back to article Laptops given to British schools came preloaded with remote-access worm

A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware, The Register can reveal. The affected laptops, distributed to schools under the UK government's Get Help With Technology (GHWT) scheme, which started last year, came bundled with …


  1. Anonymous Coward
    Anonymous Coward

    DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread."

    AKA, they don't f*cking know what is happening, and how widespread it is.

    How many people monitor their internet packets to determine the phone home ???

    1. Anonymous Coward
      Anonymous Coward

      Since the laptops are going to the kind of people not privileged enough to know what tcpdump is, I expect someone in a bit of a crappy school IT role stumbled on it.

      1. monty75

        > Since the laptops are going to the kind of people not privileged enough to know what tcpdump is

        Poor kids aren't allowed to know about computers?

        1. Anonymous Coward
          Anonymous Coward

          They don’t get the eyeball time... Helps to have a computer of your own for that.

        2. Blazde Bronze badge

          Back in my day it was the poor kids, who genuinely valued their hardware access, that knew the most about it. The rich kids had far too much cool stuff to play with to care why or how one flashy gizmo among many actually worked.

    2. sanmigueelbeer Silver badge

      We believe this is not widespread.

      Translation: Only <22,990 laptops are affected, ergo, "not widespread".

  2. Danny 2 Silver badge

    "Okay Year Two, have you finished your finger art? It's time for our IPSec PKI VPN and OS config class. Can anyone tell me what a virus is? Not you Mr Williamson, put down your hand. "

  3. Anonymous Coward
    Anonymous Coward

    We knew the Tories were in bed with the Russians, but we didn't realise it had gone so far that government-issued laptops now come with pre-installed malware that calls home to Moscow!

    1. Muppet Boss

      I would be curious to learn what sort of IP addresses the laptops would try to connect to, the malware's C&C. Is this a Russian hosting provider, a residential IP network, or an IP address hosting

      Also, whether they asked the Russians to investigate.

    2. pintofbitter

      and I got a load of down votes for asking why the hell we let a "red" Chinese company into our networks ! Well done Boris !

      1. BigSLitleP

        aaaand you're going to get more downvotes for equating two things that are not related.

  4. Zebo-the-Fat


    What does Moscow need to know what the kids are doing? What interest is it to them?

    1. druck Silver badge

      Re: Question

      Once it's on the home network, they'll be able to see whatever the parents working from home are doing too, one or two of them may be employed by someone of interest.

      1. 0laf Silver badge

        Re: Question

        Some schools are on networks shared with local authorities.

        Local authorities have network links into central government departments.

        Hitting schools is a low cost, low risk supply line attack so well worth doing even if the chance of a big payoff are low as well.

        If nothing else hitting schools causes a general disruption especially if kids going home affects industry, government and decreses general trust in the goverment as a whole.

    2. RM Myers Silver badge

      Re: Question

      Hmmm, let's see - a "...number of the laptops are infected with a self-propagating network worm ... " Now what could you do with a network worm on a child's laptop? Maybe propagate to dad or mom's computer that connects to their work network? Or that they use for banking? Seems like a possibility to me.

    3. steelpillow Silver badge

      Re: Question

      "What does Moscow need to know what the kids are doing? What interest is it to them?"

      They are probably more surprised than we are that this thing has risen from the dead courtesy of DfE. The Russian equivalent is surely a lot more IT aware.

  5. chivo243 Silver badge

    Can only trust myself

    I source the gear my kid uses, if there's a meltdown, I know who to blame.

    1. Jason Hindle

      Re: Can only trust myself

      Unfortunately, a lot of children are burdened with normals* for parents.

      * Defined as someone who has never heard of The Register.

      1. Tomato42

        Re: Can only trust myself

        I believe the term of choice is "muggle"

    2. PickledAardvark

      Re: Can only trust myself

      'Meltdown' is an unfortunate term owing to the number of bedroom fires caused by overheating computer devices and power supplies.

    3. NightFox

      Re: Can only trust myself

      Fine for those who can afford to - thousands are struggling just to 'source' the food their kids eat.

  6. b0llchit

    Getting Pwned must be learned

    It is a very good education indeed. The young ones have to be taught that getting Pwned is a fact of daily life and work and certainly not to be confused with contradictory to privacy and independent thought. Its like the old motto: "Get'm while they're young".

    The ministry and the chain of command has been effective in setting up the future of computing and the next generation of voters. Today it is only calling Moscow to test the back door links to other three and four letter agencies. Next up, automatic thought correction by subliminal computing.

  7. Pascal Monett Silver badge

    'we believe this is not widespread'

    Aka : It only affected a small number of customers.

    Yeah. it affected at least 23000 children.

    How on God's Green Earth did you order stuff from children without bothering to order from a properly vetted supplier ?

    Oh, right, stupid me. It would have cost more.

    Well, enjoy your savings now.

    1. Tom 7 Silver badge

      Re: 'we believe this is not widespread'

      "Oh, right, stupid me. It would have cost more." but it never does does it? This lot really would let the ship sink than spend the money on a haperth of tar, especially when they can spend the money in a mates pub.

    2. Dan 55 Silver badge

      Re: 'we believe this is not widespread'

      Another one to add to the pile for Good Law Project?

    3. katrinab Silver badge

      Re: 'we believe this is not widespread'

      “ Oh, right, stupid me. It would have cost more.”

