A 'time bomb' might be the cause

Feb 17, 2010 15:20 GMT

The operating system on almost eight hundred computers used by Norfolk City employees was trashed within a single hour last Tuesday. IT specialists are still working to restore the affected systems and think that the malicious code acted like a time bomb.

The city of Norfolk, Virginia is home to the largest naval base in the world and NATO's Allied Command Transformation (ACT) headquarters. According to Hap Cluff, director of the city's information technology department, the security incident occurred on February 9.

Reports of computers failing to boot after a restart started flowing in after 4:30 p.m. last Tuesday. The city's computer technicians acted quickly and managed to contain the problem by 5:30 p.m.; however, 784 PCs had already been affected by that time.

The malware manifested itself by deleting two-thirds of the system32 folder and altering the boot.ini file. "We don’t believe it came in from the Internet. We don’t know how it got into our system. We speculate it could have been a ‘time bomb’ waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines," Mr. Cluff told independent security reporter Brian Krebs.

The point of origin for the malicious code seems to have been a City Hall print server, which unfortunately was immediately rebuilt without a forensic analysis being performed. Officials are now hoping to recover some useful samples from other machines that have been quarantined.

Apparently, in some cases, it's not just the operating system that has been destroyed, but user data as well. City employees are instructed to store work files on dedicated servers; however, the sad reality is that many fail to follow such recommendations.

If the incident was indeed caused by a computer time bomb, it could be the work of a disgruntled ex-employee. A year ago, we reported on a Fannie Mae IT admin who planted a malicious script timed to destroy data from over 4,000 company servers. Fortunately, the rogue program was discovered and neutralized in time. Mr. Cluff noted that the FBI was notified and an official investigation would be underway.