
Time Bomb May Have Destroyed 800 Norfolk City PCs' Data

krebsonsecurity writes "The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date, according to krebsonsecurity.com. 'We don't believe it came in from the Internet. We don't know how it got into our system,' the city's IT director said. 'We speculate it could have been a time bomb waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.'"
  • by CorporateSuit ( 1319461 ) on Wednesday February 17, 2010 @03:30PM (#31174298)
    Hardly. It's just something that messed with the Win32 folder. This could be fixed by a few temps over the weekend if the city government was half-competent.
  • by caseih ( 160668 ) on Wednesday February 17, 2010 @03:33PM (#31174348)

    At first glance that blows my mind. That's absolutely huge. Then I check my linux box and /usr/lib64 is 1.7 GB.

  • by Overzeetop ( 214511 ) on Wednesday February 17, 2010 @03:40PM (#31174458) Journal

    Byoo'-nah Vis'-tah

    The locals have taken the whole diphthong pronunciation (when two vowels go walking...) to an extreme.

    We also have Staunton, which is pronounced Stan-tun (short a sound).

  • Re:No explanation (Score:5, Informative)

    by wiredog ( 43288 ) on Wednesday February 17, 2010 @03:50PM (#31174642) Journal

    Explanation here [krebsonsecurity.com].

  • by theJML ( 911853 ) on Wednesday February 17, 2010 @03:59PM (#31174786) Homepage

    From working in the backup industry for years, I'm sure they have backups; the problem is that they never tried to verify or restore them. But if there really isn't any data there, compression is great when you just "tar cv * > /dev/null" ...

    Heck one time I had a guy who was getting Parity Errors decide that the best way to solve them was to just shut off Parity Checking... Ignorance is bliss I suppose.

    Seriously, I can't count the number of times I tried to help someone restore their backups after a critical loss, only to find that they had never actually verified that the backups worked in the first place. Just as bad as when I worked in a photo shop and someone said they couldn't get their film out... I put the camera in the light-locked compartment, stuck my hands in, just to find that he had taken 36 'priceless vacation pictures' on the back of the camera body instead of on film.
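A restore test of the kind this comment calls for, as an added example that is not part of the thread: it proves a tar backup is restorable by restoring it and comparing checksums, and shows that the "tar cv * > /dev/null" job leaves nothing to restore. All sample data and paths are constructed.

```shell
#!/bin/sh
# Added example: prove a backup is restorable by actually restoring it and
# comparing checksums, instead of trusting that the backup job "ran".
# All sample data is constructed here; no real paths are assumed.
set -eu

make_sample_data() {          # $1 = directory to populate with sample files
  mkdir -p "$1/docs"
  printf 'budget 2010\n'     > "$1/docs/budget.txt"
  printf 'council minutes\n' > "$1/docs/minutes.txt"
}

# verify_backup SRC ARCHIVE: returns 0 only if ARCHIVE exists, is readable as
# tar, and restores every file of SRC byte-for-byte (checked via cksum).
verify_backup() {
  src="$1"; archive="$2"
  [ -s "$archive" ] || { echo "FAIL: archive missing or empty: $archive" >&2; return 1; }
  tar -tf "$archive" >/dev/null 2>&1 || { echo "FAIL: $archive is not a tar archive" >&2; return 1; }
  work="$(mktemp -d)"
  mkdir "$work/restore"
  tar -xf "$archive" -C "$work/restore"
  # Checksum both trees in a stable order and compare the listings.
  ( cd "$src" && find . -type f -exec cksum {} + | sort ) > "$work/live.sums"
  ( cd "$work/restore" && find . -type f -exec cksum {} + | sort ) > "$work/restored.sums"
  if cmp -s "$work/live.sums" "$work/restored.sums"; then
    rm -rf "$work"; return 0
  fi
  echo "FAIL: restored data differs from live data:" >&2
  diff "$work/live.sums" "$work/restored.sums" >&2 || true
  rm -rf "$work"; return 1
}

demo() {
  d="$(mktemp -d)"
  make_sample_data "$d/data"
  tar -cf "$d/good.tar" -C "$d/data" .          # a real backup
  tar -cvf - -C "$d/data" . >/dev/null 2>&1     # the "tar cv > /dev/null" trap...
  : > "$d/bad.tar"                              # ...leaves an empty "archive"
  verify_backup "$d/data" "$d/good.tar" && echo "good.tar: restore verified"
  verify_backup "$d/data" "$d/bad.tar"  || echo "bad.tar: would not have saved anyone"
  rm -rf "$d"
}

demo
```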

  • Re:Feh. (Score:4, Informative)

    by mcgrew ( 92797 ) * on Wednesday February 17, 2010 @04:14PM (#31175036) Homepage Journal

    From TFA:

    Cluff said the malicious software appears to have been designed to trash vital operating files in the Windows\System32 folder on the infected machines. Cluff said a healthy, functioning System32 directory weighs in at around 1.5GB, but the computers infected with this as-yet-unidentified malware had their System32 folders chopped down to around a third of that size, rendering them unbootable. Cluff added that city employees are urged to store their data on file servers, which were largely untouched by the attack, but he said employees who ignored that advice and stored important documents on affected desktop computers may have lost those files.

  • by Darth_brooks ( 180756 ) <.clipper377. .at. .gmail.com.> on Wednesday February 17, 2010 @04:32PM (#31175382) Homepage

    Umm, yeah. When the article uses the phrase "Shut Down" in quotes, you can pretty much bet that the reporter got a dumbed down explanation and then dumbed it down even further for their audience.

    In this case, it's really easy to sit back and armchair QB, or bullshit about how full of fail the IT department is. But all that does is reinforce that false sense of security most people seem to have here regarding their own systems. Look at the domain admin next to you. Or the group of people that have local admin rights on PCs. Now think about these lines in a batch file:

    bootcfg /delete /ID0

    del C:\windows\system32\*

    Now think of someone pushing that, in a batch file, into scheduled tasks on a Thursday night. Would you notice? Does your super-duper-uber AV console notify you of new scheduled tasks? You think AV is going to stop a task like that, being run by an admin? Here, just for fun, throw this in front of those lines:

    Net Stop YOUR_AV_SERVICE_HERE

    There are a million and one legitimate ways that this could be done by a rogue admin. PSEXEC and a txt file with a list of computer names comes to mind (which is probably all that was on the 'rogue' print server). Snigger and snort all you want. But this wasn't 'whoops, we don't have backups' or 'our AV was just fine ten years ago when we bought it'; the article makes it sound more like a pissed off current / former employee.

    Either way the city's in a world of pain now, but nowhere near the world of pain the guy that did this is going to be in. Something like this won't be that hard to figure out. Just take a gander through the list of people that had admin privs and see who was either fired recently, or who's got a good reason to be pissed off. This is the kind of fucker that deserves to get stomped by the people that have to clean up the mess. Thanks, asshole. Your super-l33t skills are nothing more than a long inconvenience.
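The "would you notice a new scheduled task?" question above, answered from the defender's side as an added example that is not from the thread: a small triage of Windows "scheduled task created" audit events (Security Event ID 4698) that flags tasks whose command stops a service, deletes a boot entry, or deletes System32 contents, runs from a user-writable path, or was created off-hours. The event lines are constructed, simplified renderings of such records, not real log output.

```python
"""Added example, not code from the thread: triage Windows 'scheduled task
created' events (Security Event ID 4698) for the pattern described above.
The event lines are constructed, simplified renderings of 4698 records."""
import re
from datetime import datetime

# Constructed sample events: timestamp, creating account, task name, command run.
SAMPLE_EVENTS = [
    "2010-02-11T09:12:40 EventID=4698 Subject=CITY\\svc_patch TaskName=\\Patching\\Monthly "
    "Command=C:\\Program Files\\Patch\\update.exe",
    "2010-02-11T22:47:03 EventID=4698 Subject=CITY\\jdoe TaskName=\\Cleanup "
    "Command=cmd.exe /c net stop YOUR_AV_SERVICE_HERE & bootcfg /delete /ID0 & del C:\\windows\\system32\\*",
    "2010-02-11T23:02:11 EventID=4698 Subject=CITY\\jdoe TaskName=\\Backup "
    "Command=C:\\Users\\jdoe\\AppData\\Local\\Temp\\run.bat",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4698 Subject=(?P<who>\S+) TaskName=(?P<task>\S+) Command=(?P<cmd>.*)$")
# Indicators a reviewer would not expect in a legitimate maintenance task.
DESTRUCTIVE = [
    (r"\bnet\s+stop\b", "stops a service (possibly AV)"),
    (r"\bbootcfg\s+/delete\b", "deletes a boot entry"),
    (r"\bdel\b.*system32", "deletes System32 contents"),
]
USER_WRITABLE = re.compile(r"\\(temp|users|documents and settings)\\", re.I)
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; adjust to the site's schedule


def triage(event_lines):
    findings = []  # one finding per suspicious task-creation event, in log order
    for line in event_lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        destructive = [why for pat, why in DESTRUCTIVE if re.search(pat, cmd, re.I)]
        reasons = list(destructive)
        if USER_WRITABLE.search(cmd):
            reasons.append("runs a script from a user-writable path")
        if datetime.fromisoformat(m["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("created outside business hours")
        if reasons:
            findings.append({"task": m["task"], "creator": m["who"],
                             "severity": "high" if destructive else "review",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['task']} by {f['creator']}: {'; '.join(f['reasons'])}")
```

On a real estate the same logic would be fed from the Security log (4698 requires the "Audit Other Object Access Events" policy to be enabled), and the service-stop indicator would name the site's actual AV service.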

  • by davidwr ( 791652 ) on Wednesday February 17, 2010 @04:35PM (#31175422) Homepage Journal

    * Check every few seconds to see if network goes down
    * Write a bogus entry in the log files that points to some oddball behavior, like a disk-read error or something
    * If network is down freeze screen so it looks like computer just locked up
    * Ignore all input
    * Wipe key parts of disk so forensic recovery is impossible or at least very difficult
    * Wipe key parts of memory so forensic recovery is impossible or at least very difficult
    * Wipe key parts of cache so forensic recovery is impossible or at least very difficult
    * Force or fake a BSOD screen so a casual user will think his computer crashed and blame any resulting data loss on the crash

  • by Itninja ( 937614 ) on Wednesday February 17, 2010 @05:04PM (#31175968) Homepage

    Microsoft really needs to add the ability to set user profiles on a different partition, as you can w/ UNIX.

    Um, they're called 'roaming profiles' and have been around for some time. You can store users' profiles anywhere you want...different drive, or even a remote server.

  • no major problems (Score:3, Informative)

    by DaveGod ( 703167 ) on Wednesday February 17, 2010 @05:21PM (#31176256)

    Re-worked summary of TFA:
    - All that has been damaged is the System32 folder of user machines.
    - 'Destroyed', I imagine, is an IT staffer trying to dumb down his language to his perception of the level of the reporter's IT knowledge
    - Their IT may have done quite well; the only 'damage' is to PCs that were shut down in the 1-hour window between the attack starting and IT containing it
    - Employees were supposed to save to the network. The only issue stated is that some staff were breaking the rules and saved things to their own PC.

    All they need to do with the affected machines is boot from a Windows or Linux CD, copy the files to a memory stick and throw their standard "new install" image on. No data loss. No network downtime. All they're looking at is some hassle for the ~18% of users affected and a very busy IT department. Provided the affected users have other machines to work on (or are otherwise not losing much productivity), they're not far off having the best scenario any IT department can realistically hope for (well, I'd like to say it's reasonable to hope for not having pissed off employees). Sure, no doubt a dozen IT managers can post their "perfect" system, and another dozen IT managers can show how they could destroy it.

  • by idontgno ( 624372 ) on Wednesday February 17, 2010 @06:11PM (#31176988) Journal

    I knew some pedanto-troll would say that.

    No one cares. "Bricked" means non-responsively broke. Repairable or not.

    Get over yourself.
