Slashdot Mirror
Malware Distribution Through Physical Media a Growing Concern
twitter brings us a story about the increasing number of digital devices reaching consumers with malware already installed. In this case, digital photo frames from three different Sam's Club stores were found to contain the same type of malicious code. We discussed a similar problem with iPods a while back, as well as a more recent situation with Maxtor hard drives. Quoting the Register:
"While a compromise at the manufacturer is the most likely scenario, ISC's Sachs also pointed to retailers as a possible point of infection. Returned products, which could have been infected by the consumer, are frequently put back on the shelf, if they are in sale-able condition, and attackers could take advantage of a store's poor digital hygiene, he said. 'Trying to (infect a product) all the way back at the factory — getting it through all the checks and balances — would be pretty hard to do,' he said. 'But doing it at the store, where there might be loose return policies, and (where) they put it back on the shelf - you are not going to get a million infections, but you might get a person from an investment bank next door.'"
and it wants its headline back.
(yes I know this is a different story than back then, but it's the same headline)
I bet that most people would have NO idea that this could possibly happen.
These days, it's really only a problem if you use Windows. Those of us using Linux, *BSD, Solaris, Mac OS X, and other non-Windows operating systems have little to worry about.
Now, someday this may start to affect other, non-Windows operating systems. But in many ways I don't think it will be as much of an issue, because many of the alternative OSes have a far more sensible security model than that of Windows. So what easily causes problems with Windows has little to no effect on Solaris, Linux or OpenBSD.
Trying to (infect a product) all the way back at the factory - getting it through all the checks and balances
... well. This whole scenario is hardly surprising.
Apparently this guy has never worked in a production firmware environment before: there are fewer checks and balances than you might think, especially because embedded-system guys generally don't have much awareness of Windows malware issues. Unfortunately, more and more embedded devices are being plugged into desktop machines, and with auto-run enabled
The higher the technology, the sharper that two-edged sword.
I've always said that autoexecuting stuff on any media inserted was the stupidest feature ever created. It's just asking for viruses to be installed. Actually strike that. It's the second stupidest thing. The stupidest thing is Windows being configured by default to restart for updates after the user doesn't respond for some very short amount of time.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I'd seriously doubt that malware distributors would focus on returned products as a vector for infection. The value of a pwned PC is simply too low to justify the labor of buying a product, infecting it, and returning it in hopes that it will infect another machine.
Rather, I suspect infection at or near the source -- slipping malware into the firmware or shipped software that goes with the device. At that point in the software delivery chain, a single act of infection can be distributed to tens or hundreds of thousands of machines. I could also imagine targeting highly promiscuous machines (e.g. WiFi routers) that have a high chance of being in contact with other promiscuous machines (i.e. other routers or laptops).
Although I'm sure some people get their grins by infecting one machine at time, the malware industry is more about collecting the largest quantity of machines at the lowest possible cost.
Two wrongs don't make a right, but three lefts do.
The cases mentioned were just the accidents. What about deliberate malware installations, such as those done by Sony and Sears?
It is dangerous to be right when the government is wrong.
I bought a new 80386 (maybe a 486 - I forget) motherboard a long time ago and it had a 5 1/4 floppy disk included with the board drivers software. It was also infected with the Michaelangelo virus. I never knew it until I saw a message on the FIDOnet BBS from some idiot in Bulgaria talking about how his virus was coming and it was going to kill everyone's computers.
I downloaded a free copy of McAffee and it found the virus on my computer as well as every floppy that I had inserted since then that wasn't write protected. McAfee's software offered to clean it but all it did was wipe out the MBR making it where I had to reformat and reinstall everything.
I told a friend at school who had just bought a similar motherboard. He broke the seal on his driver disk, scanned it, and found the virus there too. It was coming from the factory infected.
That was a lesson I will never forget and it happened almost 20 years ago.
"Trying to (infect a product) all the way back at the factory - getting it through all the checks and balances -- would be pretty hard to do"
No, it isn't anymore. Somebody in marketing had the bright (read: revenue-producing) idea of loading up a new storage device (which should be blank, damnit) with a bunch of advertising crap. Combine this with Windows' oh-so-helpful autolaunch features. Frankly I'm surprised it took this long to become a problem.
I long for the days when you could buy an UNFORMATTED device. The OS would tell you it's unformatted, so you formatted it. Done.
