How poor IoT security is allowing this 12-year-old malware to make a comeback

Conficker peaked in 2009, but unsupported connected devices are allowing it to spread in 2020 - and the healthcare sector is where it's infected the most targets.
Written by Danny Palmer, Senior Writer

The proliferation of Internet of Things devices and unsupported operating systems is leaving networks open to simple cyberattacks which, in many cases, should have already been consigned to the dustbin of history.

Conficker first emerged in 2008, exploiting flaws in Windows XP and older Microsoft operating systems to spread itself to vulnerable machines and rope them into a botnet. An estimated 15 million computers had fallen victim to Conficker by 2009 - but over ten years on, the malware remains an active threat to organisations around the world.

While this form of malware hasn't been particularly damaging – its authors are thought to have been reluctant to use the Conficker botnet after it drew so much attention – it serves as a reminder of the dangers worms and other malicious software can pose to organisations, especially as the worm remains active and hundreds of thousands of machines are thought to be infected.

In 2015, this figure stood at 400,000 machines, but according to the new Unit 42 IoT Threat Report from Palo Alto Networks, there's been a resurgence in Conficker infections, with researchers indicating that now the figure is around 500,000.


One of the ways Conficker continues to spread is through infecting connected medical devices thanks to their use of outdated or unsupported versions of Windows; the problem has grown to such an extent that researchers note that nearly one in five Palo Alto Networks customers have detected Conficker at some point over the past two years.

One particular incident was brought to the attention of researchers when Palo Alto Networks' Zingbox IoT security software detected unusual traffic in the network.

"We observed anomalous network traffic such as excessive Server Message Block (SMB) traffic, Domain Generation Algorithms (DGA) being used by the infected devices, as well as specific patterns in Conficker shell code execution attempts," May Wang, Senior Distinguished Engineer at Palo Alto Networks and former Zingbox CTO told ZDNet.
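The two network indicators Wang describes, SMB fan-out and DGA-style lookups, can be scored from ordinary flow and DNS telemetry. The following is an added example written for this article, not Palo Alto Networks' or Zingbox's code; the flow and DNS records, thresholds and host addresses are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample telemetry (not from the article). Flow records: (src, dst, dport).
# 10.0.5.21 plays an infected imaging device fanning SMB out across the ward subnet;
# 10.0.5.40 is a workstation talking SMB to one file server, which is normal.
FLOWS = [("10.0.5.21", f"10.0.5.{h}", 445) for h in range(22, 40)] + \
        [("10.0.5.40", "10.0.5.10", 445)] * 5
# DNS records: (src, qname, rcode). The infected host asks for pseudo-random names that
# mostly fail to resolve; the workstation looks up a couple of ordinary names.
DNS = [("10.0.5.21", q, "NXDOMAIN") for q in
       ("qzkvpwxn.info", "jtyrmbfa.org", "xkwqzpvl.net", "bhvnqrtx.biz", "lmzqfwkp.ws")] + \
      [("10.0.5.40", q, "NOERROR") for q in ("pacs.hospital.example", "update.microsoft.com")]

SMB_FANOUT_THRESHOLD = 10    # distinct TCP/445 peers per source before alerting (assumed)
DGA_ENTROPY_THRESHOLD = 2.8  # mean bits/char of the second-level label (assumed)
DGA_NXDOMAIN_RATIO = 0.6     # share of a host's lookups that fail to resolve (assumed)


def entropy(label: str) -> float:
    """Shannon entropy of the characters in one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def smb_fanout(flows):
    """Number of distinct hosts each source reached on TCP/445 (SMB)."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items()}


def dga_suspects(dns):
    """Sources whose lookups look generated: high-entropy labels AND mostly NXDOMAIN.
    Entropy alone is weak (real words like 'hospital' score high), so both must hold."""
    per_host = defaultdict(list)
    for src, qname, rcode in dns:
        sld = qname.split(".")[-2]  # second-level label, e.g. "qzkvpwxn"
        per_host[src].append((entropy(sld), rcode == "NXDOMAIN"))
    flagged = set()
    for src, rows in per_host.items():
        mean_entropy = sum(e for e, _ in rows) / len(rows)
        nx_ratio = sum(nx for _, nx in rows) / len(rows)
        if mean_entropy >= DGA_ENTROPY_THRESHOLD and nx_ratio >= DGA_NXDOMAIN_RATIO:
            flagged.add(src)
    return flagged


def conficker_like_hosts(flows, dns):
    """Hosts showing both indicators from the article: SMB fan-out plus DGA lookups."""
    fanout = smb_fanout(flows)
    return sorted(h for h in dga_suspects(dns) if fanout.get(h, 0) >= SMB_FANOUT_THRESHOLD)
```

Requiring both signals keeps a busy file server or a host with a few typo'd lookups from tripping the alert on its own.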

The unusual activity was coming from a mammography machine, and within a few days it was discovered that Conficker had also infected additional medical devices on the network, including another mammography machine, a digital imaging unit, a radiology machine and others.

Hospital staff attempted to remove the infections by rebooting these connected devices, but within hours of the machines coming back online, Conficker had infected them again, because these devices hadn't received security patches, leaving them vulnerable to old malware like this.

In this case, the unnamed hospital ended up taking all the devices offline, installing the latest security patches and then bringing them back onto the network one by one. It took a week before all of the devices could be re-connected to the network.

One of the key reasons that the 12-year-old Conficker worm was allowed to spread across medical devices was that many of these IoT machines aren't monitored like other computers on the network, thus providing a gateway for malware – or cyber attackers – to gain entry to the network.

Hackers know this and are therefore increasingly turning their attention towards developing IoT-specific botnets such as Mirai. Versions of the Mirai source code have helped power a number of IoT-based attacks.

However, organisations can secure IoT devices on their network and help protect against cyberattacks by following some simple steps as outlined by Palo Alto Networks.

Firstly, organisations should scan their networks to discover all the IoT devices on it, because it's much easier to protect against threats when you have an idea as to where they'll come from.

Secondly, common IoT devices such as printers and security cameras – as well as patient-monitoring systems in the healthcare sector – should receive routine security updates and patches to ensure that if a vulnerability is uncovered, the device is protected from being exploited.

Thirdly, IoT devices should be segmented onto a separate network from desktops and laptops in order to stop hackers moving around if a device is compromised, as well as reducing the potential attack surface for hackers.


It ultimately means that if attackers do somehow gain access to the IoT device from outside, they won't be able to exploit it for moving onto the rest of the network, meaning computers will remain safe from the intrusion.

But the key thing is to ensure that potentially vulnerable devices are patched, especially as the vulnerability Conficker exploits is over ten years old, so the update should've been done a long time ago.

"You're at risk if you're running an unpatched, legacy OS like Windows XP, Windows Vista, Windows Server 2003, or Windows Server 2008. Users should disable SMB when not needed; upgrade Windows OS to latest build and version; restrict internet access on mission-critical devices, and monitor Windows OS devices 24x7," said Wang.

"As long as legacy Windows systems are around or SMB protocol continues to be used, there will be Conficker or another type of malware family with a similar mechanism," she added.
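The three steps outlined earlier (discover, patch, segment) and Wang's guidance above can be turned into a check that runs over a device inventory. This is an added example written for this article, not Palo Alto Networks' code; the inventory records, the workstation subnet and the device-naming convention used to recognise IoT gear are constructed assumptions.

```python
import ipaddress

# Constructed inventory (not from the article), one record per connected device.
INVENTORY = [
    {"name": "mammography-1", "ip": "10.0.5.21", "os": "Windows XP",
     "smb": True, "internet": True, "critical": True},
    {"name": "radiology-1", "ip": "10.0.5.30", "os": "Windows Server 2008",
     "smb": False, "internet": False, "critical": True},
    {"name": "printer-2", "ip": "10.0.9.7", "os": "Embedded Linux",
     "smb": True, "internet": False, "critical": False},
    {"name": "ws-reception", "ip": "10.0.5.40", "os": "Windows 10",
     "smb": True, "internet": True, "critical": False},
]

# Legacy versions the article names as at risk when left unpatched.
LEGACY_OS = {"Windows XP", "Windows Vista", "Windows Server 2003", "Windows Server 2008"}
# Assumed: the subnet carrying staff desktops and laptops; IoT gear should not share it.
WORKSTATION_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Assumed naming convention: the prefix before "-" identifies the device class.
IOT_KINDS = {"mammography", "radiology", "imaging", "printer", "camera", "monitor"}


def is_iot(device):
    """Classify a device as IoT/medical equipment from its name prefix (assumed scheme)."""
    return device["name"].split("-")[0] in IOT_KINDS


def findings(device):
    """Guidance items the device violates: legacy OS, SMB left on, internet on a
    mission-critical device, or IoT gear sharing the workstation subnet."""
    out = []
    if device["os"] in LEGACY_OS:
        out.append("legacy-os")
    if device["smb"] and is_iot(device):
        out.append("smb-enabled")
    if device["critical"] and device["internet"]:
        out.append("internet-on-critical")
    ip = ipaddress.ip_address(device["ip"])
    if is_iot(device) and any(ip in net for net in WORKSTATION_NETS):
        out.append("not-segmented")
    return out


def report(inventory):
    """Map each non-compliant device name to its list of findings."""
    result = {}
    for device in inventory:
        issues = findings(device)
        if issues:
            result[device["name"]] = issues
    return result
```

The inventory itself has to come from a discovery scan first; a device that nobody has recorded is exactly the unmonitored gateway the article describes.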
