Conficker worm hits hospital devices

Apr 30, 2009 By Elise Ackerman

A computer worm that has alarmed security experts around the world has crawled into hundreds of medical devices at dozens of hospitals in the United States and other countries, according to technologists monitoring the threat.

The worm, known as "Conficker," has not harmed any patients, they say, but it poses a potential threat to hospital operations.

"A few weeks ago, we discovered , MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions -- presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet _ and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched.

"For 90 days these infected machines could easily be used in an attack, including, for example, the leaking of patient information," said Rodney Joffe, a senior vice president at NeuStar, a communications company that belongs to an industry working group created to deal with the worm. "They also could be used in an attack that affects other devices on the same networks."

Joffe, who is scheduled to testify before Congress on Friday, said he will ask lawmakers to remove the barriers to coordination between federal agencies so that cyberthreats like Conficker can be addressed.

In addition to the medical-imaging machines, Joffe said the working group has seen thousands of other machines located in hospitals reach out to the Conficker mastermind by contacting another computer on the Internet for instructions. Researchers have not determined the function of these machines. They could be a personal computer sitting on a secretary's desk or more sensitive medical devices linked to patient care.

"Hopefully, the malware writers didn't have a lot of insight into how these medical devices work," said Patrik Runald, chief security adviser for F-Secure, a computer-security company based in Finland. Runald said the worm had also been found at a hospital in Sweden and several hospitals in England earlier this year.

And the danger isn't contained to hospitals.

"Microsoft Windows is a common operating system for embedded devices that is used in all industries," Joffe said. "There is no reason to believe that other industries don't have the same problem."

At the peak of the worm's infection in early spring, the Conficker Working Group estimated there were more than 10 million devices infected worldwide. Runald, whose company is part of the Conficker Working Group, said about 3 million devices are currently compromised as the others were cleaned up. But while experts have patched infected machines, they have not been able to stop the spread of the worm.

Conficker spreads by copying itself onto machines running Microsoft's Windows that lack the security patch from October. Conficker installs itself and periodically reaches out for directions from its maker that cause it to rewrite its code, increasing its capabilities for malicious action and decreasing its chance of detection.

Joffe said he doubted that whoever made Conficker was specifically targeting medical devices or parts of the country's critical infrastructure, but that doesn't reduce the risk that key industries could be crippled by the worm.

"Once they work out what they've got, who knows who they will sell access to," he said. "This has to be fixed."

___

(c) 2009, San Jose Mercury News (San Jose, Calif.).
Visit the World Wide Web site of the Mercury News, at www.mercurynews.com/
Distributed by McClatchy-Tribune Information Services.

Explore further: Messaging app seeks to bring voices back to phones

add to favorites email to friend print save as pdf

Related Stories

Conficker Worm Prepares For A New Release On April 1

Mar 27, 2009

(PhysOrg.com) -- The conficker worm created havoc last year when it infected over 10 million computers on a global scale. The unique design of the conficker worm allowed for this large scale attack to over ...

Huge computer worm Conficker stirring to life

Apr 09, 2009

(AP) -- The dreaded Conficker computer worm is stirring. Security experts say the worm's authors appear to be trying to build a big moneymaker, but not a cyber weapon of mass destruction as many people feared.

Don't fret about Conficker: Here's what to do

Mar 31, 2009

(AP) -- The Conficker worm, a nasty computer infection that has poisoned millions of PCs, will start ramping up its efforts Wednesday to use those machines for cybercrimes. It's unclear whether everyday PC users will even ...

Conficker worm digs in around the world

Apr 01, 2009

Computer security top guns around the world watched warily as the dreaded Conficker worm squirmed deeper into infected machines with the arrival of an April 1st trigger date.

Recommended for you

Where's the app for an earthquake warning?

18 hours ago

Among the many things the Bay Area learned from the recent shaker near Napa is that the University of California, Berkeley's earthquake warning system does indeed work for the handful of people who receive its messages, but ...

Hit 'Just Dance' game goes mobile Sept. 25

Sep 18, 2014

Smartphone lovers will get to show off moves almost anywhere with the Sept. 25 release of a free "Just Dance Now" game tuned for mobile Internet lifestyles.

Indie game developers sprouting at Tokyo Game Show

Sep 18, 2014

Nestled among the industry giants at the Tokyo Game Show Thursday are a growing number of small and independent games developers from Asia and Europe, all hoping they are sitting on the next Minecraft.

