German ministry replaced brand new PCs infected with Conficker worm, rather than disinfect them

Filed Under: Featured, Malware

Computer equipment in bin. Image from ShutterstockIf your computers become infected by malware, do you simply chuck them on the garbage heap and buy a new one?

I hope your answer would be no. After all, most malware infections can either be removed by decent anti-virus tools, or infected drives can be wiped clean and restored from a recent backup.

There really should be no need to dump the hardware entirely.

And yet, it has come to light that after computers at German teacher training institutes in Schwerin, Rostock and Greifswald became infected with the notorious Conficker worm in September 2010, 170 of them were disposed of and replaced with new equipment at the taxpayers' expense.

In all, the replacement of the infected computers (some of which were considered brand new), and subsequent restoration of data, cost 187,300 Euros.

The vast bulk of the cost was not spent resinstalling the hard drive images, but on purchasing new PCs. Ouch! I just hope that they securely wiped the computers they were chucking away.

German report

An official report has revealed that the affected organisations did not have an up-to-date IT security policy, and that the the teacher training insitutes were not following it anyway.

More details are revealed on page 154 of a report [PDF] by auditors at the State of Mecklenburg Vorpommern.

German report

According to the report, "it remains unclear if the anti-virus product had some issues, or if the outbreak was caused by technical or human failure".

Just one employee at the Ministry of Education in Schwerin, Germany, was dealing with the Conficker outbreak, and there was heavy reliance upon external companies to backup and restore data, and install software on the new computers.

In my opinion, it seems likely that a decent anti-virus and backup protocol could have reduced the chances of German taxpayers being stung with this unnecessary bill.

After all, there are numerous free anti-virus tools available which can disinfect the Conficker malware, and even if there were difficulties their friendly anti-virus vendor (if they were using a product at all) would surely have assisted.

Thanks to SophosLabs expert Dirk Kollberg for his assistance with this article.

Image of Computer equipment in bin courtesy of Shutterstock.

, , ,

You might like

17 Responses to German ministry replaced brand new PCs infected with Conficker worm, rather than disinfect them

  1. Paul Ducklin · 488 days ago

    Hmmm. Because of the intense media interest in Conficker, it's probably one of the best understood and most broadly analysed viruses of recent times. And as far as anyone has found, there's no reason why you would forever distrust a PC that had been infected and cleaned.

    The amusing thing in this story (if wasting some $200,000 of taxpayers' money can ever be amusing) is that if there really were concerns about whether the security policy was any good, or whether it was likely to be correctly followed anyway, then disposing of the computers would surely be the last thing you'd want to to, for fear of data leakage.

    As you point out in the article, if you can't trust yourself to clean Conficker off a PC, do you trust yourself to clean *everything* from the hard drive before you dump it?

  2. gmd · 488 days ago

    Is it a case of budgetary insanity? I have been in UK universities where there was the budget to upgrade machines but none left for the software and maintenance and money could not be transferred between budget holders. So the solution of purchasing new machines was perfectly logical within the budgetary restrictions!:-(

  3. Nigel · 488 days ago

    And what guarantee was there that the expensive new computers would not suffer the same fate?

    I thought the British Civil Service was wasteful, but this gives us a whole new perspective.

  4. Mick A · 488 days ago

    This sort of crass stupidity is the result of other crass stupidities; such as not employing a competent team of security professionals to 'save money'?! Good old EU... Are we still in it?

  5. witchsue · 488 days ago

    I do hope those computers were donated to some group that could clean them and donate them to people who could not afford one. Honestly some people have more money than sense, But who ever heard of any government having common sense?

  6. Larry M · 488 days ago

    Not really good shoppers either, are they? 170 computers for $187,000? That's over $1000 per computer. They ought to be able to get destops for 1/5 of that price, considering the effects of quantity and government pricing, and laptops for 1/3 of that price.

    Just like the US: "It's only the taxpayers' money. Go ahead and spend it."

  7. MikeP_UK · 488 days ago

    If they were that worried, why did they not just change the hard disks? Much cheaper anyway and means all infection has gone (unless the BIOS has been targeted, which is extremely unlikely).
    This is a typical effect of 'bean counters' affecting operational integrity and how poorly informed some people are, in education this time - which doesn't surprise me but is a worrying trend. What's taught in schools doesn't measure up to what businesses need so they have serious problems with new staff not knowing how to use business software nor even many 'mainstream' application suites. And hence pupils, and clearly some staff, have little idea about what to do to prevent, protect and eliminate such infections and attacks.

  8. Juve · 488 days ago

    In 2010, Microsoft free malware removal tool was already able to clean a system, without any data destruction. I only see incompetence. The manager who has made the decision to replace the computers should be fired!