      Nope, that’s not how this Tory government works. Contracts go to Tory donors for way above market value, and the donations aren’t that big, typically around £10,000. [1]

      [1] As alleged by The Good Law Project. Court case pending.

      1. Danny Boyd

        Re: 'we believe this is not widespread'

        Tory, shmory... They explained clearly: the supply was short, so they grabbed what was available, because media and opposition put a pressure on them to move fast.

    4. hoola Silver badge

      Re: 'we believe this is not widespread'

      I would have thought this was in the base image, all or nothing. One assumes as it has been found then it is all.

      Utter incompetence on the part of the people procuring them. Presumably the came by the container load and were broken done for distribution without anyone even checking what was in the box.

      I love the phrase about Antivirus software. There appear to be Windows 10 so there is Defender built in by default. It just is limited in the protection it gives compared to other products. If they have installed something else then one assumes that it is a freebee so who knows what it is doing.

  8. DevOpsTimothyC

    Plausible Deniability

    Putting a tinfoil hat on, is this a case of plausable denability or maybe just too much conspiricy theory?

    Either someone in UK Gov is incompetant for giving out comprimised machines OR They are not comprimised and instead contain UK gov approved malware pre-installed with the target being in Russia (rather than GCHQ or similar) for plausable denability purposes.

    1. Test Man

      Re: Plausible Deniability

      Calm down. It's just a cockspur, which is par for the course when it comes to the government.

    2. TDog

      Re: Plausible Deniability

      Of course it could be the Chinese aiming to embarrass the Russians. Or the EU for similar reasons. Or Trump, because Trump. Or maybe the DFE to assist in it's claim for a bigger budget. Oh - the possibilities...

      1. Anonymous Coward
        Anonymous Coward

        @TDog - Re: Plausible Deniability

        OK, everybody stay calm, you hear me ? Stay calm!

  9. JDPower Bronze badge

    Surely if this is a ten year old bit of malware Windows will have long ago been patched against the vulnerability? If so then these laptops are using a Windows image with ten years worth of unpatched vulnerabilities, not just the one that is already there?

    1. TRT Silver badge

      A 10 year old Windows 10 image?

      1. JDPower Bronze badge

        Even more reason why this must be a patched vulnerability.

        1. Kane Silver badge


          1. This post has been deleted by its author

          2. TRT Silver badge

            Of course, one could argue that there's more than 10 yearsworth of unpatched vulnerabilities in a even week old Windows 10 image...


      Malware != vulnerability

      not every malware relies on vulnerabilities. A vulnerability, if at all, you only need as part of an attack vector to infiltrate a system. But as well you can implement a RAT or whatever malware targeted and manually if you can get hold of the machine(s) in question. That doesn't employ a vulnerability.

      1. JDPower Bronze badge

        Re: Malware != vulnerability

        Thanks for explaining what I was missing instead of just posting a smug reply. I presume Windows Defender would block this 10 year old known malware, so whilst it shouldn't have happened it's still a slight non issue (rather than the articles implication that these laptops are all sending data to Russia)

      2. TRT Silver badge

        Re: Malware != vulnerability

        Indeed, the volume just needs to be mounted as a writeable filesystem on an infected host, say a bulk duplicator, in order for whatever installer or package is involved to appear on that media.

  10. blokemoke

    Doesn't Windows Defender pick it up?! We have these laptops so how the bloomin' heck do we clean them...

    1. Dan 55 Silver badge

      Apparently only some builds are infected, Windows Defender does detect it, and the recovery partition does not contain the virus so if your build has it then reinstalling from recovery would be the way to go. Read on from here.

  11. Anonymous Coward
    Anonymous Coward

    Sounds familiar....

    Here in the US, smartphones given out through the government's "LifeLine" assistance program come with preinstalled malware that also calls home to Russian (and Chinese) servers:

    The phones also contain a backdoor that can grant any app any permission, install apps remotely and runs as SYSTEM.

  12. alain williams Silver badge

    Windows telemetry options ?

    I suspect that these were left at Microsoft default so these machines would have been phoning home to Uncle Sam anyway.

  13. Howard Sway

    "We are aware of an issue with a small number of devices"

    Sounds like Baroness Dido Harding has given them a copy of her book of corporate IT fuckup excuses.

    "Chapter 5 : A limited number of users may have been affected by this problem"

    1. chivo243 Silver badge

      Re: "We are aware of an issue with a small number of devices"

      Nice one! A small number is 7 a slightly larger number is 43, a pretty big number is 20,000 + Although, comparing her disaster numbers to this incident, 20,000 can be considered a smaller number, considerably smaller...

      1. katrinab Silver badge

        Re: "We are aware of an issue with a small number of devices"

        The number of people affected is limited by the school population of the country. Therefore it is correct to say it is a limited number.

        1. John Brown (no body) Silver badge

          Re: "We are aware of an issue with a small number of devices"

          And the first Google result tells me there were 11.7 million school age students in the UK in 2016. So 20,000ish is a small number in that respect. It's not a good result, but it's far from being the disaster some are claiming.

    2. Doctor Syntax Silver badge

      Re: "We are aware of an issue with a small number of devices"

      Not needed. Unless they're able to prefix every statement with that and/or "Your security is important to us." as appropriate nobody is allowed into the PR profession.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021