We were recently hit by what seems to be a botnet infection on our hospital IT network. The botnet executes a process regsrvc.exe and runs a service which is called remote service controller. We can get rid of these with removal tools and Windows updates, but it keeps on infecting, going to random PCs in the network. We have about 5,000 users. We think our servers have been cleaned and patched, but is there any way to confirm this or perhaps trace the origin of the malicious code?
Networks are constantly infected with new and different kinds of malware, and hospitals are among the most challenging environments to manage because of the variety of equipment, the 24x7 operating requirements and the large amount of confidential information distributed across the network.
There's never any way to be 100% certain an infected server is totally clean (see last month's discussion of BIOS-based malware). However, with an accurate diagnosis, effective response and careful monitoring, it's possible to achieve a high degree of reliability.
First, determine how the botnet infection affects new PCs. Unless you're dealing with a USB worm, it's probably spreading via the network. If you know the name of the malware or specific characteristics (such as related processes and ports), then look for details in online antivirus databases, such as the McAfee Threat Center. Otherwise, take a machine you know is infected, and monitor it closely, logging activity until it's clear how the bot communicates and spreads. Also consider sending a malware sample to a professional malware analysis lab for a detailed report.
To contain the botnet infection, block the bot traffic within your hospital IT network. Consider blocking all unnecessary workstation traffic; generally there's no reason for workstations to talk directly to each other. If the bot is spreading via USB, you can disable USB device connections using Group Policy (or hot glue; use at your own risk).
Monitor internal network traffic carefully. Even if you're short on staff or funding, you can configure Snort, a popular intrusion detection tool, to monitor traffic on key segments and trigger alerts when suspicious activity arises. Especially in an environment such as a hospital, where confidential information abounds, consider monitoring traffic content for protected health information (PHI), and block any inappropriate outbound transfers.
Integrity-checking software is a great idea. Host integrity checking tools such as Osiris allow you to establish a baseline for critical files on servers, and then later check to see if anything has changed. You can use this to detect compromises and assess the scope of a breach. Of course, you need to create the initial baseline while the server is in a known, clean state.
"Disinfecting" hospitals is a challenge, but it certainly can be done. Planning ahead is key. The better you have outfitted your network, the easier it is to contain malware and recover from attacks.