  9. Andrewc · 488 days ago

    How about if the computers were all due for replacement anyway? Perhaps simple math that showed the cost of weeks of someones time to disinfect all the computers ( along with associated downtime) plus the fact they needed replacing meant that it made actual financial sense to replace them.

  10. Nigel · 487 days ago

    As crazy as the story in this article sounds, I have direct experience with a variant of the same mentality. I know some folks who run an accounting business, and their Windows computers get infected with some kind of malware about once every year. Their solution? Completely wipe the hard drive and start over! Reinstall the system and all applications. Ouch! (Their clients' data is stored on a system that is backed up daily; they've never mentioned that any of that data was infected.)

    I've never understood the "just wipe the hard disk" approach. It can’t possibly be a Windows problem, because there are lots of folks who run Windows and never have to take such drastic measures.

    It just doesn’t make any sense to me. My workstations and server are configured in a way that makes it easy for me to work. Naturally I don't want to lose any data, which is why I have multiple levels of backup. But the loss of a system disk also would be a catastrophe (albeit of a different kind) in the sense that it would take an enormous amount of time to reinstall, reconfigure, and reauthorize hundreds of applications and plugins.

    The solution is a periodic bootable backup of the entire system volume as well as the data volumes (once every 12 hours), and of course using common sense to ensure that I don't get infected in the first place, which includes running Sophos A-V. Even so, occasionally something manages to sneak through, and Sophos cleans it up. It just wouldn't occur to me to wipe the hard drive, much less discard the entire machine. That mentality kind of pegs the stupid meter.

    • Sootie · 487 days ago

      Nigel,

      If you have a properly setup imaging program and a well maintained image then any operation on a normal workstation machine that takes more than 20 min should be abandoned as a re-image is simpler and takes a known amount of time.

      Server's are obviously a different matter as there is a lot more work involved in the re-setup of a server however depending on the complexity of a re-image there would still be a time limit where it is no longer effective to keep trying for a recovery or removal and it is simpler and faster to give up and go for the re-image/restore.

      Wasting hours and hours trying to defeat malware or other issues might be ok for a small shop but once you get to a big enough size your IT cant afford to waste massive amounts of time tracking down issues you just have to document the issue, re-image and move on.

  11. Eric Pierce · 487 days ago

    The report lacks critical information. Who made the decision? Did the IT shop protest? How many of the machines were near end of life, and not worth fixing anyway? How much of a commitment did the internal IT shop have to solving the problem in a timely manner?

    This is about an education organization. It is not uncommon for IT shops in education to be subject to unreasonable pressures and support cost limits. A non-IT manager (probably not competent in IT) may have invoked some kind of emergency protocol and bypassed normal purchasing protocols, especially if the internal IT shop could not deal with the crisis and no mechanism was available to get outside help quickly (contract approvals, etc.).

    A "business class" PC, at non-discount pricing, with three years of "enterprise support" and "office applications" could easily cost what is described here. Especially if there were monitors, printers, software upgrades, etc.

    Generally speaking, typical user requirements in an education setting would not require that "hundreds of applications and plugins" be configured in a given disk image. It is fairly easy and trivial to reimage a PC remotely, and use a MS "file and settings transfer wizard" from a previous good image to restore a PC.

  12. @Nigel (and Graham): I think the reason that some folks prefer to wipe/reinstall has to do with malware installing additional zero-day viruses or trojans which aren't detected. I've read frequently that while an AV may detect a specific signature, in many instances it won't detect the whole problem. In addition, if files are replaced by malware, there's no guarantee an AV clean-up will fix the damage.

    Here are two major U.S. universities that recommend reinstalls if you get infected:
    http://kb.iu.edu/data/arrg.html http://www.oit.umn.edu/safe-computing/personal-co...

  13. Dennis Mahon · 487 days ago

    To answer the why they tossed 'em & bought new ones, you have to think like a Government manager. Most Government budgets are "use it or loose it" types - if you don't expend your budget, it will get reduced next year. Management hates having their budgets cut, because it means you have to fight twice as hard to expand the budget when your expenses go up.

    My guess is that management saw a chance to upgrade without having to bow & scrape before the comptroller, and jumped at the opportunity.

  14. Ocean Midge · 487 days ago

    There is often an attitude that on systems containing sensitive data it is extremely difficult to say with certainty that you have removed all vestiges of infection.
    If the security posture is that the cost to the organisation of compromise outweighs the cost required to mitigate it completely (aka replace or DoD-wipe the HDD) then it makes sense to do it for the sake of surety.
    But throwing the PCs out, that's a bit bonkers. Would have to be some pretty damn advanced malware to persist in the RAM or BIOS or something...

  15. Bill · 487 days ago

    Teacher training doesn't include IT skills?

  16. We have our data on the LAN. If someone gets a virus that the antivirus can't solve, they take 3 hours to reload the operating system and software instead of trying to figure out the problem.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.