Hospital Equipment Infected With Conficker
nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals.
The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations.
It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access.
A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."
Re:Any lawyers here (Score:3, Informative)
Won't happen. Life-critical devices are embedded systems.
Re:Does it bother anyone else..... (Score:3, Informative)
It bothers me that "critical medical equipment" was running Windows at all.
Another reason to choose open source (Score:5, Informative)
I can totally understand why these systems were still running NT or 2000. If it ain't broke, don't fix it, right?
But if it ain't supported anymore, and it's completely closed-source, you literally CAN'T get fixes for vulnerabilities discovered later on. At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.
Re:Does it bother anyone else..... (Score:1, Informative)
It's possible that they can't upgrade to a newer OS. To do so may require them to upgrade the modality attached to the OS. Hospital systems have to be validated to conform to FDA requirements, and the vendor just may no longer support that OS, and it's just not possible to do it in house.
Re:Any lawyers here (Score:1, Informative)
wow. that's some real strong faith there.
#1 that's not necessarily true
#2 the idea that an embedded system can't be exploited or negatively impacted by the exploitation of a secondary system is naive at best.
welcome to the real world. you're gonna have a tough time here.
oops. sorry. just checked your profile...more than your fair share of troll and flamebait. i get it. well done sweet stuff. now go stroke it...you're a soopahstah.
The question (Score:5, Informative)
Re:Any lawyers here (Score:2, Informative)
Bingo. Proximate cause and negligence on the hospital's part would definitely create a low probability that the virus writer could be charged with manslaughter successfully. Basically, the virus writer could not have reasonably foreseen the writing of this virus as causing someone's death, due to the huge time, distance, and number of events involved before someone died. Also, if any internal policy is set so that these computers are not supposed to be connected to the internet, then it pretty much absolves the virus writer and puts the liability on the hospital.
Someone could certainly take it to court but I don't think the virus writer would lose.
Now if the virus was written to fuck with only medical software and then the virus writer attempted to get it on medical computers, you have a different case.
p.s. I am not a lawyer.
Removable Drives (Score:4, Informative)
As I unfortunately found out yesterday, one of the more common ways the virus spreads is through removable drives. If autorun is enabled for removable devices (which it is by default, and no MS basher responses please), Windows will load autorun.inf straight away, infecting you.
A work colleague brought over a USB stick with some music on it, which I happily acquired, along with Conficker. For some retarded reason the resident shield was disabled. After we received an email about it, I noticed this and re-enabled it. I didn't realise I had the virus until this guy came over again with some more music and the AV software exploded in my face with a nice "warning conficker detected and removed" message. Of course that meant "removed from the USB stick" and not "removed from the PC".
Virus scans would no longer run, and I couldn't access most conficker-removal-related websites unless I went through a proxy. Incredibly, the Microsoft Malicious Software Removal tool worked a treat. After using that, rebooting, and disabling autorun in the registry, it's gone.
I blame partly myself for not disabling autorun (security lockdown on these work PCs is ridiculous; I would have had to ask an admin to do it), and for whoever disabled my bloody resident shield.
I hinted to our admin that I wanted Debian instead, but that didn't go down well. :)
tl;dr version: Conficker is bad, mmkay.
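A defender-side check for the autorun.inf vector this post describes, as an added example that is not from the post or from Slashdot: it parses an autorun.inf leniently (ignoring junk lines, the way Windows' INI handling tolerates them) and flags the directives that would launch code on insertion. The sample .inf contents are constructed, the loader filename is a placeholder, and the parsing rules are an approximation of Windows' behaviour, not its exact implementation.

```python
from typing import Dict, List

# [autorun] directives that make Windows launch a program (or hand the AutoPlay
# "open" action to an attacker-chosen file) when AutoRun is enabled, which is
# the removable-drive path the post above describes.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Lenient INI-style parse of autorun.inf: keep key=value lines inside the
    [autorun] section and skip everything else (comments, blank lines, junk)."""
    directives: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def audit_autorun(text: str) -> List[str]:
    """Return findings for an autorun.inf that would launch code on insertion."""
    d = parse_autorun(text)
    findings: List[str] = []
    for key, value in d.items():
        # shell\<verb>\command defines a custom verb; open/shellexecute are built-in.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key}={value}: runs a program when the drive is inserted")
    # Social-engineering tell: an Action label copying Explorer's own AutoPlay text.
    if findings and "open folder" in d.get("action", "").lower():
        findings.append(f"action={d['action']!r} mimics the built-in Explorer prompt")
    return findings


# Constructed samples (not the worm's real file): one malicious, one benign.
MALICIOUS_INF = (
    "[autorun]\n"
    "\x01\x8a\xfe junk a naive signature scanner might choke on\n"
    "Action=Open folder to view files\n"
    "Icon=%systemroot%\\system32\\shell32.dll,4\n"
    "shellexecute=rundll32.exe RECYCLER\\example_loader.dll,Start\n"  # placeholder name
    "UseAutoPlay=1\n"
)
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Vendor Driver CD\n"

if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, audit_autorun(inf) or ["no launch directives"])
```

Run it against the root of a mounted removable drive (read the file, pass its text in) before anything is opened from it; the same parser is what a simple endpoint check or a mail-gateway rule for shared USB images can build on.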
Re:Does it bother anyone else..... (Score:3, Informative)
Re:Any lawyers here (Score:2, Informative)
and the design flaw was a redundancy fail
Re:Here is why and how (Score:3, Informative)
Most devices that physically touch you and control something which can harm a person are coded in hardware, not windows, and have hardware in place to prevent such a thing from harming someone.
Oh, you must be new here. Have you ever heard of a silly little thing called Therac-25? Here's a summary from Wikipedia [wikipedia.org]:
The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). It was involved with at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, approximately 100 times the intended dose. Three of the six patients died as a direct consequence. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics.
Apparently, some bonehead decided that the hardware lock is too expensive since it can be implemented in software - and removed the physical hardware circuit. So, you never know what those machines can and can't do :)
Re:Old Computers (Score:5, Informative)
Shouldn't they be using OpenBSD, then?
Then the hospitals all complain because the in-house IT generally only understand MS, so they will have to pay for even the simplistic things.
I work for a medical software company and we had a program that ran on Linux only for a long time. We eventually ported it to Windows because the majority of the support calls required an on-site visit, since no one in IT support was willing and/or able to touch a Linux box. Several times I went to sites and the only problem would be that the hard disk was full and they simply needed to delete some old/unneeded data.