Review: Ambitious 'Destiny' lacks imagination

Sep 18, 2014

Midway through "Destiny," the new science fiction epic from "Halo" creators Bungie, a smug prince is musing on the hero's desire to visit a mysterious site on Mars.

User comments : 10

Adjust slider to filter visible comments by rank

Display comments: newest first

vlam67
2 / 5 (4) Apr 30, 2009
I fervently hope the author(s) of the virus were in the hospital when it hits!
Sean_W
1.7 / 5 (6) Apr 30, 2009
One more reason to make computer crimes (including spamming) capital crimes. I don't care if the perp is 13 years old; string him up.
frajo
2.6 / 5 (5) May 01, 2009
Everybody knows about the uncertainties of Windows systems. Thus part of the responsibility lies with those who install and those who use windows even for dangerous tasks.
Hospitals should not be run like anyone's home office.
Scire
1 / 5 (1) May 01, 2009
I'm just wondering how my computer escaped this worm if even hospital equipment has been infected. Maybe I didn't escape...
Icester
1 / 5 (1) May 01, 2009
Once again, another story that shows how the US is woefully unprepared for any type of cyber-war. Sad really - here we are, one of, if not the top, technologically advanced country and our highest echelon and lawmakers are completely clueless.

Guess it will take a 911 on the cyber-side to wake them up. Of course, just like 911, I'm sure our vigilance will lag or, indeed, become sympathetic towards the terrorists just like today.

Conflicker so far has been relatively harmless, but consider the implications if it was designed with a really nasty payload. Power grid, hospitals, and more could be severely impacted. It could literally make 911 look like a walk in the park. I am not an alarmist, but, think about it, how severely would we be affected if our computer systems were basically nullified?
docknowledge
not rated yet May 01, 2009
One more reason to make computer crimes (including spamming) capital crimes. I don't care if the perp is 13 years old; string him up.


There's an underlying battle going on, between get-rich-quick Internet companies and the law protecting personal information and property. Being in Silicon Valley, I say that, naturally, companies such as Yahoo! and Google look for youth who have high expectations for themselves, impatience with the adult world, and little understanding of law. (After all, they don't need to know law to answer any questions on the SAT.)

These younger types would cause havoc on your home computer, if they could break in, and tell you that "they were teaching you a lesson". (That's a literal quote from one of the tech gurus at Excite@Home, a major Internet ISP from a few years ago.)

But "stringing them up" is not the answer. These people act as they do because either: 1) They've been left behind by normal society, and have a grievance, or 2) They are the catspaws for amoral big business interests that are perfectly willing to pay them $100,000 USD a year -- just so long as they return $10,000,000.
vze2jsgs_verizon_bet
4 / 5 (1) May 01, 2009
The point many are missing is the developer of these things want to be benign in the beginning. Being a subtle problem people do not get overly excited as if it did dangerous things at the get-go. Keep it benign but study how it transfers around and what is done to stop it. Each time around they learn how to make it more dangerous but still under the radar. Once they feel they have learned what they wanted to, BAM the lethal version is released. They slipped to us and we did not see it coming!

VaGent
Bob_B
not rated yet May 01, 2009
Anyone here think the NSA has not sent a worm into the wild, too?
wclark2048
not rated yet May 04, 2009
One key point: the vendor's claim that FDA regulations "required that a 90-day notice be given" before patching is disingenuous. The FDA requires that a deliberate and well-documented assessment and validation process be followed by the vendor before approving the patch, and these things do take some time...and are expensive. The vendor is trying to shift the blame to the FDA for their own sluggish response.
Velanarris
not rated yet Jun 01, 2009
One key point: the vendor's claim that FDA regulations "required that a 90-day notice be given" before patching is disingenuous. The FDA requires that a deliberate and well-documented assessment and validation process be followed by the vendor before approving the patch, and these things do take some time...and are expensive. The vendor is trying to shift the blame to the FDA for their own sluggish response.

The problem here is the fact that the FDA declines standard OS patches as "necessary utilization and productivity enhancement."

Effectively, if I have an FDA dosing device that runs off the windows OS I'm not allowed to patch it, use antivirus on it, or install ANYTHING, that was not in the original manufacturing specification until the FDA signs off on it on a device by device basis. Two identical devices each require an individual sign off. 90 days per device, you do the math.