Slashdot Mirror


Malware Distribution Through Physical Media a Growing Concern

twitter brings us a story about the increasing number of digital devices reaching consumers with malware already installed. In this case, digital photo frames from three different Sam's Club stores were found to contain the same type of malicious code. We discussed a similar problem with iPods a while back, as well as a more recent situation with Maxtor hard drives. Quoting the Register: "While a compromise at the manufacturer is the most likely scenario, ISC's Sachs also pointed to retailers as a possible point of infection. Returned products, which could have been infected by the consumer, are frequently put back on the shelf, if they are in sale-able condition, and attackers could take advantage of a store's poor digital hygiene, he said. 'Trying to (infect a product) all the way back at the factory — getting it through all the checks and balances — would be pretty hard to do,' he said. 'But doing it at the store, where there might be loose return policies, and (where) they put it back on the shelf - you are not going to get a million infections, but you might get a person from an investment bank next door.'"

12 of 141 comments

  1. Pretty bad when photo frames spread computer virus by Secrity · · Score: 2, Insightful

    I bet that most people would have NO idea that this could possibly happen.

  2. It's only a problem if you use Windows. by Anonymous Coward · · Score: 5, Insightful

    These days, it's really only a problem if you use Windows. Those of us using Linux, *BSD, Solaris, Mac OS X, and other non-Windows operating systems have little to worry about.

    Now, someday this may start to affect other, non-Windows operating systems. But in many ways I don't think it will be as much of an issue, because many of the alternative OSes have a far more sensible security model than that of Windows. So what easily causes problems with Windows has little to no effect on Solaris, Linux or OpenBSD.

  3. Malware Economics 101: It's a quantity game by G4from128k · · Score: 4, Insightful

    I'd seriously doubt that malware distributors would focus on returned products as a vector for infection. The value of a pwned PC is simply too low to justify the labor of buying a product, infecting it, and returning it in hopes that it will infect another machine.

    Rather, I suspect infection at or near the source -- slipping malware into the firmware or shipped software that goes with the device. At that point in the software delivery chain, a single act of infection can be distributed to tens or hundreds of thousands of machines. I could also imagine targeting highly promiscuous machines (e.g. WiFi routers) that have a high chance of being in contact with other promiscuous machines (i.e. other routers or laptops).

    Although I'm sure some people get their grins by infecting one machine at time, the malware industry is more about collecting the largest quantity of machines at the lowest possible cost.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Malware Economics 101: It's a quantity game by garett_spencley · · Score: 4, Insightful

      I agree with you, but never think that there aren't assholes out there who get kicks off of sticking it to random strangers. Money can greatly escalate a problem and its scope, but sometimes people are just jerks and gladly act as such for free.

      If the world was asshole-free then people would never get their cars keyed, tires slashed or houses egged unprovoked.

  4. Sony? Sears? by dotancohen · · Score: 4, Insightful

    The cases mentioned were just the accidents. What about deliberate malware installations, such as those done by Sony and Sears?

    --
    It is dangerous to be right when the government is wrong.
  5. Special software included. Yay. by cliffiecee · · Score: 4, Insightful

    "Trying to (infect a product) all the way back at the factory - getting it through all the checks and balances -- would be pretty hard to do"

    No, it isn't anymore. Somebody in marketing had the bright (read: revenue-producing) idea of loading up a new storage device (which should be blank, damnit) with a bunch of advertising crap. Combine this with Windows' oh-so-helpful autolaunch features. Frankly I'm surprised it took this long to become a problem.

    I long for the days when you could buy an UNFORMATTED device. The OS would tell you it's unformatted, so you formatted it. Done.

  6. the pervasiveness of malware contributes by Grampaw Willie · · Score: 2, Insightful

    The pervasiveness of the malware problem contributes to this

    Our shop had one shrink wrapped package that had malware included and when this was tracked down the vendor didn't know they had become infected and were distributing shrink-wrapped malware

    this underscores the importance of putting a stop to malware

    the fundamental error is at the concept level: it is wrong to think it is OK to run your programs on someone else's computer without their knowledge or permission

    to invert this properly back to the other end of the pole it is wrong to think that a computer should run anything and everything that anyone sends to it which is what is going on with the promiscuous Ms Window

    and so this is a concept that has to change

    programming changes have to be properly documented, authenticated and approved before they are applied. and this should apply to everything from cell phones to computers

    ya think ya wanna argue with this? don't bother: the security mess we got on our hands say all that needs to be said. the concept of promiscuous remote updates has caused nothing but trouble. It's a concept that is a disaster and that has to be corrected, PDQ

    NO SIGNATURE? NO EXECUTE.
  7. Re:Stupid idea by garett_spencley · · Score: 3, Insightful

    While I agree that auto-executing anything is very bad practice, most average users would go ahead and run the program anyway without giving any consideration to its safety (or just assuming that it's safe because it wouldn't make sense for the manufacturer to harm their customers' computers ... never thinking about a man-in-the-middle type of scenario).

  8. I plead guilty... sort of by dbc · · Score: 4, Insightful

    Once upon a time I managed a software product testing team. Part of our standard flow for all release candidate CDs was to get fresh signatures and virus scan as both step one and also with refreshed signatures as the last step (2 or 3 weeks later) of declaring a release candidate ready for release. We *still* shipped a CD with malware once, a virus that was too new to show up in the signature files from the scanning software company. Luckily, it was a beta that went to less than 100 customers, and it was a relatively benign Word macro virus. Still, I had to explain to a Vice President how we did virus scanning for releases.

    As a result of this, we started using virus scanners from three different manufacturers. As a software vendor, the risk of shipping a nasty virus to your best customers is very real, no matter how hard you try to prevent it.

  9. Autorun is evil by kybred · · Score: 4, Insightful

    A better way is to turn off autorun,

    I almost got some malware from autorun off a thumb drive, fortunately the anti-virus recognized it and stopped it from running. When that happened, I looked for a surefire way to turn off autorun (and autoplay) but all I found was a bunch of registry edits that may or may not (according to different accounts) turn off autorun/autoplay. Why is there no global option in a Windows control panel for that?

    1. Re:Autorun is evil by Anonymous Coward · · Score: 1, Insightful

      hold shift when you connect/insert media and auto-run won't go

  10. Re:Stupid idea by mstahl · · Score: 3, Insightful

    This is just what I've always been talking about with Windows. Why does it take this level of deep knowledge of the operating system to secure against the most idiotic of exploits? Ask an engineer of any other operating system about autorunning executable code from just any media that's inserted and they'll look at you like you've been taking crazy pills.

    This is along the same lines as many other questions I have about Windows, like why can image files execute code? Why is it possible for ActiveX scripts to change system registry values and download software to your hard drive? Why is everything not named the same between versions? Why does everyone still use it?

    Le sigh....
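
Several comments above point to Windows autorun as the mechanism that lets preloaded media launch code. As an added example (not part of the original thread or any commenter's code), this Python script lists the `autorun.inf` directives on a volume that would start a program; the sample file contents and file names in it are constructed.

```python
import os

# autorun.inf keys that make Windows start a program from the volume.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def launch_directives(text):
    """Keep entries that execute something: open, shellexecute, shell\\<verb>\\command."""
    hits = []
    for key, value in parse_autorun(text):
        shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or shell_cmd) and value:
            hits.append((key, value))
    return hits

def audit_volume(root):
    """Find autorun.inf at the volume root (any letter case) and list launch directives."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), errors="replace") as fh:
                return launch_directives(fh.read())
    return []

# Constructed sample, not taken from any real device.
SAMPLE = """[AutoRun]
Open=setup\\viewer.exe /quiet
Icon=frame.ico
shell\\browse\\command=tools\\helper.exe
[Content]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, value in launch_directives(SAMPLE):
        print(f"{key} -> {value}")
```

Pointing `audit_volume` at the mount point of a new device from a machine that does not honour autorun shows what the device would have tried to launch before it is ever plugged into a Windows host.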