<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/css" media="screen" href="http://s2.wp.com/wp-content/themes/vip/newyorkobserver/stylesheets/rss.css"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Betabeat &#187; Kaspersky</title>
	<atom:link href="http://betabeat.com/tag/kaspersky/feed/" rel="self" type="application/rss+xml" />
	<link>http://betabeat.com</link>
	<description>Just another WordPress.com site</description>
	<lastBuildDate>Wed, 22 May 2013 18:43:25 +0000</lastBuildDate>
	<language></language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='betabeat.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Betabeat &#187; Kaspersky</title>
		<link>http://betabeat.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://betabeat.com/osd.xml" title="Betabeat" />
	<atom:link rel='hub' href='http://betabeat.com/?pushpress=hub'/>
		<item>
				
		<title>Many Hospital Medical Devices More Badly Infected Than the Patients They Monitor</title>

		<comments>http://betabeat.com/2012/10/many-hospital-medical-devices-more-badly-infected-than-the-patients-they-monitor/#comments</comments>
		<pubDate>Wed, 17 Oct 2012 11:58:49 -0400</pubDate>
					<link>http://betabeat.com/2012/10/many-hospital-medical-devices-more-badly-infected-than-the-patients-they-monitor/</link>
			<dc:creator>Steve Huff</dc:creator>
				
		<guid isPermaLink="false">http://betabeat.com/?p=66790</guid>
		<description><![CDATA[<p><div id="attachment_66803" class="wp-caption alignleft" style="width: 250px"><a href="http://nyobetabeat.files.wordpress.com/2012/10/medequipment.jpg"><img class="size-full wp-image-66803" title="medequipment" alt="" src="http://nyobetabeat.files.wordpress.com/2012/10/medequipment.jpg" height="240" width="240" /></a><p class="wp-caption-text">Medical equipment. (Flickr/<a href="http://www.flickr.com/photos/cote/">cote</a>)</p></div></p>
<p>Even in the best hospitals there is a danger of acquiring vicious bugs like flesh-eating bacteria, pneumonia or even a <a href="http://www.npr.org/2012/01/13/145175265/new-tuberculosis-strain-thwarts-all-antibiotics" target="_blank">new strain of tuberculosis</a>. MIT's Technology Review blog <a href="http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/?ref=rss">reports that medical facilities nationwide are now dealing with an entirely different class of bugs</a>: malware.</p>
<p>Computerized equipment manufacturers apparently have an affection for out-of-date versions of Windows that may eventually put entire hospital computer networks in jeopardy.</p>
<p>Speaking last week in a Washington, D.C., meeting of a medical device panel, security expert Kevin Fu was unequivocal:<!--more--></p>
<blockquote><p>"I find this mind-boggling," Fu says. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."</p></blockquote>
<p>As an example of critical equipment compromised by malware, expert Mark Olson cited pregnancy monitors. Mr. Olson, who is chief of information security at Beth Israel Deaconess Medical Center in Boston, said it isn't unusual for monitors "to become compromised to the point where they can't record and track the data" physicians need to evaluate the health of expectant mothers. According to Mr. Olson, equipment prone to malware infection includes devices used to prep intravenous drugs and half-million-dollar MRI machines.</p>
<p>Nationwide, the malware problem in hospitals hasn't reached critical mass, but it is on the rise. The experts quoted by Technology Review seem to agree that wider public awareness is crucial to dealing with the issue, in addition to hospital chief technical officers implementing safety measures like firewalls and speaking out in general on the importance of the matter.</p>
<p>It looks like Kaspersky Lab may have found a new target market for its <a href="http://betabeat.com/2012/10/kaspersky-lab-is-working-on-its-own-super-secure-industrial-operating-system/" target="_blank">ultra-secure industrial operating system</a>.</p>
]]></description>
		<wfw:commentRss>http://betabeat.com/2012/10/many-hospital-medical-devices-more-badly-infected-than-the-patients-they-monitor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:thumbnail url="http://nyobetabeat.files.wordpress.com/2012/10/medequipment.jpg?w=150" />
		<media:content url="http://nyobetabeat.files.wordpress.com/2012/10/medequipment.jpg?w=150" medium="image">
			<media:title type="html">medequipment</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/12d391316d94afeef01bd9a987c847fe?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">shuffobserver</media:title>
		</media:content>

		<media:content url="http://nyobetabeat.files.wordpress.com/2012/10/medequipment.jpg" medium="image">
			<media:title type="html">medequipment</media:title>
		</media:content>
	</item>
		<item>
				
		<title>Meet MiniFlame, The Ninja Assassin of Cyber Warfare Tools</title>

		<comments>http://betabeat.com/2012/10/meet-miniflame-the-ninja-assassin-of-cyber-warfare-tools/#comments</comments>
		<pubDate>Mon, 15 Oct 2012 18:18:02 -0400</pubDate>
					<link>http://betabeat.com/2012/10/meet-miniflame-the-ninja-assassin-of-cyber-warfare-tools/</link>
			<dc:creator>Steve Huff</dc:creator>
				
		<guid isPermaLink="false">http://betabeat.com/?p=66453</guid>
		<description><![CDATA[<p><div id="attachment_66486" class="wp-caption aligncenter" style="width: 610px"><a href="http://nyobetabeat.files.wordpress.com/2012/10/kasperskyminiflamedistrib.png"><img class="size-full wp-image-66486" title="kasperskyminiflamedistrib" alt="" src="http://nyobetabeat.files.wordpress.com/2012/10/kasperskyminiflamedistrib.png" height="352" width="600" /></a><p class="wp-caption-text">Countries where MiniFlame and Flame have been found. (Kaspersky Lab)</p></div></p>
<p>Researchers at Kaspersky Lab have been patiently picking apart the ingenious malware packages that romped through computer networks in the Middle East, sucking up data and destroying Iranian nuclear centrifuges, and it seems Kaspersky finds a new addition to the allegedly U.S. and Israeli-sponsored family of cyber-weapons every other month. Monday they <a href="http://www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends#5" target="_blank">announced</a> the discovery of the <a href="http://betabeat.com/topics/flame-im-gonna-live-forever/" target="_blank">Flame</a> malware's baby cousin, <a href="http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Top+Stories%29">MiniFlame</a>.</p>
<p>Kaspersky's bug hunters <a href="http://www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends#5" target="_blank">found that MiniFlame's association with Flame and related infections</a> was Transformers-like in nature:<!--more--></p>
<blockquote><p>In early July 2012, we discovered a smaller Flame module, which appeared to be able to work by itself. The module had many similarities with Flame, so we thought it might simply be an earlier version. In the months that followed, we not only studied the connection of this malware with Flame, but also came across examples of this module being used concurrently with Gauss and being controlled by the Gauss main module.</p></blockquote>
<p>Researchers found that MiniFlame was something of a ninja assassin compared to the other programs. Whereas Flame, Duqu and Gauss had large missions to infiltrate multiple computers in countries like Iran, Syria and Lebanon, MiniFlame targeted just a few select victims in what Kaspersky calls "highly targeted attacks." Kaspersky reported that MiniFlame, while rare compared to the more well-known malware packages, was more likely to show up in a variety of countries, including a computer located at the Francois Rabelais University in Tours, France.</p>
<p><em>Wired</em> also <a href="http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/all/" target="_blank">noted</a> that Kaspersky determined that one machine in Lebanon is the lucky recipient of every nasty cyber weapon in the family:</p>
<blockquote><p>[There] is one machine in Lebanon – what [senior Kaspersky researcher Roel] Schouwenberg calls "the mother of all infections" – which has Flame, Gauss, and miniFlame/SPE on it. "It is like everybody wanted to infect that specific victim in Lebanon for some reason," he says.</p></blockquote>
<p>Kaspersky knows there are two more malware packages still in the wild, currently code-named only SP and IP. They may function much like the previously known malicious programs, churning through the guts of target computers for sensitive data to send home to their controllers before they execute the final trick in their arsenal, deleting themselves and vanishing from the infected system as if they'd never been there at all, like ghosts. Or ninjas.</p>
]]></description>
		<wfw:commentRss>http://betabeat.com/2012/10/meet-miniflame-the-ninja-assassin-of-cyber-warfare-tools/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:thumbnail url="http://nyobetabeat.files.wordpress.com/2012/10/kasperskyminiflamedistrib.png?w=150" />
		<media:content url="http://nyobetabeat.files.wordpress.com/2012/10/kasperskyminiflamedistrib.png?w=150" medium="image">
			<media:title type="html">kasperskyminiflamedistrib</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/12d391316d94afeef01bd9a987c847fe?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">shuffobserver</media:title>
		</media:content>

		<media:content url="http://nyobetabeat.files.wordpress.com/2012/10/kasperskyminiflamedistrib.png" medium="image">
			<media:title type="html">kasperskyminiflamedistrib</media:title>
		</media:content>
	</item>
		<item>
				
		<title>Russia&#8217;s Kaspersky Lab Cracks Password Attached to Alleged U.S. Cyber Weapon</title>

		<comments>http://betabeat.com/2012/09/russias-kaspersky-lab-cracks-password-attached-to-alleged-u-s-cyber-weapon/#comments</comments>
		<pubDate>Wed, 19 Sep 2012 13:24:18 -0400</pubDate>
					<link>http://betabeat.com/2012/09/russias-kaspersky-lab-cracks-password-attached-to-alleged-u-s-cyber-weapon/</link>
			<dc:creator>Steve Huff</dc:creator>
				
		<guid isPermaLink="false">http://betabeat.com/?p=63027</guid>
		<description><![CDATA[<p><div id="attachment_63042" class="wp-caption alignleft" style="width: 178px"><a href="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg"><img class="size-full wp-image-63042" title="flamegonnalive" src="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg" alt="" width="168" height="240" /></a><p class="wp-caption-text">What Flame did to Iranian computers. (Image: <a href="http://www.flickr.com/photos/wwarby/">William Warby</a>, Flickr)</p></div></p>
<p>The Cold War is over and Russia and America are getting along. So surely the Men in Black behind the United States' cyber weapons program based at Area 51 or wherever will not be too concerned that a Russian researcher cracked an encoded password associated with the now infamous, allegedly American-made <a href="http://betabeat.com/topics/flame-im-gonna-live-forever/" target="_blank">Flame malware</a>.</p>
<p><a href="http://betabeat.com/2012/09/researchers-uncover-u-s-footprints-in-mysterious-cyber-warfare-tools/" target="_blank">Symantec and Kaspersky recently teamed up to pick apart Flame's command and control systems</a>, discovering at least three previously unknown infectious scripts in the process. The researchers also discovered a great deal about how the weapons were assembled and launched against enemy targets, but were left with a hashed passcode they couldn't break. They put out a call for help but <a href="http://www.networkworld.com/news/2012/091812-kaspersky-flame-262531.html">didn't need the assistance of anyone outside either outfit</a>, after all:<!--more--></p>
<blockquote><p>Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast. [...]</p></blockquote>
<blockquote><p>The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.</p></blockquote>
<p>So now the whole world knows the password that once protected the servers behind Flame, a complex and sophisticated cyber weapon that was a major blow to Iran's nuclear program.</p>
<p>Which is a little scary, because if someone can crack the password that once protected such a covert weapon created by a nation state, the average Internet user's method of password-protecting their Gmail with a pet's name plus grandma's birthday doesn't seem too safe anymore.</p>
]]></description>
		<wfw:commentRss>http://betabeat.com/2012/09/russias-kaspersky-lab-cracks-password-attached-to-alleged-u-s-cyber-weapon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:thumbnail url="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg?w=105" />
		<media:content url="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg?w=105" medium="image">
			<media:title type="html">flamegonnalive</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/12d391316d94afeef01bd9a987c847fe?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">shuffobserver</media:title>
		</media:content>

		<media:content url="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg" medium="image">
			<media:title type="html">flamegonnalive</media:title>
		</media:content>
	</item>
		<item>
				
		<title>Researchers Uncover U.S. Footprints in Mysterious Cyber Warfare Tools</title>

		<comments>http://betabeat.com/2012/09/researchers-uncover-u-s-footprints-in-mysterious-cyber-warfare-tools/#comments</comments>
		<pubDate>Mon, 17 Sep 2012 11:50:31 -0400</pubDate>
					<link>http://betabeat.com/2012/09/researchers-uncover-u-s-footprints-in-mysterious-cyber-warfare-tools/</link>
			<dc:creator>Steve Huff</dc:creator>
				
		<guid isPermaLink="false">http://betabeat.com/?p=62662</guid>
		<description><![CDATA[<p><div id="attachment_62676" class="wp-caption alignleft" style="width: 244px"><a href="http://nyobetabeat.files.wordpress.com/2012/09/flame.png"><img class="size-medium wp-image-62676" title="flame" src="http://nyobetabeat.files.wordpress.com/2012/09/flame.png?w=234" alt="" width="234" height="300" /></a><p class="wp-caption-text">Attack workflow for Flame controllers (Symantec)</p></div></p>
<p>Kaspersky Lab and Symantec have <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf" target="_blank">teamed up</a> to peel apart the United States' cyber warfare efforts. So far, they have uncovered the command and control systems behind the sophisticated malware as well as three previously unknown chunks of malicious code possibly related to alleged American cyber superbugs <a href="http://betabeat.com/topics/flame-im-gonna-live-forever/" target="_blank">Flame and Duqu</a>.</p>
<p><a href="http://www.reuters.com/article/2012/09/17/us-usa-security-viruses-idUSBRE88G0QF20120917">Reuters reports</a> that researchers from the security firms discovered how the malware was disseminated--through an outwardly innocent-seeming content management system (CMS) named Newsforyou:<!--more--></p>
<blockquote><p>It was designed to look like a common program for managing content on websites, which was likely done in a bid to disguise its real purpose from hosting providers or investigators so that the operation would not be compromised, Kaspersky said in its report.</p></blockquote>
<blockquote><p>Newsforyou handled four types of malicious software: Flame and programs code-named SP, SPE and IP, according to both firms. Neither firm has obtained samples of the other three pieces of malware.</p></blockquote>
<p>According to <a href="http://www.symantec.com/connect/blogs/have-i-got-newsforyou-analysis-flamer-cc-servers" target="_blank">Symantec</a>, Newsforyou allowed attackers to "upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data." Symantec writes that the mystery chunks of code were "likely unknown variants" on Flame but could have been "totally distinct malware."</p>
<p>More intriguing, researchers uncovered nicknames for a handful of programmers who worked on the malware over the course of the last six years or so:</p>
<blockquote><p>The attackers were not thorough enough, however, as a file revealing the entire history of the server’s setup was available. In addition, a limited set of encrypted records in the database revealed that compromised computers had been connecting from the Middle East. We were also able to recover the nicknames of four authors—D***, H*****, O******, and R***—who had worked on the code at various stages and on differing aspects of the project, which appear to have been written as far back as 2006.</p></blockquote>
<p>Symantec and Kaspersky have an additional mystery for which they seek the public's help--this mysterious encoded password: 27934e96d90d06818674b98bec7230fa.</p>
<p>Researchers say they have attempted "brute-force" cracks of the hashed code, to no avail. If you're up for a juicy password cracking challenge that may also put you on a government watchlist, <a href="https://twitter.com/threatintel" target="_blank">hit them up on Twitter</a>.</p>
]]></description>
		<wfw:commentRss>http://betabeat.com/2012/09/researchers-uncover-u-s-footprints-in-mysterious-cyber-warfare-tools/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:thumbnail url="http://nyobetabeat.files.wordpress.com/2012/09/flame.png?w=117" />
		<media:content url="http://nyobetabeat.files.wordpress.com/2012/09/flame.png?w=117" medium="image">
			<media:title type="html">flame</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/12d391316d94afeef01bd9a987c847fe?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">shuffobserver</media:title>
		</media:content>

		<media:content url="http://nyobetabeat.files.wordpress.com/2012/09/flame.png?w=234" medium="image">
			<media:title type="html">flame</media:title>
		</media:content>
	</item>
	</channel>
</rss>
