Update: State Department visa system disrupted by virus
The agency is still investigating the incident
Computerworld - WASHINGTON -- A computer virus yesterday disabled a portion of the State Department's domestic enterprise network, forcing the agency to halt overseas screenings of visa applicants for criminal histories and links to terrorism, a department official confirmed today.
The virus, identified as the Welchia virus, forced the State Department to quarantine the network used by its Consular Lookout and Support System, known as CLASS, which contains nearly 15 million records on known or suspected terrorists and other criminals. As a result, the system was unavailable between noon and 9 p.m. EDT yesterday, said Mary Swann, a State Department spokeswoman.
However, Swann denied earlier reports that indicated the virus had infected the CLASS system and was the cause of the shutdown.
"At no time was the department's classified network infected," nor did it infect the visa screening system, she said. Although e-mail communications were slowed because of the virus, Swann said the interruption of service in the CLASS name-checking system was due solely to security precautions taken by the department.
No visas were issued until applicants could be checked against the system, she said.
The CLASS name-checking system is designed to make it difficult for visa applicants to hide relevant information on criminal histories or terrorist links from State Department consular officers. Complex algorithms are used to provide uniform and consistent translations of names in non-Roman alphabets. The system displays a wide range of potential name matches that a consular officer must review prior to issuing a visa. Other documentation is necessary as well, including a passport, job letters and other data the consular officers cross-check.
The outbreak affected only Windows systems on the State Department's unclassified network in its Washington\ facility, according to Swann. That network hosts the agency's unclassified e-mail system as well as other unclassified network resources.
Swann defended the State Department's IT security system, saying that the agency has a "very elaborate system" of firewall, intrusion-detection system and antivirus technologies that were all up to date at the time of the outbreak.
The agency couldn't provide statistics on how many Windows systems were infected or how the worm was introduced to the Department of State's network, she said.
Swann also couldn't comment on why State Department systems were vulnerable to the Welchia worm.
Infections on the agency's internal network suggest that Windows systems hadn't been patched with either one of two critical Microsoft software updates that plugged the security holes exploited by Blaster and Welchia, but Swann couldn't confirm the existence of unpatched systems on the network.
First identified on Aug. 18, Welchia spreads by exploiting the same Windows security hole as the W32.Blaster worm.
It doesn't rely on e-mail messages to spread. The worm exploits machines by sending an improperly formatted remote procedure call message to vulnerable systems, causing a buffer overflow on the machines that allows the worm code to spread.
After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.
Although the number of new Welchia infections is down since August, copies of it are still circulating on the Internet. Today, antivirus company Symantec Corp. still had Welchia rated a Category 4 threat on a scale of one to five, indicating a "severe" threat that is "difficult to contain."
As of 12:30 p.m. today, Swann said the majority of the State Department's desktops were back up and running properly. Officials expect to have the entire domestic network fully functioning by the end of the day.
Paul Roberts of the IDG News Service contributed to this report.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts