In association with heise online

13 January 2009, 12:08

Conficker in Carinthia: first the state government, now the hospitals


Following infections on Carinthian state government computers, the Conficker worm has attacked PCs in at least three hospitals run by KABEG, the operating company for the state's healthcare institutions. The outbreak is on a similar scale to the one at the state government: some 3,000 of KABEG's computers are affected. Unlike the state government, however, the hospital operator had apparently already installed the relevant security update (MS08-067, which closes the Windows Server service hole the worm exploits), so the worm must have got in through one of its other propagation routes. A further difference is that the worm evidently succeeded in installing additional malware on the infected hospital computers. Situated within the Eastern Alps, Carinthia is the southernmost state in Austria.

According to unconfirmed reports, Conficker entered the KABEG network via a laptop. From there it is said to have spread to thousands of shared directories that were not password protected. The weak protection was apparently deliberate: the hospitals use various medical devices that transfer data over the network but cannot authenticate to password-protected shares, so, to keep the systems running smoothly, the shares were left open. This has now proved a costly decision. Other sources point to a USB stick as the source of the infection; patients had occasionally brought in their diagnostic findings on such data storage devices.

Both of the affected institutions have entrusted Carinthian company Net-Solutions with the de-worming. Net-Solutions is replacing the previous virus scanner, which did not detect the Conficker worm, with a newer product that does. The Microsoft Malicious Software Removal Tool (MSRT), which is meant to remove prevalent malware, was not used because it has occasionally triggered security warnings itself: like the Conficker worm, MSRT tries to scan shared directories without using their passwords, and the failed login attempts then show up in the security log.

Net-Solutions CEO Wolfgang Frei told heise online: "The biggest problem with Conficker is that it interrupts operations. That costs the affected institutions a lot of money." Frei continued: "The worm tries to replicate itself within the network by trying out a number of specific passwords. After a few failed attempts, the accounts are automatically locked for password protection purposes. Within minutes, hundreds of employees no longer have access to their computers."
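The lockout cascade Frei describes, and the failed logons MSRT leaves behind, both land in the same place: the Windows security log. The following is an added example, not part of the article and not Net-Solutions' tooling, of how an operator can tell the two apart and get warning before the lockouts land. It assumes a simplified CSV export of the security log (timestamp, event id, target account, source workstation), uses the Windows event IDs 529/4625 for failed logons and 528 for a successful XP logon, and assumes a lockout policy of five bad passwords in five minutes; the log lines are constructed, not taken from the KABEG incident.

```python
"""Detect Conficker-style password guessing in a Windows security log.

Added example: not part of the article and not Net-Solutions' tooling.
It assumes a simplified CSV export of the security log with the columns
timestamp, event id, target account, source workstation.  Event IDs 529
(XP/2003) and 4625 (Vista and later) are failed logons; 528 is a
successful logon on XP.  The lockout threshold of 5 is an assumed policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = {"529", "4625"}
LOCKOUT_THRESHOLD = 5          # assumed domain policy: 5 bad passwords lock the account
WINDOW = timedelta(minutes=5)  # assumed lockout observation window
MIN_ACCOUNTS = 10              # one source failing against this many accounts looks like a worm


def constructed_log():
    """Build a constructed sample export (not real data from the incident)."""
    lines = []
    base = datetime(2009, 1, 12, 8, 0, 0)
    # An infected host works through a short password list against many accounts,
    # four guesses per account, one short of the assumed lockout threshold.
    for i in range(12):
        for guess in range(4):
            ts = base + timedelta(seconds=10 * i + guess)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S},529,user{i:02d},WS-LAB-03")
    # A legitimate user mistypes twice, then logs on.
    lines += [
        "2009-01-12 08:03:00,529,mueller,WS-RADIOLOGY-07",
        "2009-01-12 08:03:05,529,mueller,WS-RADIOLOGY-07",
        "2009-01-12 08:03:12,528,mueller,WS-RADIOLOGY-07",
    ]
    return "\n".join(lines)


def parse_log(text):
    """Parse the CSV export into (timestamp, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, account, source))
    return events


def _windowed(items, window):
    """Yield, for each (timestamp, payload) item in time order, the items inside `window` ending at it."""
    items = sorted(items)
    start = 0
    for end, (ts, _) in enumerate(items):
        while ts - items[start][0] > window:
            start += 1
        yield items[start:end + 1]


def spraying_sources(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Source workstations that failed against >= min_accounts distinct accounts inside one window.

    A single host cycling through many different accounts within minutes is
    the worm's replication pattern; a user mistyping hits only one account.
    """
    per_source = defaultdict(list)
    for ts, eid, account, source in events:
        if eid in FAILED_LOGON:
            per_source[source].append((ts, account))
    hits = {}
    for source, fails in per_source.items():
        best = set()
        for chunk in _windowed(fails, window):
            accounts = {account for _, account in chunk}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[source] = best
    return hits


def accounts_near_lockout(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Accounts with threshold - 1 failures in one window: one more bad guess locks them.

    Warning on these, rather than on the lockout event itself, is what gives
    an operator time before hundreds of users are locked out at once.
    """
    per_account = defaultdict(list)
    for ts, eid, account, source in events:
        if eid in FAILED_LOGON:
            per_account[account].append((ts, source))
    return {
        account
        for account, fails in per_account.items()
        if any(len(chunk) >= threshold - 1 for chunk in _windowed(fails, window))
    }


if __name__ == "__main__":
    evts = parse_log(constructed_log())
    for src, accounts in spraying_sources(evts).items():
        print(f"{src}: failed logons against {len(accounts)} accounts")
    print("near lockout:", sorted(accounts_near_lockout(evts)))
```

Keyed on the source workstation, the spraying check isolates the infected host (or a scanner behaving like one) for removal from the network, while the per-account check lists who will be locked out next; a user who mistypes a password twice from one machine triggers neither. A real export would carry the event IDs and field layout of the domain's Windows version, and the thresholds have to match the actual account lockout policy.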

A large Carinthian furniture dealer has also reported infection, but, within Europe, Conficker is not just a Carinthian problem. There are reports of infections of a private Viennese bank and in Bulgaria of infections on interior ministry, police, and border police systems.

Conficker attempts to download updates from a list of pseudo-randomly generated domains. Symantec was able to analyse this routine, compute the domains in advance and register them. According to a Symantec report of 6 January, within a 72-hour period more than 600,000 IP addresses contacted the server hosting these domains, and there could be thousands of infected computers behind each IP address. Most of the systems that contacted the server were running Windows XP, either without any service pack or with Service Pack 1; these were followed by computers running XP with Service Pack 2 or 3. According to the report, PCs running other versions of Windows made up only a very small proportion of the computers contacting the server.
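What makes the registration trick possible is that a domain list derived from the calendar date can be computed by anyone who has the routine, defenders included. The following is an added example, not code from the article or from Symantec: it uses an illustrative date-seeded generator with the same shape as such a routine (a PRNG seeded from the date, a fixed set of TLDs, a fixed number of domains per day), builds the watchlist a defender would register or sinkhole for the coming days, and matches constructed resolver log lines against it. The generator is not Conficker's actual algorithm and yields none of its real domains; the TLD list, the count of 250 per day and the log lines are all assumptions.

```python
"""Pre-compute a date-seeded domain list and match DNS queries against it.

Added example: not code from the article or from Symantec.  The generator
is an illustrative stand-in with the same shape as the worm's routine (a
PRNG seeded from the calendar date, a fixed set of TLDs, a fixed number of
domains per day); it is not Conficker's actual algorithm and yields none of
its real domains.  TLD list and per-day count are assumptions.
"""
import hashlib
import random
from collections import defaultdict
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info", "biz"]  # assumed for illustration
PER_DAY = 250                                 # assumed domains per day
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def domains_for(day, per_day=PER_DAY):
    """Candidate domains for `day`; anyone who knows the routine can compute them in advance."""
    seed = int.from_bytes(hashlib.sha256(day.isoformat().encode()).digest()[:8], "big")
    rng = random.Random(seed)
    out = []
    for _ in range(per_day):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(8, 11)))
        out.append(f"{label}.{rng.choice(TLDS)}")
    return out


def watchlist(start, days):
    """Map every candidate domain for `days` consecutive days from `start` to its day.

    This is the list a defender registers (or sinkholes) ahead of time.
    """
    table = {}
    for i in range(days):
        day = start + timedelta(days=i)
        for domain in domains_for(day):
            table[domain] = day
    return table


def match_queries(lines, table):
    """Return {client: {domain: day}} for resolver log lines that hit the watchlist."""
    hits = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()   # normalise trailing dot and case
        if qname in table:
            hits[client][qname] = table[qname]
    return dict(hits)


def constructed_dns_log(start):
    """Constructed resolver log lines (not real data): 'timestamp client qname'."""
    today, tomorrow = domains_for(start), domains_for(start + timedelta(days=1))
    return [
        f"{start}T09:12:01 10.0.0.5 {today[3]}.",
        f"{start}T09:12:02 10.0.0.5 www.example.org.",
        f"{start}T09:12:30 10.0.0.9 {today[17].upper()}",
        f"{start + timedelta(days=1)}T00:00:40 10.0.0.5 {tomorrow[0]}",
        f"{start}T10:00:00 10.0.0.7 mail.example.net",
    ]


if __name__ == "__main__":
    start = date(2009, 1, 6)
    table = watchlist(start, 3)
    for client, domains in match_queries(constructed_dns_log(start), table).items():
        print(client, "queried", len(domains), "watchlisted domain(s)")
```

On an internal resolver each matching client is one infected host to clean; at a sinkhole, each matching client is one of the "IP addresses" in a count like Symantec's, which is why a NAT gateway in front of a hospital network can hide thousands of infected machines behind a single entry.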

Symantec says the A variant of Conficker spread particularly rapidly on the Indian subcontinent in the two months prior to 9 January, while infections with the B variant were particularly prevalent in the US.

(Daniel AJ Sokolov)

