Ever heard of a hospital administrator killed by a computer virus? It’s one of those great problem examples that came our way, and our forensic geeks, Patrick Hubbard and Lawrence Garvin, cracked the case.

The story involves a midsize hospital with ~1,000 workstations, 100 servers and a few campuses, with many dependencies on outsourced services such as diagnostic imaging, web-based patient care services, offsite billing and telepresence. Basic network monitoring revealed that the firewall CPU was hammered, and though they were doing some flow analysis, they couldn’t quickly isolate the contagion.

Here’s the 10,000ft view of what their environment looked like when it came to us:

[Image: HGpic.png, a diagram of the hospital’s environment]

The firewall was locked up, the network was busy with random, unknown traffic and user workstations had become unusable. There was a whole bunch of traffic coming in two different waves:

  • ICMP traffic randomly scanning subnets
  • TCP attempts to connect to external addresses

There were so many connections through the firewall that it filled its memory and overwhelmed its ability to serve. It was code blue at the SonicWALL. We brought in the firewall-logs crash cart and discovered a spreading virus: virulent, stealthy and overlooked by antivirus sanitation protocols.

As a first step, they checked the logs and looked back at the original waves of the ping traffic, identifying the first machine to be affected. Next, they hacked together a custom patch to clean individual workstations, but reinfection soon began again, spreading exponentially as before.

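The log-review step above is the kind of triage that can be scripted. The Python below is an added example, not code from the post or from the Head Geeks; it assumes a hypothetical key=value firewall log format (real SonicWALL fields differ), an internal address space of 10.0.0.0/8, and a few constructed sample lines. It flags every source that ICMP-sweeps several /24 subnets or opens TCP connections to several external hosts, records when each source first crossed a threshold, and orders them so the earliest one, the best candidate for the first infected machine, comes out on top.

```python
"""Triage helper for the two traffic waves described above: find the hosts
that ICMP-sweep many subnets or open TCP connections to many external
addresses, and order them by when they first misbehaved. The log format,
field names, addresses and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Assumption: the hospital's internal address space (not stated in the post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ICMP_SUBNET_THRESHOLD = 3  # distinct /24s pinged before a source counts as sweeping
EXT_TCP_THRESHOLD = 3      # distinct external hosts before a source counts as beaconing

# Hypothetical key=value syslog format; real SonicWALL log fields differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?\s*$"
)

# Constructed sample log: 10.1.4.22 starts sweeping first, 10.1.7.9 follows
# later, and 10.1.2.8 is an ordinary host that should not be flagged.
SAMPLE_LOG = """\
2013-04-02T09:14:02 src=10.1.4.22 dst=10.1.9.117 proto=icmp
2013-04-02T09:14:02 src=10.1.4.22 dst=10.1.12.5 proto=icmp
2013-04-02T09:14:03 src=10.1.4.22 dst=10.1.15.201 proto=icmp
2013-04-02T09:14:03 src=10.1.4.22 dst=10.1.31.77 proto=icmp
2013-04-02T09:14:10 src=10.1.4.22 dst=203.0.113.45 proto=tcp dport=445
2013-04-02T09:14:11 src=10.1.4.22 dst=198.51.100.7 proto=tcp dport=445
2013-04-02T09:14:11 src=10.1.4.22 dst=192.0.2.19 proto=tcp dport=445
2013-04-02T09:20:40 src=10.1.2.8 dst=10.1.2.1 proto=icmp
2013-04-02T09:21:00 src=10.1.2.8 dst=10.20.0.40 proto=tcp dport=443
2013-04-02T09:31:05 src=10.1.7.9 dst=10.1.3.14 proto=icmp
2013-04-02T09:31:05 src=10.1.7.9 dst=10.1.22.9 proto=icmp
2013-04-02T09:31:06 src=10.1.7.9 dst=10.1.40.250 proto=icmp
2013-04-02T09:31:15 src=10.1.7.9 dst=203.0.113.45 proto=tcp dport=445
"""


def is_internal(ip_str):
    """True if the address falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def profile_sources(log_text):
    """Per source: the distinct /24s it pinged, the distinct external hosts it
    opened TCP to, and the timestamp at which it first crossed either threshold."""
    profiles = defaultdict(
        lambda: {"icmp_subnets": set(), "ext_tcp": set(), "flagged_at": None}
    )
    for rec in parse_log(log_text):
        p = profiles[rec["src"]]
        if rec["proto"] == "icmp":
            subnet = ipaddress.ip_network(rec["dst"] + "/24", strict=False)
            p["icmp_subnets"].add(subnet)
        elif rec["proto"] == "tcp" and not is_internal(rec["dst"]):
            p["ext_tcp"].add(rec["dst"])
        crossed = (len(p["icmp_subnets"]) >= ICMP_SUBNET_THRESHOLD
                   or len(p["ext_tcp"]) >= EXT_TCP_THRESHOLD)
        if crossed and p["flagged_at"] is None:
            p["flagged_at"] = rec["ts"]  # remember the first sign, not the latest
    return profiles


def suspects(log_text):
    """(source, first-flagged timestamp) pairs, earliest first; the head of the
    list is where cleanup and containment should start."""
    flagged = [(src, p["flagged_at"])
               for src, p in profile_sources(log_text).items()
               if p["flagged_at"] is not None]
    return sorted(flagged, key=lambda item: item[1])


def patient_zero(log_text):
    """Address of the earliest-flagged source, or None if nothing crossed a threshold."""
    ordered = suspects(log_text)
    return ordered[0][0] if ordered else None


if __name__ == "__main__":
    for src, when in suspects(SAMPLE_LOG):
        print(f"{when.isoformat()}  {src}")
    print("first infected host:", patient_zero(SAMPLE_LOG))
```

Recording the timestamp at which a source first crossed a threshold, rather than its first appearance in the log, is what makes the ordering useful: a host that pinged its default gateway once and then got infected an hour later should sort by the infection, not by the gateway ping.
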
So, what was the final fix? Tune in to see how the Geeks healed the patient and helped the hospital IT team get better visibility on their entire IT security infrastructure.