St Vincent's Hospital flushes out Conficker worm

Administrators at the St Vincents and Mater Health Sydney have revealed that a software transfusion last year uncovered some 300 unpatched PCs in which Conficker malware was festering.

The hospital group this week revealed details of a $400,000 endpoint security project completed in August 2009.

It took IT staff four years to secure funding and approval for the project, said St Vincents' IT security manager Peter Param, describing it as "massive" for the organisation.

Param kicked off discussions with Internet Security Systems - with a view to adopting its Proventia software suite - in 2005, after deciding to migrate from "firewall-type" to "host-based" defences.

"We had reasonably good perimeter defence, but it was not in-depth," Param said.

After obtaining project approval, Param established a three-year contract for the Proventia Desktop Endpoint security and Endpoint Secure Control suites plus PGP Corporation's encryption software and support.

But it wasn't the security aspects that prompted Param to choose Proventia, which was acquired by IBM in 2006, over Check Point's ZoneAlarm, he said.

More compelling was IBM's automated deployment paradigm, which St Vincents now employs for a host of other software upgrades.

Param blamed the group's previous software management process, which relied on Microsoft's Active Directory, for gaps in its application of system upgrades.

Some 300 of the organisation's 2,700 PCs had never been patched for Microsoft's critical MS08-067 vulnerability, which could be exploited by the malicious Conficker worm.

In September 2009, just weeks after the Proventia suite was deployed, the worm slowed part of St Vincents' network to a halt.

Param said the effects were similar to those of a Denial of Service (DoS) attack, as Conficker launched repeated attacks on the newly deployed security software.

He said the network could have been more vulnerable as staff transitioned to the new security suite, abandoning antivirus software by Trend Micro.

The malware was found to have been festering on the hospital's network for nearly two weeks after users downloaded research files or transferred them to the hospital's network from infected home PCs.

"It was not a good circumstance, I guess, but it helped us find out what was going on," Param said.

St Vincents now uses the Proventia suite in conjunction with a legacy firewall solution and Symantec Hosted Services's MessageLabs anti-spam service.

Param also planned to establish a secure sockets layer virtual private network (SSL VPN) to allow researchers to access their work documents from home.