Malware knocks out U.S. Marshals Service network

Windows-based machines at U.S. Marshals Service thought to be hit by Neeris worm

Malware Wednesday crippled Windows-based computer systems at the U.S. Marshals Service, which hunts federal fugitives and operates the country's witness protection program, knocking the agency’s network offline.

The agency's press office confirmed it was having network problems and that its e-mail system was down this morning, but it was unclear if the outage extended across the entire network.

The press office said a statement would be issued today, but has yet to be released.

Per government regulations agencies are required to report security incidents to the US-Computer Emergency Readiness Team (US-CERT). A call to CERT was not returned by press time.

It was not clear if the malware was the cause of the network outage or if the agency took down systems to stem the spread of what was believed to be the Neeris worm, which saw a new version appear last month that copies Conficker's evil ways.

The agency was running desktop malware software, but it had not been updated for more than three years even though the agency had paid for upgrades to newer versions that protect against Neeris. In addition, Microsoft has issued two patches, one in 2006 and one in October, to close holes in its software exploited by Neeris.

The agency's Web site was up and running this morning, but a receptionist in the press office said "the agency's whole e-mail system is down, and the agency is unable to receive e-mail."

Later, another press office staffer confirmed that there were network problems.

Members of the agency's IT staff were communicating with vendors via Gmail accounts as they attempted to work through the issue.

The U.S. Marshals Service, a division of the Department of Justice, is the oldest federal law enforcement agency and has served the country since 1789.

There was no word if the problems had spread to the DOJ or to other agencies under the DOJ.

The U.S. Marshals Service has approximately 4,901 employees, which includes 94 U.S. marshals and 3,324 deputy U.S. marshals and criminal investigators. The agency's fiscal 2008 budget was $864 million.

There were reports that the agency was hit with the Neeris worm, which infects desktops and can enable a remote user to execute malicious commands on the affected system.

Neeris and its variants are capable of propagating using multiple avenues including network shares and removable drives, via software vulnerabilities in servers to propagate across networks, and via Microsoft's instant messaging clients.

Trend Micro lists the risk rating for Neeris as "Low" but the damage potential as "High."

Michael Sweeny, global public relations director for Trend Micro, said the U.S. Marshals Service had contacted his company last night for help with its network issues.

He did not detail what those problems were and said he had not heard anything about Neeris being the culprit.

But Trend Micro's daily statistics on Neeris worm infections showed a spike from 7 p.m. to 8 p.m. May 20 that rose from nearly zero to 700 computers. Another smaller spike of about 100 computers was detected from 6 a.m. to 7 a.m. this morning (May 21).

The Washington D.C. office of the U.S. Marshals Service has approximately 400 people.

The statistics, posted online, are based on detections made by Housecall, Trend Micro's online scanner.

The U.S. Marshals Service runs Trend Micro’s OfficeScan, an anti-malware software that installs on desktops, laptops and mobile devices.

The agency, however, runs the 5.0 version, which is more than three years old. Trend Micro says protection against Neeris has been in OfficeScan since version 8. The current version is 10.

"[Their version] is a vastly out-of-date, end-of-life product," said Sweeny.

In addition, Sweeny said the U.S. Marshals Service maintenance contract was up-to-date, meaning the agency had paid for upgrades to the software but had failed to install them.

Problems with security on government networks are not new.

An updated Government Accountability Office report issued this week said agencies have made progress in implementing information security requirements but that significant weaknesses persist. The report found 23 of 24 major federal agencies had weaknesses in their agency-wide information security programs. Those agencies included the DOJ.

While the Neeris worm has been around since 2005, a new version was discovered just last month that used the same vulnerability targeted by Conficker. The new version spreads via the Windows "autorun" command.

A patch to close the critically-rated vulnerability that Neeris and Conficker exploit was issued in October by Microsoft.reported this week that Conficker was still infecting 50,000 PCs per day.

Still, security researchers

Earlier versions of Neeris exploited a vulnerability patched by Microsoft in August 2006.

Follow John on Twitter.

Learn more about this topic

Conficker copycat prowls for victims, says Microsoft

Conficker still infecting 50,000 PCs per day

Security lacking at most government agencies, GAO says

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies