Slashdot Mirror


Kraken Infiltration Revives "Friendly Worm" Debate

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

1 of 240 comments

  1. Vulnerable Monitoring Systems by AioKits · Score: 2, Informative

    I used to work in a hospital on the IT side and the only 'monitoring' systems I can think of where this would be a problem aren't so much the ones that keep track of vitals but the ones used as the primary method of observation (think cath labs). Even then the vulnerable workstations/machines are used more for archiving and cataloging of imagery and procedure. Any real work is done on an embedded system with that particular piece of equipment. So if you have to get your heart cathed, don't worry as that machine probably isn't exposed to the internet. Those machines do not and should never be exposed to an open network. Some embedded systems ran a version of Linux, others were embedded NT and a couple were actually DOS (This varied by maker and age of equipment).

    Someone pointed out fetal monitoring systems; I installed one last year at the hospital I worked at and the setup was as follows:
    Server - (1x) Win2k3
    Polling - (2x) DOS 6.22 (these boxes only relayed mesgs)
    Monitoring Stations - (24x) WinXP Pro
    The server itself was in a datacenter and the two polling machines were in a networking closet (easier to run lines from the actual monitoring hardware this way). The Workstations were XP and had internet access. They were locked down enough such that net access was allowed for research. Every so often one got infected (research apparently means games too I guess). It was pulled and one of the already staged spares was put into its place until the infected machine had a chance to go through restaging. Through all this time, the nurses had MULTIPLE workstations, including two huge ass monitors (nice Dell 24inch flat screens with an 89' view angle) at the nurse's desk from which to view the babies. And they had manual procedures if the system went down. Which it was for two days during the initial move from testing into production. If there are no 'manual procedures' in place for when a system goes down the hospital is just ASKING for trouble. Granted in this case manual involved getting more nurses on the floor in that section, but they had it covered in case of a catastrophic event with that system.

    While the monitoring systems may be vulnerable, any decent hospital will not have it set up so the actual work horses doing the procedures are not exposed and have manual procedure in place should the machines go down.

    --
    "Quote me as saying I was mis-quoted." -Groucho Marx