Hospital Equipment Infected With Conficker

nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals. The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations. It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access. A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."

Re:Does it bother anyone else.....

[Dyinobal]

Newer isn't always better.

Re:Does it bother anyone else.....

[setagllib]

Why risk having security vulnerabilities on a tried and tested mission-critical system? They should have gone with Linux or BSD from the start and had virtually guaranteed upgrade compatibility from that point on, with plenty of commercial support options.

Here is why and how

[altek]

1) Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines
    - this is due to FDA requirements for approval, and the vendor is "covering" themselves
    - also, they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch cycle (not surprising given the sheer number and speed of holes that are found)
    - usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do

2) Vendors typically disallow these machines to be on the active directory
    - this is because they can't stand troubleshooting/supporting issues in their software due to GPO's being pushed down, software management software, etc etc

3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment. Windows is embedded on so many devices in the world (medical and otherwise) that you would never even know existed. Why? Because it's widely supported, has huge hardware support, and is surprisingly OPEN to developers to hack it into whatever they need it to be. And windows programmers are a dime a dozen.

4) To everyone screaming how idiotic it is that medical devices are connected to the internet getting infected - Do you even know how Conficker spreads? It spreads quite easily across a LAN, attaching to Windows file shares. See MS08-067 for more info. Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).

Re:Sigh.

[AndrewNeo]

Apparently you can't even read what you quoted.

but the LAN was connected to one with direct Internet access.

Internet enabled machine got infected, and bridged over to the closed-off network. Why SMB was enabled on the embedded systems is a better question.

"A patch was released..." Big freaking deal!

The article says "A patch was released by Microsoft last October ..." The availability of a patch doesn't mean squat. Before a patch can bve installed on medical equipment, the hardware vendor has to validate the patch. In other words, the vendor has to test the ever loving crap out of the software to insure it does not conpromise patient safety.

The fact that cornflicker got on life safety and mission critical systems at all raises the question of why anyone would use a consumer grade operating system for mission critical systems or for life support systems. At a minimum, these systems should have been running Unix or Solaris. Vx Works or Linux are also good, but require a higher level of computer engineed to implement.

This is just plain lunacy.

Re:Old Computers

[causality]

Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it". The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

Doesn't Microsoft itself say (perhaps in the EULA disclaimer) that its operating systems were not intended to be used in this sort of mission-critical capacity? That could of course have a very narrow definition, something along the lines of "don't ever use it to operate that iron lung but maybe use it so the receptionist can run MS Office" but if that were the case, then this would be a mere nuisance and not such a real problem. That is, in that case there'd be nothing special about the fact that the affected institution happened to be a hospital beyond the fact that it sounds bad. Because of that, I really get the impression that they were using the wrong tool for the job.

Re:Old Computers

The biggest issue here is that Medical Equipment has to be run through an FDA Validation process. If you make changes to the system, you have to revalidate, and Validation takes months and $100K's. So the vendors leave them as-is.

What's frustrating is that these systems need to be on a LAN, since they need to report their results to other clinical systems. So these small islands need to be linked other islands, and eventually, someone screws up and links an island with an Internet connection . . . .

Virus writers in the pay of computer sellers?

[Nefarious+Wheel]

Sometimes I wonder if the writers of viruses aren't secretly in the pay of computer sales organisations, or even manufacturers. After all, isn't the common message "you need to keep your software up to date"?

It's extremely cynical of me perhaps, but I wonder if this isn't some type of pernicious planned obsolesence. Some car makers for many years deliberately made cars to last 20,000 hours (pure folklore, overheard) because they needed cars to fail after a few years to keep the volume of new car sales going.

Wouldn't the same principle work with computers? Something has to make them fail over time or people will make do with the old. Unfortunate that this means NT4 boxes in hospitals might get people killed, but when have the truly greedy ever really cared?

Re:Virus writers in the pay of computer sellers?

[couchslug]

"A simple $10 part can cost you (at the dealership, of course) $1000 to get to and replace, the Ford Ranger/Explorer clutch slave cylinder INSIDE the transmission bellhousing...$30 part, $500 job, being a good example (most manufacturers put it on the outside). It also discourages the "shade-tree mechanics" from doing their own work."

The concentric slave cylinders were more likely some bean counter idea to save the cost of a clutch fork, pivot ball, and associated hardware. The quick-connect hydraulic fitting is a breeze to connect and would male for speedy assembly.

Never put down to malice what can be ascribed to total indifference to making a system friendly to maintainers.
The company has only to build and sell the system at the highest practical profit. They don't give a shit about the line mechanic in their dealerships, let alone the home mechanic.

Re:Virus writers in the pay of computer sellers?

[Kaboom13]

I have to agree. You think a car maker gives a crap about the cost of a repair job down the line? I know several engineers personally that work in the auto industry. Their priorities go something like this:
1. Meet bare minimum, required by law emissions, safety, and quality standards.
2. Be as cheap to make as possible
3. Be as cheap to assemble as possible
4. Require the minimum retooling for factories making it.
5. Require minimum retraining for workers assembling it.
6. When it fails (and it will) make sure it doesn't make the car catch on fire, or slam on the gas, or lose the ability to brake, or otherwise hurt/maim/kill the driver (lawsuits cost money).
7. Make it implement some sort buzzword marketing tech that doesn't do much but sells cars.
8. Make it implement some tech that actually improves the car in a way that sells more cars.
9. Make it look cool.
10. Be durable enough to last past the warranty in 99% of vehicles, and not blatantly defective enough to force a recall/inspire a class action lawsuit.
11. Be servicable.

Notice thats a long list of conflicting goals, and how easy it is to service is on the bottom. Few people even look at the (estimated) total cost of ownership of a car, much less personally inspect how easy it looks to surface. And since systemic, hard to service problems tend to show up 5 years down the line, when the engineers responsible have long ago moved on to other projects, and that particular model has already been replaced anyways, noone really cares.

The idea that some sort of sneaky conspiracy of planned obsolescence is going on is bogus. The reality is the engineers and designers have different priorities. Replacement parts are often expensive because the machines required to make them are expensive, and they want to retool them to make something else as soon as possible, so they often make a bunch of extras and shove them in a warehouse somewhere. If those run out, and they have to make more, it means they have to spend a ton of money to make another run of them.

When people are buying cars, they want the latest and greatest. A car made using the tried and tested tech from 10 years ago would last longer, and be more reliable, but would offer less performance,comfort, and safety for pretty much the same price or more.

Re:Old Computers

[Jeremy+Erwin]

The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

Shouldn't they be using OpenBSD, then?

Re:Does it bother anyone else.....

[miggyb]

Why are you getting modded as "Funny?" That's the first thought I had. Shouldn't heart monitors and MRI machines have an embedded OS of some sort? MRIs are more complex, but (AFAIK) things like heart monitors do one thing and one thing only.

Re:Old Computers

[plover]

Because the network admin should have the laboratory equipment firewalled off with a "deny all" preceded and followed by comment lines that read " # DANGER -- MEDICAL EQUIPMENT ON THIS SEGMENT -- If you permit so much as one stinking port to pass through this firewall, I will hunt you down and leave nothing behind for the doctors to patch together."

There is no excuse on the planet for letting health care equipment see the cloud. If data has to enter or leave, it should pass through a bastion host. If the requirements are that the equipment really has to reach the internet, the requirements are faulty.

Re:Old Computers

[plover]

Yes, an air gap would be even better, but I read the above to say "we had an air gap but some idiot bridged it." My intent was to provide the bridge as part of the design to let people know that you've already created the path, but to then plaster it with the equivalent of "Road Closed", "Keep Out", and "No Trespassing" signs.