Slashdot Mirror


Trojan Found In New HDs Sold In Taiwan

GSGKT writes "About 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand were found to have trojan horse malware pre-installed (autorun.inf and ghost.pif). When the HD is in use, these forward information on the disk to two websites in Beijing, China: www.nice8.org or www.we168.org. The article implies that authorities believe the Chinese government is behind the trojans. A later article pins down the point of infection to a subcontractor company in China. A couple of months back the Register was reporting on pre-installed malware detected on Maxtor disks sold in the Netherlands. This earlier report was downplayed by a Seagate spokesman." The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.

18 of 344 comments

  1. It's times like this... by fractoid · · Score: 1, Informative

    ...that I'm really glad I switched to Linux. :)

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  2. Obligatory HOSTS comment: by killmofasta · · Score: 5, Informative

    Please add to your host files:
    127.0.0.1 www.nice8.org
    127.0.0.1 www.we168.org

    1. Re:Obligatory HOSTS comment: by Anonymous Coward · · Score: 1, Informative

      Domain ID:D145807509-LROR
      Domain Name:NICE8.ORG
      Created On:11-May-2007 07:20:24 UTC
      Last Updated On:27-Sep-2007 05:57:07 UTC
      Expiration Date:11-May-2008 07:20:24 UTC
      Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
      Status:OK
      Registrant ID:JHV8DUH7W9TIL
      Registrant Name:ga ga
      Registrant Organization:gaga
      Registrant Street1:gagaga
      Registrant Street2:
      Registrant Street3:
      Registrant City:gaga
      Registrant State/Province:Beijing
      Registrant Postal Code:126631
      Registrant Country:CN
      Registrant Phone:+86.2164729393
      Registrant Phone Ext.:
      Registrant FAX:+86.2164660456
      Registrant FAX Ext.:
      Registrant Email:safsafsa@ca.ca
      Admin ID:JHV8DUHMSOOFB
      Admin Name:ga ga
      Admin Organization:gaga
      Admin Street1:gagaga
      Admin Street2:
      Admin Street3:
      Admin City:gaga
      Admin State/Province:Beijing
      Admin Postal Code:126631
      Admin Country:CN
      Admin Phone:+86.68492333
      Admin Phone Ext.:
      Admin FAX:+86.4660456
      Admin FAX Ext.:
      Admin Email:safsafsa@ca.ca
      Tech ID:JHV8DUHO9XXZP
      Tech Name:ga ga
      Tech Organization:gaga
      Tech Street1:gagaga
      Tech Street2:
      Tech Street3:
      Tech City:gaga
      Tech State/Province:Beijing
      Tech Postal Code:126631
      Tech Country:CN
      Tech Phone:+86.68492333
      Tech Phone Ext.:
      Tech FAX:+86.4660456
      Tech FAX Ext.:
      Tech Email:safsafsa@ca.ca
      Name Server:NS2.XINNETDNS.COM
      Name Server:NS2.XINNET.CN

      I'm assuming "ga ga" is fake; XINNet is not accessible without a Chinese proxy. The registrant's phone number, +86.2164729393, links to the contact information of http://www.sogle.com/, a partner of http://68l.com/; both appear to be web hosting companies.

      So if this is one big Chinese government conspiracy, it seems to be run through a number of companies, including dedicated hosts, not just hardware manufacturers.

  3. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  4. Seagate admits it by Camael · · Score: 3, Informative

    > The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.

    Untrue. The Seagate article can be found here: http://www.seagate.com/www/en-us/support/downloads/personal_storage/ps3200-sw/
    So this is not a hoax, after all.
    1. Re:Seagate admits it by ColdWetDog · · Score: 2, Informative

      Well that link throws a 404 error. Searching for "Trojan" on the Seagate site just gave me a couple of links to a Terms of Use agreement. I just didn't have the heart to explore that concept further.

      --
      Faster! Faster! Faster would be better!
  5. Re:How would that even work by totally bogus dude · · Score: 2, Informative

    Autorun can definitely run EXEs; that's its main purpose. That's how the installer automatically starts up when you insert a game or application CD. It's possible that the exe needs to be signed or something, but it's more likely that whatever program you were using simply "did it wrong".

    Don't forget that you can also disable autorun permanently, rather than having to remember to hold shift every time you insert a disc.
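The launch mechanism comment 5 describes lives in the drive's autorun.inf: the `open=`, `shellexecute=` and `shell\<verb>\command=` entries name a program for Windows to start. Below is an added triage script (not code from the article, Seagate, or any commenter) that parses an autorun.inf the way a practitioner inspecting a suspect drive would want: tolerant of the junk lines and odd casing real samples use, and listing every entry that would launch a program. Both autorun.inf samples are constructed for this example; the only name taken from the page is ghost.pif, which the summary reports as the dropped file.

```python
import re

# Keys under [autorun] that make Windows launch a program when the volume is
# processed; key names are compared case-insensitively, as Windows does.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: what a malicious autorun.inf of the kind the summary
# describes might look like. "ghost.pif" is the file name the article reports;
# the comment line and the trailing garbage line are typical padding.
MALICIOUS_INF = """\
;;;;;;;;;;;;;;;;;;;;;;;;;
[AutoRun]
OPEN=ghost.pif
shellexecute=ghost.pif
shell\\open\\Command=ghost.pif
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
xjdkqwlqpeirutyalskdjfhg
"""

# Constructed sample of the benign case (the installer CD from comment 5).
BENIGN_INF = """\
[autorun]
open=setup.exe
label=Some Game
icon=setup.exe,0
"""


def parse_autorun(text):
    """INI-style parse that ignores junk; returns {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside a section or without '=' is ignored
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """(key, command) pairs under [autorun] that would launch a program."""
    entries = parse_autorun(text).get("autorun", {})
    hits = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            hits.append((key, value))
    return hits


def program_of(command):
    """Program part of a command line: a leading quoted path or the first token."""
    text = command.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return (text[1:end] if end > 0 else text[1:]).lower()
    return text.split()[0].lower() if text else ""


def report(text):
    """One triage line per launch entry, or a note that there are none."""
    hits = launch_targets(text)
    if not hits:
        return ["no launch entries"]
    return [f"{key} -> {program_of(command)}" for key, command in hits]


if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        print(name)
        for line in report(inf):
            print("  " + line)
```

The parser is deliberately looser than `configparser`: malicious autorun.inf files routinely carry comment padding, random bytes and mixed-case keys, and a strict parser that rejects the file would report "nothing to launch" on exactly the samples you care about. Note that the benign installer and the trojan look identical to this script; autorun.inf cannot tell you whether the program is trustworthy, only that something will run.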

  6. Nope by The MAZZTer · · Score: 2, Informative

    Default Windows settings would run the trojan once you plugged the drive in. To avoid this you have to hold Shift for an indeterminate amount of time while plugging the drive in, which can be difficult or impossible. With such a drive you're likely to use a more inaccessible port because you likely won't be needing to unplug it much. The only alternative is to disable autorun for removable drives. This option is not available in the standard GUI and third party tools (or TweakUI) are needed.

    1. Re:Nope by LurkerXXX · · Score: 5, Informative

      3rd party tools? Who needs 3rd party tools?

      gpedit.msc

      It's a windows GUI tool.

      Computer Configuration > Click "Administrative Templates" > Click "System" > Double-Click "Turn off Autoplay", set it for "All Drives" and click the "apply" button.

  7. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  8. More Info on the Worm by essinger · · Score: 2, Informative

    The article doesn't state it but this seems to be the worm W32.Drom. Symantec rates the threat as Very Low with 0-49 total infections. Take that with however many grains of salt you wish.

  9. Re:First off... by colfer · · Score: 5, Informative

    Overriding autorun can be done in the registry, so you don't have to remember to hold down the shift key. Does it work for USB hard drives? Probably. These are the notes I have.

    Works for USB drives and CD-ROMS.
    [2007/10, from:
    http://www.mydigitallife.info/2006/09/11/disable-auto-run-and-auto-play-of-u3-smart-drives-launchpad/]

          1. Click Start -> Run.
          2. Type RegEdit in the Open text box, then press ENTER.
          3. In the Registry Editor, locate and click the following registry key:

                HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom
          4. Modify the value of the Autorun to 0 (zero) so that CD-ROMs and Audio CDs do not run and start automatically when inserted.
          5. Next navigate to the following registry subkey:

                HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
          6. Modify the value of the NoDriveTypeAutoRun entry to 0xb5 to turn off the AutoRun feature for CD-ROMs: right-click NoDriveTypeAutoRun, click Modify, type B5 in the Value data box, select Hexadecimal, and then click OK.
          7. Quit Registry Editor.
          8. Restart your computer.

  10. Re:First off... by networkBoy · · Score: 3, Informative

    Um... I've always found it more convenient to mount drives as a subdir in windows, doubly so if you have tons of drives.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  11. Doesn't work for XP Home by Anonymous Coward · · Score: 2, Informative

    > It's a windows GUI tool.

    Not for XP Home or other crippled MS products...

  12. Technet says 0xff not 0xb5 by Anonymous Coward · · Score: 1, Informative
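Comments 9 and 12 disagree on what to put in NoDriveTypeAutoRun (0xb5 versus 0xff). The value is a bitmask, one bit per drive type as reported by GetDriveType (bit = 1 << type; 0x80 is the unspecified slot), and a set bit disables Autorun for that type. The added example below (mine, not from the article or any commenter) decodes a mask, reports which drive types it still leaves Autorun on for, and emits a .reg fragment for the policy key the comment 9 procedure edits. The decisive detail for this story: a USB hard disk usually enumerates as DRIVE_FIXED, and 0xb5 leaves that bit clear, which is why 0xff is the value to use.

```python
# Bits of the NoDriveTypeAutoRun DWORD. A set bit disables Autorun for that
# drive type. Values follow GetDriveType: DRIVE_UNKNOWN=1 ... DRIVE_RAMDISK=6,
# bit = 1 << type; 0x80 is the unspecified/reserved slot.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB flash sticks
    0x08: "DRIVE_FIXED",       # internal disks and most USB hard disks
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}
ALL_DRIVES = 0xFF  # the value comment 12 reports TechNet recommending

# Policy key written by the comment 9 procedure; the HKLM copy wins over HKCU.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def decode(mask):
    """Map each drive type to True if Autorun is disabled for it by this mask."""
    return {name: bool(mask & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def still_autoruns(mask):
    """Drive types for which this mask still leaves Autorun enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def mask_for(names):
    """Build a mask that disables Autorun for exactly the named drive types."""
    by_name = {name: bit for bit, name in DRIVE_TYPE_BITS.items()}
    mask = 0
    for name in names:
        mask |= by_name[name]  # KeyError on a typo is the desired failure
    return mask


def reg_fragment(mask, hive="HKEY_LOCAL_MACHINE"):
    """A .reg file body setting NoDriveTypeAutoRun under the policy key."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{hive}\\{POLICY_KEY}]\n"
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}\n'
    )


if __name__ == "__main__":
    for mask in (0x91, 0xB5, ALL_DRIVES):
        print(f"0x{mask:02x}: still autoruns on {still_autoruns(mask) or 'nothing'}")
    print(reg_fragment(ALL_DRIVES))
```

Running it shows 0xb5 covering unknown, removable, remote, CD-ROM and reserved drives but not DRIVE_FIXED, DRIVE_NO_ROOT_DIR or DRIVE_RAMDISK, so an external hard disk that reports itself as fixed is not protected by the comment 9 value. Setting the mask is only half the check: Microsoft's KB 967715 later documented that some Windows builds needed an update before this value was honored consistently, so after applying it, confirm behaviour by inserting a test volume with a harmless autorun.inf rather than trusting the registry value alone.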
  13. Re:Troll Alert... by Jugalator · · Score: 2, Informative

    OK, then use msconfig for a built-in autostart UI, if you must. :-p

    --
    Beware: In C++, your friends can see your privates!
  14. Re:Threadjack: WTF? by Lennie · · Score: 2, Informative

    The problem is most Windows users format the disk from within Windows.

    Then the malware already automatically gets run.

    --
    New things are always on the horizon
  15. Re:Troll Alert... by ozmanjusri · · Score: 2, Informative
    > use msconfig for a built-in autostart UI,

    That won't work.

    msconfig is a diagnostic tool for disabling programs which are loaded at boot time. It has nothing to do with autoloading CDs.

    There is no built-in autostart ui. If you're scared of the registry, you can download TweakUI, but you'll still need to disable autostart on a drive-by-drive basis.

    --
    "I've got more toys than Teruhisa Kitahara."