Laptops given to British schools came preloaded with remote-access worm
Department for Education says: 'We believe this is not widespread'
A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware, The Register can reveal.
The affected laptops, distributed to schools under the UK government's Get Help With Technology (GHWT) scheme, which started last year, came bundled with Gamarue – an old remote-access worm from the 2010s. This software nasty doesn't just spread from computer to computer, it also tries to connect to outside servers for instructions to carry out.
The Register understands that a batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware. A spokesperson for the manufacturer was not available for comment.
These devices have shipped over the past three to four weeks, though it is unclear how many of them are infected. One source at a school told The Register that the machines in question seemed to have been manufactured in late 2019 and appeared to have had their DfE-specified software installed last year.
We have been shown emails sent to and from the Department for Education (DfE), which oversees the GHWT scheme, flagging up concerns about the laptops. It appears that at least one school is formatting and reimaging the laptops from a known clean build as a result of the infection before issuing them to pupils.
We've also seen online forums where Bradford school employees discuss the council contacting them on Wednesday to warn them of the problem, saying in an email: "Upon unboxing and preparing them it was discovered that a number of the laptops are infected with a self-propagating network worm ... that looks like it contacts Russian servers when active."
People familiar with the GHWT rollout told The Register that not all the machines in the batch phoned home, however.
The GeoBook 1Es are intended for use by schoolchildren isolating at home during the pandemic as well as in schools themselves. The Reg understands that 77,000 Geo units have shipped so far under GHWT, with several thousand left to ship.
A DfE spokeswoman told The Register: "We are aware of an issue with a small number of devices and we are investigating as an urgent priority to resolve the matter as soon as possible. DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread."
Of the Geo brand, another source said: "I'd never heard of Geo before; it's not a known manufacturer. There have been availability issues for a while now, the world has been buying lots of laptops and sometimes they are buying what they can get because the media and opposition parties are saying: 'You've got to roll this out quicker'."
Sources told us reseller XMA sourced the kit but was not asked to configure it. It was among three resellers supplying the GHWT contract. Computacenter initially bagged an £87m contract to supply GHWT last year and was joined by IT resellers SCC UK and XMA later that year. XMA inked a 12-month contract worth £5.7m covering 26,449 devices, in October 2020. The £2.1m SCC deal, also inked that month, covers another 10,000 devices.
XMA told us it had no comment.
Antivirus firm Sophos described Gamarue in a blog post from 2016 as "a worm that enables remote access to affected systems" which typically "spreads via removable drives".
"When first run, W32/Gamarue-BJ connects to a C2 site to download updates and further instructions," said Sophos.
The malware, well known to antivirus vendors since its inception in 2011, was also distributed in the mid-2010s by the Andromeda botnet. That was KO'd by an international coalition in 2017. Gamarue's C2 – its command-and-control server – may also be dormant by now.
If you are worried about your child's laptop, contact their school for help. If the GeoBook has antivirus software, manually update that (if you can) to the latest version and run a full system scan. Since Gamarue spreads via removable drives, scan any USB sticks that have been plugged into the machine as well. That should remove any trace of Gamarue, though formatting and reimaging the laptop from a known clean build, as at least one school is doing, is the surer fix. ®
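For school IT staff triaging a batch of these Windows 10 machines, the scan described above can be scripted rather than clicked through. The following is an added example, not code from The Register, Geo or the DfE; it assumes the laptop is running the Microsoft Defender that ships with Windows 10 and that the script is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): triage a Windows 10 laptop
# with the built-in Microsoft Defender cmdlets. Assumes the Defender PowerShell
# module is present (it ships with Windows 10) and that this runs as Administrator.

# 1. Refresh the signature database before scanning. An engine with stale
#    signatures may not recognise the sample at all, so record when it was updated.
Update-MpSignature
$status = Get-MpComputerStatus
Write-Host "Signatures last updated: $($status.AntivirusSignatureLastUpdated)"

# 2. Full scan of the fixed disks.
Start-MpScan -ScanType FullScan

# 3. Gamarue spreads via removable drives, so also scan every USB volume
#    currently attached that has a drive letter assigned.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $path = "$($_.DriveLetter):\"
        Write-Host "Scanning removable volume $path"
        Start-MpScan -ScanType CustomScan -ScanPath $path
    }

# 4. Review what Defender detected and whether its remediation succeeded.
Get-MpThreatDetection |
    Select-Object ThreatID, InitialDetectionTime, Resources, ActionSuccess |
    Format-Table -AutoSize

# 5. Anything still marked active was not cleaned; treat that machine as
#    a candidate for wiping and reimaging rather than trusting the scan.
$active = Get-MpThreat | Where-Object { $_.IsActive }
if ($active) {
    Write-Warning "Active threats remain; reimage this device from a known clean build:"
    $active | Select-Object ThreatName, SeverityID | Format-Table -AutoSize
} else {
    Write-Host "No active threats reported by Defender."
}
```

Run this once per laptop before it is issued to a pupil, and keep the output alongside the device's serial number. A clean scan result only says the signatures in use found nothing; for a machine that arrived infected from the supplier, the reimage route at least one school has chosen removes the question of whether the scan caught everything.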
Updated on January 22, 2021
A Geo spokesperson told The Register: "We have been working closely with the Department of Education regarding a reported issue on a very small number of devices. We are providing our full support during their investigation. We take all matters of security extremely seriously. Any schools that have concerns should contact the Department of Education."
A Department for Education spokesperson told us: "We have been investigating an issue with malware that was found on a small number of the laptops provided to schools as part of our Get Help With Technology programme.
"In all known cases, the malware was detected and removed at the point schools first turned the devices on.
"We take online safety and security extremely seriously and we will continue to monitor for any further reports of malware. Any schools that may have concerns should contact the Department for Education."