There's never any way to be 100% certain an infected server is totally clean (see last month's discussion of BIOS-based malware). However, with an accurate diagnosis, effective response and careful monitoring, it's possible to achieve a high degree of reliability.
First, determine how the botnet infection affects new PCs. Unless you're dealing with a USB worm, it's probably spreading via the network. If you know the name of the malware or specific characteristics (such as related processes and ports), then look for details in online antivirus databases, such as the McAfee Threat Center. Otherwise, take a machine you know is infected, and monitor it closely, logging activity until it's clear how the bot communicates and spreads. Also consider sending a malware sample to a professional malware analysis lab for a detailed report.
To contain the botnet infection, block the bot traffic within your hospital IT network. Consider blocking all unnecessary workstation traffic; generally there's no reason for workstations to talk directly to each other. If the bot is spreading via USB, you can disable USB device connections using Group Policy (or hot glue; use at your own risk).
Monitor internal network traffic carefully. Even if you're short on staff or funding, you can configure Snort, a popular intrusion detection tool, to monitor traffic on key segments and trigger alerts when suspicious activity arises. Especially in an environment such as a hospital, where confidential information abounds, consider monitoring traffic content for protected health information (PHI), and block any inappropriate outbound transfers.
Integrity-checking software is a great idea. Host integrity checking tools such as Osiris allow you to establish a baseline for critical files on servers, and then later check to see if anything has changed. You can use this to detect compromises and assess the scope of a breach. Of course, you need to create the initial baseline while the server is in a known, clean state.
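An added illustration of the baseline-then-compare approach described above (example code written for this page, not Osiris's own tooling): it hashes every regular file under a directory with SHA-256, records size and permission bits, and later diffs a fresh scan against the saved baseline. The sample file tree and the changes made to it are constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(path), "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline

def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed sample tree: baseline it while clean, alter it, then diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original program bytes")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        snapshot = json.dumps(baseline)  # keep this off-host (signed / read-only media)
        # Changes a responder wants flagged: same-size binary swap, new boot entry, deleted config.
        (root / "bin" / "login").write_bytes(b"replaced program bytes")
        (root / "etc" / "rc.local").write_text("run-something-at-boot\n")
        (root / "etc" / "hosts").unlink()
        return compare(json.loads(snapshot), build_baseline(root))
```

The replaced binary in the demo is the same size as the original, which is why the check keys on a digest rather than size or timestamps alone.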
"Disinfecting" hospitals is a challenge, but it certainly can be done. Planning ahead is key. The better you have outfitted your network, the easier it is to contain malware and recover from attacks.
This was first published in July 2009