
Posted by Vince on 5/3/2009, 5:05 am, in reply to "Conficker Worm: fear it!"
tonight on the "progress" of Conficker.
The final version (E) to date, generates 50,000 domain names (IP addresses) that *could* be used as a contact site in the future. All of them are fictitious but .... the bot-herd-owner would only have to register ONE of those IPs to make it valid and get only ONE of the worms in the wild to connect with that site ....... and it would be updated. After that, it can connect with some or ALL of the (estimated 10,000,000) infected computers and they all become updated in short order. (It's the avalanche effect).
The "interesting" thing though, is WHOM this virus is affecting. It's hospitals running MRI's and heart monitors etc.
These machines are maybe 10-15 years old and were programmed to run on Windows NT and then W2K systems. (At the time, they didn't have much choice because the sophisticated programs likely ONLY ran on Windows systems).
They run as embedded systems (which means they work from a tightly confined "firmware" environment) but they still permit temporary read/writes to hard drives for the sake of scan/printouts etc. I imagine that once they're "rebooted" they lose any and all changes from the previous session and probably aren't DEEPLY plagued by viruses or trojans or worms .... but .... during any given session, they become vulnerable and will run the malware just like any other computer system would.
So, all it takes is for ONE machine to become infected and it will infect all other machines on the LAN of the internal system immediately. Therefore, purging is tricky. ALL machines would have to be rebooted simultaneously to lose the thing and that's not always feasible in such a high stakes environment.
To make matters worse, the FDA has tight restriction rules on these machines. They require something like 90 days notice for any proposed changes made to these embedded systems.
On top of that, Microsoft has stopped all support for NT and W2K now and therefore, no updates/fixes exist for these "ancient" systems.
That leaves the hospitals helplessly hooped. They pretty much have to carry on as they are ....... Conficker be damned.
-Vince