection down especially hard. Ideally, the investigation will discover the first machine to be infected, but that is a long shot. So what are the infection routes?
Manufacturer: This is the least likely because manufacturers use a standard image installed onto all devices. That means a large number of machines would have been infected.
Refurbisher: Like manufacturers, they have processes to clean and reset machines using master images. Given the low number of laptops, it is also unlikely to be an organisation with experience of refurbishing laptops. However, someone cutting corners could have just passed the laptops on without checking them.
An infected company: It is possible that these laptops came from a company who didn’t know it was infected. They might have bypassed the refurbishment channel altogether.
Deliberate infection: Malware as a Service sites pay people based on the number of machines they can infect. Therefore, one can’t discount the deliberate infection of machines. This could be related to a malicious employee at a refurbisher who installed the malware after the machines were cleaned.
School network: Early reports suggest that laptops sent to more than one school are infected. According to a Department for Education spokesperson: “We have been investigating an issue with malware that was found on a small number of the laptops provided to schools as part of our Get Help With Technology programme. In all known cases, the malware was detected and removed at the point schools first turned the devices on.”
Unsurprisingly, the story has drawn many comments from the IT industry. Many in the security community believe that the problem is more to do with a failure to properly prepare the laptops. Given the controls that Microsoft and others have in place for refurbishers and the small number of infected machines, this increasingly looks like a donation from an already infected source.
Oliver Cronk, Chief IT Architect, EMEA at Tanium, commented: “It’s unclear if all of the devices had been previously used. Nevertheless, we know that they have either not been reimaged properly, or that they didn’t have up-to-date and adequate anti-malware software installed when they were handed out.”
According to George Glass, head of threat intelligence at UK cybersecurity business, Redscan: “The fact that these devices were not checked and scrubbed before being sent to vulnerable children is a concern. The Gamarue worm is not a new malware strain, it was first discovered in 2011 and is just one example of hundreds of such threats that may reside on old, unchecked devices.”
ET also spoke with Glass who commented: “The onus is on the people during the refurbishment and supply to the children to make sure that those are secure and safe devices.” Glass continued: “Gamarue can put up some pretty nasty pop up ads and things like that, that you definitely do not want children to see. Maybe there’s nothing really worth stealing from a child’s computer, but it’s the things that it could potentially expose them to, which is the main worry.”
Enterprise Times: What does this mean?
Infecting devices in the supply chain is a big win for cybercriminals. There have been numerous instances of this happening with mobiles. However, it far less common with laptops and desktops as manufacturers take a lot of care to protect master images. The same is true of refurbishers who also have processes for resetting laptops.
This seems like an isolated instance of a few laptops that were donated and not cleaned properly. However, until all other laptops from the same source are traced, the source and the spread of the infection are hard to establish. What is needed now is for all schools to go through a full scanning process of their networks and laptops to detect any signs of Gamarue. It will not be easy, and given the pressure on education, it is unlikely to be exhaustive.
What is important about the DfE statement is that the schools detected the Gamarue infection. Just turning the machines on would not be enough, so it is likely that the schools were updating. This may well have included installing and updating security software which is why the infection was discovered.
This case should not prevent companies, charities, and individuals from donating laptops. Such an action would do more harm than good, especially for the underprivileged families that this is expected to help. The DfE needs to establish better processes to ensure that all its refurbishers have quality checked and reviewed processes. It also needs to make sure all laptops go through that route.