UK Windows 10 school laptops shipped with Gamarue malware

The UK Department for Education has delivered several thousand Windows notebooks to schoolchildren, some of which may have been infected with malware from the factory. On affected devices, the malware diligently 'phoned home' to Russian servers.



In the UK, there is the Get help with technology program, under which UK schoolchildren can receive notebooks and tablet PCs so that they can study and take part in home schooling during the COVID-19 pandemic. The Register reports that the U.K. Department for Education delivered notebooks preloaded with malware to students who were supposed to use them to learn from home during the lockdown.

Gamarue malware on board

Windows 10 laptops supplied to schools as part of the government's Get Help With Technology (GHWT) program arrived with the Gamarue malware pre-installed. According to The Register, this is a remote-access worm dating from the 2010s that is currently keeping a low profile.

The German BSI writes that Andromeda/Gamarue is a malware downloader that can fetch further malware and execute it on the infected system. In the case of Andromeda/Gamarue this could be, for example, the banking Trojans Citadel, Rovnix or UrlZone/Bebloh. Furthermore, Andromeda/Gamarue can be extended with additional functions by means of plug-ins; among other things, there is a plug-in that intercepts credentials for both email accounts and FTP programs and forwards them to the malware operators. As The Register was able to find out, a batch of 23,000 computers is potentially affected.

These devices were shipped in the last three to four weeks, though it is unclear how many of them are infected. The BBC writes that only a few devices are infected. An official said, "We are aware of an issue with a small number of devices. And we are investigating it as an urgent priority to resolve the matter as soon as possible."

Specifically, the affected devices are the GeoBook 1E, manufactured by the Shenzhen-based Tactus Group. It is currently assumed that the malware was preinstalled on the devices by the manufacturer. The manufacturer could not be reached for comment.



A source at a school told The Register that the notebooks in question were probably manufactured in late 2019 and were loaded last year with the software build specified by the UK Department for Education (DfE), which runs the GHWT program. The Register was able to view emails sent to and from the DfE that addressed concerns about malware contamination of the laptops.

In online forums, staff from Bradford schools reported that the council contacted them on Wednesday to warn them about the problem. One email said, "While unpacking and preparing, a number of the laptops were found to be infected with a self-propagating network worm … that looks like it contacts Russian servers when active."

In at least one school, the laptops were formatted as a precaution and reinstalled with a clean build before the devices were issued to students. However, people familiar with the GHWT rollout told The Register that not all machines in the batch were contaminated with the malware. It is currently unclear how many machines in the batch were affected and where the infection happened.
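The article gives no indicators beyond the family name and the observation that the worm phones home, so a school IT team unpacking such a batch has to decide per device whether it can be issued. The following PowerShell triage script is an added example written for this page; it is not code from the article, the DfE, the GHWT program or the manufacturer. It assumes (not stated in the article) that Microsoft Defender is the on-box antivirus and that its detection names for this family contain "Gamarue" (Microsoft's name for Andromeda); the family regex and the list of "suspicious" user-writable paths are our own heuristics, and no network addresses are hard-coded because the article names none.

```powershell
# Added triage example (not from the article, the DfE or Tactus). Run as Administrator
# on a freshly unpacked laptop before it is handed to a pupil. It does not clean the
# device: a positive result means "do not issue, reimage from a known-good build".
# Assumptions not stated in the article: Microsoft Defender is the installed AV and
# names this family "Gamarue"; the regexes below are our own heuristics.
$familyPattern = 'Gamarue|Andromeda'
# User-writable locations where a dropped downloader typically persists (heuristic).
$suspectPaths  = 'AppData|ProgramData|\\Temp\\|\\Users\\Public|Recycle'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender state, fresh signatures, quick scan.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    $findings.Add('Defender disabled or real-time protection off')
}
Update-MpSignature -ErrorAction SilentlyContinue
Start-MpScan -ScanType QuickScan -ErrorAction SilentlyContinue

# 2. Detection history: any hit on the family, whether active or already remediated.
Get-MpThreat | Where-Object { $_.ThreatName -match $familyPattern } | ForEach-Object {
    $findings.Add("Defender detection: $($_.ThreatName) -> $($_.Resources -join ', ')")
}

# 3. Autostart entries (Run keys, Startup folders) that execute from user-writable paths.
Get-CimInstance Win32_StartupCommand | Where-Object { $_.Command -match $suspectPaths } |
    ForEach-Object { $findings.Add("Autostart '$($_.Name)' runs $($_.Command) [$($_.Location)]") }

# 4. Scheduled tasks whose action executes from those paths.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match $suspectPaths) {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) runs $($a.Execute) $($a.Arguments)")
        }
    }
}

# 5. Established outbound connections to non-private addresses whose owning binary
#    lives in a user-writable path. A fresh image should have very few of these.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1|fe80)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc -and $proc.Path) { $proc.Path } else { 'unknown' }
        if ($path -match $suspectPaths) {
            $findings.Add("Outbound $($_.RemoteAddress):$($_.RemotePort) from $path (PID $($_.OwningProcess))")
        }
    }

# 6. One record per device, so results from a whole batch can be collected centrally.
[PSCustomObject]@{
    Device     = $env:COMPUTERNAME
    Serial     = (Get-CimInstance Win32_BIOS).SerialNumber
    Signatures = $status.AntivirusSignatureVersion
    Verdict    = if ($findings.Count -gt 0) { 'QUARANTINE - reimage before issuing' } else { 'no findings (not proof of cleanliness)' }
    Findings   = $findings
} | Format-List
```

The script only orders the work; it cannot prove a device is clean. If the worm really was part of the factory image, as the article says is currently assumed, every device in the batch came from an untrusted build, and the safe course is the one at least one school took: wipe and reinstall from a build the school controls, and keep the triage output per serial number as the record of what was found before the wipe.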

Low-end GeoBook 1E for students

Specifically, the device in question is the GeoBook 1E, a low-end device running Windows 10 Pro Education and manufactured by the Shenzhen-based Tactus Group. The 11.6-inch device (with a 1920×1080 IPS display) is touted by the manufacturer as an ultra-portable notebook for learners of all ages.

GeoBook 1E for students

It is equipped with a dual- or quad-core Intel processor (e.g. the Intel Celeron N3350), 4 GB of RAM and 32 or 64 GB of eMMC storage. USB 3.0/2.0 ports, an SD card reader, an HDMI output and a basic webcam are included. The devices are preloaded with the educational software specified by the UK Department for Education. In this forum post, the discussion is about the device's performance and the price the British may have paid for the delivery.





This entry was posted in devices, Security, Windows.
