Downadup or Conficker

Conficker Worm snakes its way into medical devices

The widespread Conficker computer worm has crawled into hundreds of medical devices, including MRI systems, at dozens of hospitals in the United States and other countries. The San Jose Mercury News reported that the worm has not harmed patients, but that it poses a potential threat to hospital operations.

Conficker (also known as Downadup, Kido or Downup), discovered in November 2008, is a fast-spreading worm that targets a vulnerability (MS08-067) in Windows operating systems. Conficker spreads by copying itself onto machines running Microsoft’s Windows operating system that lack the security patch. Once installed, it periodically reaches out for directions from its maker; those directions cause it to rewrite its code, increasing its capabilities for malicious action and decreasing its chance of detection.

Conficker has the ability to spread via USB sticks, as well as over a network. Conficker is a blended threat, combining features of several different approaches. Once Conficker infects a computer, it disables many security features and automatic backup settings, deletes restore points and opens connections to receive instructions from a remote computer. Once the first computer is configured, Conficker uses it to gain access to the rest of the network.

The Internet Storm Center is an early warning system for internet threats that is operated by the SANS Institute in Bethesda, Md. Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the internet to get instructions – presumably from the programmers who created Conficker. The researchers discovered that more than 300 similar devices at hospitals around the world had been compromised. Because the machines were running an unpatched version of Microsoft’s operating system used in embedded devices, they were vulnerable. Normally, the solution would be to install a patch, which Microsoft released in October 2008. However, the device manufacturer said rules from the FDA required that a 90-day notice be given before the machines could be patched, the Mercury News reported.

“For 90 days, these infected machines could easily be used in an attack, including for example, the leaking of patient information,” said Rodney Joffe, a senior vice president at Neustar, a communications company that belongs to an industry working group created to deal with the worm. “They also could be used in an attack that affects other devices on the same networks.”

What Conficker is actually meant to do is still unknown. The worm has created an infrastructure that its creators can use to remotely install software on infected machines. One assumption (and it is only an assumption) is that the worm will be used to build a botnet that is rented out to criminals who want to send spam, steal identities and direct users to online scams and phishing sites.

How can Conficker be removed from an infected computer? The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software, including Blaster, Sasser, and Mydoom, and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

To protect your computer from Conficker, please follow these steps:

  1. Keep your system’s patches up to date.
  2. Maintain a good anti-virus product.
  3. Disable AutoRun.
  4. Use strong passwords.
  5. Ensure that shared folders are secured.
  6. Ensure you back up your important files; the only way for you to fix an infected computer is to erase the hard drive and re-image it.
  7. Run a full scan of all files on all systems every week.
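Steps 1 and 3 of the list above can be audited from a script. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the MS08-067 hotfix is identified as KB958644 on Windows XP/2003 (later builds ship the fix and will not list it) and that AutoRun policy is read from the NoDriveTypeAutoRun registry value.

```powershell
# Added example (not from the original post). Audits two checklist items:
# (1) the MS08-067 hotfix is present, (3) AutoRun is disabled for every drive type.
# Assumption: hotfix id KB958644 for MS08-067; Windows 7 and later (6.1+) include the fix.

function Test-Ms08067Patch {
    # Get-HotFix reads the installed-updates inventory.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if ($hotfix) { return "MS08-067 hotfix KB958644 installed on $($hotfix.InstalledOn)" }
    $os = [Environment]::OSVersion.Version
    if ($os -ge [version]'6.1') { return "OS $os post-dates MS08-067; fix is built in" }
    return "WARNING: MS08-067 hotfix KB958644 not found on OS $os"
}

function Test-AutoRunDisabled {
    # 0xFF in NoDriveTypeAutoRun turns AutoRun off for all drive types (bit 0x04 alone
    # would only cover removable media, the path Conficker uses via USB sticks).
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v -and ($v -band 0xFF) -eq 0xFF) {
            return "AutoRun disabled for all drive types via $p"
        }
    }
    return 'WARNING: AutoRun not fully disabled; set NoDriveTypeAutoRun (REG_DWORD) to 0xFF'
}

Test-Ms08067Patch
Test-AutoRunDisabled
```

Run it in an elevated session; a WARNING line means the corresponding checklist item still needs attention on that host.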