Bug that infected Royal Melbourne Hospital is a Qbot worm

Update: Royal Melbourne Hospital is reimaging all of its PCs running Windows XP after it was discovered that the bug that infected its systems on the weekend is a new variant of the Qbot or Qakbot worm, a known piece of malware that exploits a security vulnerability in XP.

A source at Royal Melbourne told Pulse+IT that the malware particularly affected the pathology department, where the majority of PCs run on XP and the laboratory information system runs on Windows Server 2003.

The source said the worm had infected other machines in the hospital running newer operating systems, but when it infected an XP machine, it effectively “killed” it. However, the hospital also has a few PCs attached to aged medical equipment running on Windows NT that are still working fine.

It is understood that the emergency department system had to go offline over the weekend but is back up and running. However, the source said there was still a lot of work left to check the hundreds of different software applications used in the hospital.

“They have ensured that we've got the right virus scan and the software in place to stop the infection but it will take weeks to get it all cleaned up,” the source said.

Information security experts from the state and territory health departments are aware of the issue and are taking action, the chief information security officer (CISO) at eHealth NSW, Gilbert Verdian, said.

“We are working with the anti-virus vendors to find out exactly what it is,” Mr Verdian told Pulse+IT. “It's a variant of an old virus so we are trying to figure out how bad it is, why it wasn't picked up and do something proactive on our end so we don't get it.”

While Windows XP is still used to varying extents in health facilities throughout the country – many older medical devices and bespoke software will not work with newer operating systems – most health departments have or are phasing it out. It is not widely used in NSW, Mr Verdian said.

“We kicked off a program about two years ago to get rid of it and we've done quite a lot of that work. There's not many left out there.”

It is not yet known where the worm first gained entry, but one of its main features is its ability to evolve and it seems to have bypassed the hospital's antivirus protections.

Melbourne Health issued a statement yesterday saying most computers were now clear of the bug and IT staff were working to restore the remaining Windows XP computers as quickly as possible.

“As of 10am [November 19], many programs affected by the virus are up and running including pathology and pharmacy,” Melbourne Health said.

According to Sophos, Qbot or Qakbot is a worm that can steal passwords, log keystrokes and perform remote FTP commands.

It affects not just Windows XP but Windows Server 2003, Windows Server 2008, Windows NT and Windows 7.

Trend Micro says it has been around since at least 2009 and is best known for trying to infect banking systems.

The security software vendor says the malware has the ability to block access to antivirus sites and delete itself if found running on a virtual machine.

This story was updated on Friday, January 21 to include more information on the steps being taken by Melbourne Health to clear the virus.


Posted in Australian eHealth

Tags: Royal Melbourne Hospital, Qbot, Qakbot

Comments   

# Terry Hannan 2016-01-22 11:20
There are many concerns about this type of "infection" of hospital systems. This posting reminds me of an interesting paper several years ago where one of the high risk access points to hospital networks was the use (permitted/not permitted) of USB drives into hospital terminals. These acted like accessory drives to the hospital networks with all the associated risks for 'infection' and data security. I think one excellent example of data loss and access to patient data was on a research study in Stanford.
# Terry Hannan 2016-01-22 11:24
As a follow-up to my previous posting, here is an authoritative reference on this topic, dated 2007!
J Am Med Inform Assoc. 2007 Jul-Aug;14(4):397-9. Epub 2007 Apr 25.
Encryption characteristics of two USB-based personal health record devices. Wright A, Sittig DF.
Personal health records (PHRs) hold great promise for empowering patients and increasing the accuracy and completeness of health information. We reviewed two small USB-based PHR devices that allow a patient to easily store and transport their personal health information. Both devices offer password protection and encryption features. Analysis of the devices shows that they store their data in a Microsoft Access database. Due to a flaw in the encryption of this database, recovering the user's password can be accomplished with minimal effort. Our analysis also showed that, rather than encrypting health information with the password chosen by the user, the devices stored the user's password as a string in the database and then encrypted that database with a common password set by the manufacturer. This is another serious vulnerability. This article describes the weaknesses we discovered, outlines three critical flaws with the security model used by the devices, and recommends four guidelines for improving the security of similar devices.
# Terry Hannan 2016-01-22 11:47
One final posting on this topic.
http://www.databreachtoday.com/stanford-breach-lawsuit-settled-a-6670