The pervasiveness of the malware problem contributes to this
Our shop had one shrink wrapped package that had malware included and when this was tracked down the vendor didn't know they had become infected and were distributing shrink-wrapped malware
this underscores the importance of putting a stop to malware
the fundamental error is at the concept level: it is wrong to think it is OK to run your programs on someone else' computer without their knowledge or permission
to invert this properly back to the other end of the pole it is wrong to think that a computer should run anything and everything that anyone sends to it which is what is going on with the promiscuous Ms Window
and so this is a concept that has to change
programming changes have to be proper documented, authenticated and approved before they are applied. and this should apply to everything from cell phones to computers
ya think ya wanna argue with this? don't bother: the security mess we got on our hands say all that needs to be said. the concept of promiscuous remote updates has caused nothing but trouble. It's a concept that is a disaster and that has to be corrected, PDQ
NO SIGNATURE? NO EXECUTE.Nice try; according to TFA, Digital Photo Frames are small flat-panel displays for displaying digital images. TFA didn't specify, but it was implied that they were sold by mainstream retailers.
I bought a digital photo frame from Microcenter that was infected. I can't recall what the specific trojan was, but it was fairly benign in so far as it just replicated itself. As I recall it was a fairly old trojan and not very sophisticated... but none the less, it was on the brand new frame that was still sealed in the original factory stuff.
I told Microcenter about it and they were like "Huh." Didn't ask anything more, nor did they remove the frames or check them. I was somewhat pressed for time, so I didn't try going up the chain of management to get someone to acknowledge that there was a problem.
It's a good thing I found it though, since it was a gift for my technologicallly illiterate parents. I had taken it out of the package to load pictures up on it. If I had just given it to them directly, I'm not sure what would have happened. AVG caught it when it was plugged in via USB, so probably nothing drastic, except a phone call from my Dad asking me what the pop-up box meant.
Digital devices reaching consumers with malware already installed?
Computers have been shipping with Microsoft products preinstalled for some time, I believe.
I work in manufacturing in China, and I would not be surprised in the least to find a worker who accepted a shockingly small bribe to place malware directly into factory produced firmware. Not saying that's what happened, but I sure wouldn't be surprised if it did. I also would not be surprised to discover that a worker's Windows PC transferred its infection to the master used for production.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Once upon a time I managed a software product testing team. Part of our standard flow for all release candidate CD's was to get fresh signatures and virus scan as both step one and also with refreshed signatures as the last step (2 or 3 weeks later) of declaring a release candidate ready for release. We *still* shipped a CD with malware once, a virus that was too new to show up in the signature files from the scanning software company. Lukily, it was a beta that went to less than 100 customers, and it was a relatively benign Word macro virus. Still, I had to explain to a Vice President how we did virus scanning for releases.
As a result of this, we started using virus scanners from three different manufacturers. As a software vendor, the risk of shipping a nasty virus to your best customers is very real, no matter how hard you try to prevent it.
Sophia, Bulgaria was the home of the Dark Avenger one of the most notorious virus authors in history. He was quite active during the 80386/80486 time period. Some interesting reading about what is known of him can be found in these links: http://en.wikipedia.org/wiki/Dark_Avenger http://www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html http://www.wired.com/wired/archive/5.11/heartof.html http://findarticles.com/p/articles/mi_m1511/is_n2_v14/ai_13381563/pg_9
-- I'd give my right arm to be ambidextrous
I almost got some malware from autorun off a thumb drive, fortunately the anti-virus recognized it and stopped it from running. When that happened, I looked for a surefire way to turn off autorun (and autoplay) but all I found was a bunch of registry edits that may or may not (according to different accounts) turn off autorun/autoplay. Why is there no global option in a Windows control panel for that?
1) Right before the equipment is put in the box it should have its memory reset to factory condition AND have the firmware compared to what it should be.
This will offer some protection against factory sabatoge.
No it won't - if the "factory sabotage" consisted of (deliberately or accidentally) having malware as part of "what [the firmware] should be".
2) Any time a unit is returned it should be reset to factory condition.
This will take care of shoppers who buy, infect, and return merchandise.
And how is a reailer supposed to do this? Do you know of ANY product that comes with a (true) "reflash to factory status" utility that doesn't depend on what's in the device itself - let alone a cross-industry standard for this? (And you can't trust the media returned with the device, either. If it's writable it also needs "resetting" - and if it's read-only it needs replacing with a fresh copy.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Erm - a single script file can easily update thousands of different configuration files on any platform. And for all the world-famous Windows user-friendlyness, I'll take editing some bizarre Linux scripts where key=value over trying to remember hexadecimal codes for Internet Explorer registry entries :-)
Lets not overlook the dangers of having a single, unrebuildable registry for all the system settings... What happens when it gets hosed? I seem to remember that Windows 95 used to keep two copies of the registry around and could rebuild it if you deleted it. Windows XP seems to have lost that ability - I have no idea if Vista has recovered it.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.