Melbourne Health still grappling with Qbot malware

Virus mutations make it hard to contain.

Melbourne Health is still working to contain a dangerous strain of malware that attacked its systems more than two weeks ago, a task made difficult by the virus' ability to mutate and hide itself from discovery.

On January 18 the health network revealed malicious software had infected Windows XP computers through Royal Melbourne Hospital's pathology department.

The malware downed the hospital's pathology systems and forced staff into manual workarounds.

It made its way into the health department through an unnamed zero-day exploit in Windows XP computers, past the agency's full enterprise antivirus suite.

The IT team was able to restore services to the pathology unit in the days after, but was forced to fast-track an upgrade to Windows 7 that was already underway after the malware rendered its Windows XP computers unusable.

The Qbot malware typically attacks banking systems and can steal passwords and capture user keystrokes. However, the variant attacking Melbourne Health is a new version that is far more virulent and effective.

Melbourne Health chair Robert Doyle told 3AW radio today the malware had mutated six times in one day last week.

Qbot is able to mutate into new versions with different signatures, making them difficult for antivirus programs to detect.

iTnews understands the health network believes it has the malware contained and it is no longer spreading.

The IT team has moved to looking for particular behaviours within its network that would signal an infection - a technique known as heuristics - rather than solely relying on known signatures.

It is now focused on remediation, with in excess of 600 Windows XP machines needing to be upgraded, and a smaller number of Windows 7 devices still to be restored to full functionality.
