Gamarue malware found on government-issued school laptops

Devices handed out by the government to support vulnerable children contain malware that appears to be contacting C2 infrastructure in Russia

An undisclosed number of refurbished laptops given to vulnerable children in England have been found to be loaded with malware that is communicating with command and control (C2) server infrastructure located in Russia.

The laptops were handed out to support home-schooling efforts during the current national lockdown, according to BBC reporting, and the suspicious software – found to be the Gamarue trojan – was discovered on a small number of devices by teachers at a school in Bradford. It is not yet known exactly how many devices were compromised, or to how many schools they were inadvertently sent.

Also known as Andromeda, Gamarue is part of a family of trojans that compromises victim devices via malicious attachments to spam emails. It is capable of using its victims to send more spam email messages, downloading and installing other malware, and copying itself to removable media, such as USB drives.

Gamarue was first identified nine years ago and, prior to the 2017 takedown of the botnet behind it in an international operation, was one of the more widespread malware families in circulation.

The Department for Education (DfE) said it was aware of the issue but said it was confined to a small number of devices at a small number of schools, understood to be in the single digits. An investigation is underway, and its IT team is in touch with the school or schools concerned.

A spokesperson told Computer Weekly: “We have been investigating an issue with malware that was found on a small number of the laptops provided to schools as part of our Get Help With Technology Programme.

“In all known cases, the malware was detected and removed at the point schools first turned the devices on.

“We take online safety and security extremely seriously and we will continue to monitor for any further reports of malware. Any schools that may have concerns should contact the Department for Education.”

Its discovery is not necessarily a sign that Gamarue is re-emerging as a significant threat at this time, but does indicate some level of failure in the government to adequately prepare the refurbished devices for redistribution.

Tom Lysemose Hansen, chief technology officer of Promon, described the incident as appalling. “When it comes to issuing equipment such as laptops to schools, the bar is very low – ensure the laptops are safe to use and won’t pose a risk to the children using them,” he said.

“As is to be expected, children do not, in most cases, have the technical expertise to recognise that their equipment is compromised in any way. Luckily this issue doesn’t seem to be widespread. However, any parents who receive a free laptop from a school for their child should be on the lookout for any suspicious behaviour such as pop-ups or strange applications appearing.

“Endpoint security should be a top priority for both the government and for schools, who must also put in the work to vet any and all devices issued and, although sad to say, should not assume that just because it’s been issued by a governing body that it is automatically free from malware,” said Hansen.

Redscan threat intelligence head George Glass said: “The fact that these devices were not checked and scrubbed before being sent to vulnerable children is a concern. The Gamarue worm is not a new malware strain; it was first discovered in 2011 and is just one example of hundreds of such threats that may reside on old, unchecked devices.

“If such an old worm was discovered on these machines it may not be the only nasty surprise. It’s certainly possible that newer and more severe malware strains are present on devices too.

“Any families in receipt of a laptop should ensure that antivirus software is installed,” said Glass. “As an added precaution, people should also avoid using these devices for anything other than learning. For instance, they shouldn’t be used for accessing email and online bank accounts. If an infection is detected, then the laptop should be powered down immediately and returned to the local authority for inspection.”

Local and national schemes

Comparitech’s Brian Higgins added: “There are many local and national schemes which have been implemented to try to provide devices for school children in an attempt to keep as many as possible engaged in some form of education during school closures and lockdown measures.

“Whilst it is unclear where these particular laptops were sourced, it is absolutely vital that anyone seeking to source devices, whether they are bought using sponsorship or donated directly, be fully aware of the risk that they may contain dormant or active malicious software and research appropriate methods to make them safe before they are distributed to homes and families.

“The potential for malicious software to be used against recipients is not limited to the children for whom the devices are intended, as access to the internet will no doubt be useful for other family and friends outside of school hours,” said Higgins.

“I would highly recommend that anyone distributing devices include some information about online safety. The National Cyber Security Centre offer free advice on secure home working and the use of online conferencing services such as Zoom and Teams.”

The incident will pile further pressure on education secretary Gavin Williamson, who is already facing calls to resign over his handling of his ‘beat’ during the pandemic.

Williamson is somewhat familiar with potentially compromised hardware, having been sacked as defence secretary in disgrace in 2019 after he leaked details of National Security Council (NSC) discussions about the inclusion of Huawei equipment in the UK’s 5G mobile networks, and lied to the then prime minister Theresa May to cover his tracks.