Nasty worm gives state computers indigestion

KENNETH P. VOGEL; The News Tribune
Last updated: March 24th, 2005 07:37 AM

The FBI and the Washington State Patrol are investigating the source of an Internet worm that crippled the state Department of Revenue’s computer network this week and double-billed 1,400 businesses for tax payments.

The worm, a variant of a computer program that infected state government networks a few months ago, most likely entered the system over the weekend, according to Ralph Osgood, the Revenue Department’s deputy director.

As employees logged onto their computers Monday morning, Osgood said “it multiplied very rapidly and took the system down.”

The department, which collects state business and sales taxes, began rebooting its computers Wednesday afternoon and planned to be fully operational today.

As of Wednesday evening, department officials said they had not found any lasting damage. No confidential taxpayer information was lost or compromised. The agency issued credits to the businesses that were charged twice and planned to contact each to explain what happened.

Osgood said the worm “doesn’t appear to scramble data or retrieve data and send it different places.” The goal, he said, seemed to be “to cause chaos.”

FBI Special Agent Roberta Burroughs wouldn’t say if the bureau’s Northwest cyber crimes task force had any leads. “Just trying to figure out what happened,” she said.

The 2½-day system shutdown made the crash among the most debilitating to strike a state government agency, according to interviews with state agency technology officers.

Worms are independent programs that replicate themselves, spreading from computer to computer on a network.

This particular worm is a variation of a program known as Rbot that has periodically infected the state network over the last few years, said Nancy Jackson, the Department of Information Services’ spokeswoman.

“It has never had a major impact on the state network,” she said. “It has, throughout the years, had some limited impact on specific agencies. But if they don’t call us we wouldn’t know.”

Revenue Department officials realized the magnitude of the problem Tuesday morning and called security experts from the Department of Information Services, Microsoft and its contract software consultant.

“We’ve never had this type of thing before,” said Vikki Smith, the Revenue Department’s assistant director for taxpayer services.

The agency continued to accept tax filings from businesses around the state, but its 1,060 employees were unable to enter information into the system. A handful of employees whose jobs are inextricably tied to computers voluntarily took vacation time, Osgood said, while others had to use pens, papers and fax machines.

“We do not have people just sitting around their offices. Everyone is working,” he said. “This should not really be that noticeable to the business taxpayers.”

Other department functions that don’t rely on the network, including answering tax questions on a telephone hot line and conducting field audits, continued as usual, Osgood said. The department also caught up on a training backlog.

The worm was isolated in the Revenue Department’s computer network and did not spread to other agencies on the statewide system, according to Jackson, the Department of Information Services spokeswoman.

Worms can enter a network via e-mail or if someone with access to a network computer downloads or installs infected software.

The state’s Public Disclosure Commission, which accepts streams of data from computer users around the state, relies on a system of electronic firewalls, virus monitoring and other filters to block the procession of worms trying to burrow into the system, said chief technology officer Michael Smith. “It happens constantly,” he said.

“I can literally sit there and watch our firewall logging and say, ‘Look, there’s another worm scanning for an open port.’”

Worms haven’t done much damage to the Department of Transportation’s system since a January 2003 worm forced a brief system shutdown, said Jeremy Bertrand, the agency’s assistant Web manager.

“Ever since then, we’ve made significant investments” in security, he said. But he added, “There’s always a hole somewhere.”

Osgood said the Revenue Department hasn’t figured out how the worm got in, and hasn’t ruled out the possibility that an employee might be the source. If it can be traced to a person or group, he said the agency might pursue criminal charges.

A variation of the worm shut down the Department of Revenue’s computers for a few hours several months ago, said Osgood. But it could not be tracked because the evidence was erased when the computers were cleaned before rebooting.

This time, Osgood said, “our main goal is getting our system up and running, while at the same time actually preserving an audit trail for the investigation to try to find the point of entry for the worm. And of course that will help us reduce the risk of something like this happening again.”

Kenneth P. Vogel: 360-754-6093

Where to call

If you have questions about the computer worm and how it has affected tax billing, call the Revenue Department’s general information line at 1-800-647-7706.

What is a worm?

Computer worms are like computer viruses in that both replicate themselves and are usually designed to mess up computers or programs.

Unlike viruses, worms are self-contained entities that can spread themselves through a network without being attached to an e-mail or another file.

A worm can cripple a computer network just by the amount of traffic it generates replicating itself.

