Walmart Photo Keychain Comes Preloaded With Malware
Blowit writes "With the Christmas holidays just past, opening up your electronic presents may get you all excited, but not for a selected lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus is on the device. I scanned the one I have and AVAST did not find any virus ... So I went to Virscan.org to see which vendors found what, and the results are here and here." Update: 12/29 05:44 GMT by T: The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.
No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?
According to those links you provided, Trend Micro did not find anything wrong. (could be different settings, version, &c.) However... many of the positives were heuristic and, as further evidence of this, the identifications were not consistent.
Maybe it's just badly coded junk; nearly as bad, perhaps, but exactly what you'd expect from the Wal*Mart holiday special.
(insert obligatory comment about slashdot editors)
Keep in mind that it might be a false positive. Those happen, and sometimes you find the same false positive in more than one AV product when they simply copy from each other instead of creating their own definitions from the real thing.
An example is the game The Witcher, which triggered a false AV protection in ESET NOD32 antivirus. Then, suddenly, a couple of months later, a couple of other products also started seeing a virus here. There was none -- the packer that had been used by the game had also been used for a virus, and the signature was copied from NOD32 to some less successful AV programs without further ado.
So, don't just take it at face value that there is a virus -- especially not when none of the really big players with low false positive rates can detect it. It may be one, but don't blindly assume so.
Sure, but as long as it's up on /. I'm sure people who have one of these things will appreciate the warning. Just my opinion, but it's not all that bad to repeat similar stories every once in a while if it's the kind of thing that people are likely to get complacent about and/or forget about.
Hmm... I see a bunch of AVs that are prone to give false positives give positives, while F-Secure, Kaspersky, AntiVir, AVG, McAfee don't give anything off. Gee, could it possibly be that it's a false positive? [Hurr]OH I DUNNO[/Durr]
For those sarcastically challenged.
Yes, it's 99.99% sure to be a false positive.
I suppose it's no surprise then that Trend Micro (and likely McAfee) went berserk while Avast did not? Although I think we had that controversy with the "ClamAV vs McAfee" virus scanning thing a year or two back.
If it's already known to be such a problem, then why does Microsoft continue to enable autoplay by default in Windows? It's annoying enough to have autoplay applications pop up on the screen every time you insert a CD, but with USB flash drives it's just plain reckless.
USB storage devices are today's floppy disks. People use them to move files between computers, and a single device may get plugged into dozens of computers. So a lot of trojans/malware now detect when a removable drive is connected to the computer and automatically infect the drive and create an autorun.inf file so that the next computer that the thumbdrive/digital camera/iPod/PSP/etc. gets connected to will be infected as well.
Yet most Windows users seem completely oblivious to this danger. And with the proliferation of USB storage devices this problem will just get worse. At the very least users should be prompted before executing an autoplay program.
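The autorun.inf mechanism the comment above describes, as an added example that is not part of the original thread: a small Python auditor that parses the file's INI-like syntax by hand (case-insensitive section and key names, duplicate keys kept) and reports every entry that would run code, or remap the drive's double-click action, when the media is inserted. The sample files, file names, directory heuristics and severity labels are constructed for illustration and are not taken from any real infected drive.

```python
"""Audit an autorun.inf for entries that launch code on media insertion.
Added example; the sample files below are constructed, not recovered from a real drive."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}          # run by AutoRun itself on insertion
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
SUSPICIOUS_DIRS = ("recycler", "recycled", "system volume information")  # heuristic hiding spots


def parse_autorun(text: str) -> dict:
    """INI-style parse: {section_lower: [(key_lower, value), ...]}, keeping duplicates and order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def first_token(value: str) -> str:
    """Program path from a command line: the quoted string, else the first bare token."""
    m = re.match(r'"([^"]*)"|(\S+)', value)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def audit_autorun(text: str) -> list:
    """Return (severity, key, detail) findings for the [autorun] section of one file."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        is_launch = key in LAUNCH_KEYS
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key == "shell":   # shell=<verb> makes that verb the double-click default
            findings.append(("medium", key, f"default verb remapped to {value!r}"))
            continue
        if not (is_launch or is_verb_cmd):
            continue         # icon=, label=, action= and friends do not run anything
        target = first_token(value).lower()
        ext = "." + target.rsplit(".", 1)[-1] if "." in target else ""
        severity, detail = ("high" if is_launch else "medium"), f"runs {target!r}"
        if "rundll32" in target:
            severity, detail = "high", f"rundll32 loader: {value!r}"
        elif ext not in EXEC_EXTS:
            detail += f" (non-standard extension {ext or 'none'!r})"
        if any(d in value.lower() for d in SUSPICIOUS_DIRS):
            severity, detail = "high", detail + "; target inside a hidden/system directory"
        findings.append((severity, key, detail))
    return findings


# Constructed sample in the style of worm-written autorun.inf files (names are made up).
MALICIOUS_SAMPLE = """\
[AutoRun]
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
open=RECYCLER\\S-1-5-21-0000\\cache.exe
shellexecute=RunDLL32.EXE .\\RECYCLER\\S-1-5-21-0000\\cache.dat,InitRoutine
shell\\open\\command=RECYCLER\\S-1-5-21-0000\\cache.exe
shell=open
"""

# Constructed benign sample: only cosmetic keys, nothing is executed.
BENIGN_SAMPLE = """\
[autorun]
icon=photoframe.ico
label=Digital Photo Frame
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, audit_autorun(sample) or "no launch entries")
```

Run it against a real file with audit_autorun(open(path, encoding="latin-1").read()). The rules only say what the file would launch, not whether it is malicious: a legitimate vendor CD with open=setup.exe also produces a "high" finding. For the blanket fix the comment asks for, setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun on every drive type, and Microsoft later stopped honouring autorun.inf on non-optical media altogether (Windows 7, back-ported to XP and Vista as KB971029).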
Care to explain how a rootkit could be considered anything but malware?
If they do nothing else, they compromise the security of a system.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Erh... not entirely true.
Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.
Most AV suites today are able to unpack those runtime packers. I know of a suite that even sandboxes the program and executes it in a virtual machine to see if it results in some unpacked code.
Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in RAM, eating up space needlessly, so I stopped using them. RAM is precious, HD space isn't.
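A worked check for the runtime-packing question in the comment above, added here and not code from the original thread: a Python script that parses a PE file's section table, computes per-section Shannon entropy, and applies the three cheap indicators a scanner's heuristics start from (well-known packer section names, sections that are both writable and executable because the unpacking stub writes code into them, and a high-entropy section holding the compressed payload). It fabricates two minimal PE32 images in memory so it runs offline; the IMAGE_SCN_* flag values and header offsets are the real ones, but the images, section contents and the 7.0 bits/byte threshold are constructed for illustration.

```python
"""Static runtime-packing check for a PE file (added example, not from the thread).
Three indicators: known packer section names, writable+executable sections,
and a high-entropy section.  build_pe() fabricates test images in memory."""
import hashlib, math, struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0",
                        ".nsp1", ".nsp2", ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".themida"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]      # Characteristics
        if rptr + rsize > len(blob):
            raise ValueError("section %d points outside the file" % i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_size": vsize, "raw_size": rsize,
                    "entropy": shannon_entropy(blob[rptr:rptr + rsize] if rsize else b""),
                    "wx": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return out

def packer_indicators(blob: bytes) -> list:
    """Reasons the file looks runtime-packed; an empty list means none found."""
    reasons = []
    for s in pe_sections(blob):
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']}: known packer section name")
        if s["wx"]:
            reasons.append(f"{s['name']}: writable+executable (unpacker writes code here)")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000 and s["wx"]:
            reasons.append(f"{s['name']}: empty on disk but large in memory (unpack target)")
    return reasons

def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def build_pe(sections: list) -> bytes:
    """Fabricate a minimal PE32 from (name, raw_bytes, characteristics, virtual_size).
    Only the fields pe_sections() reads are filled in; this is not a loadable program."""
    e_lfanew, opt_size, file_align, sect_align = 0x40, 0xE0, 0x200, 0x1000
    hdr_end = _align(e_lfanew + 24 + opt_size + 40 * len(sections), file_align)
    table, payload, raw_ptr, vaddr = b"", b"", hdr_end, sect_align
    for name, data, chars, vsize in sections:
        rsize = _align(len(data), file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        payload += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += _align(max(vsize, 1), sect_align)
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    return (hdr + table).ljust(hdr_end, b"\0") + payload

def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed code."""
    out, h = b"", b"seed"
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed samples: compiler-style flags for the plain build, UPX-style R+W+X for the packed one.
CODE, RDATA, DATA, UPX0_FLAGS, UPX1_FLAGS = 0x60000020, 0x40000040, 0xC0000040, 0xE0000080, 0xE0000040
_text = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 256   # repetitive, low-entropy "code"
UNPACKED_PE = build_pe([(".text", _text, CODE, len(_text)),
                        (".rdata", b"Hello, frame\0" * 40, RDATA, 520),
                        (".data", b"\0" * 256, DATA, 256)])
PACKED_PE = build_pe([("UPX0", b"", UPX0_FLAGS, 0x8000),
                      ("UPX1", _pseudo_random(4096), UPX1_FLAGS, 4096),
                      (".rsrc", b"\0" * 64, RDATA, 64)])

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

Entropy alone proves nothing: a section full of embedded PNG or ZIP resources scores just as high, which is exactly the lookalike that produces the false positives discussed earlier in the thread. A scanner that stops at these indicators instead of emulating the unpacker stub is the one that will flag innocent packed software.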
And about every security researcher on this planet agrees with me. Now, who would you rather listen to when it comes to the security concerns of your computer?
> RAM is precious, HD space isn't.
Speed is precious too. Executable packers make sense when your .exe is something like 40MB, because your stupid project manager forced you to include a bunch of idiotic resources into it, something along the lines of bitmaps and uncompressed wave files (true story!). It may sound funny, but with current run-of-the-mill consumer CPUs it is actually faster to read a small file from the HD and uncompress a resource than to wait for the whole executable to load all this bloat. Still, we're talking about a speed difference of around 300-400ms (yes, I took these out from my ass, but those were results of our crappy testbed), so it's not something a typical consumer would notice, although pretty numbers are a good thing when your boss doesn't know shit about computers.
"We are the music makers, and we are the dreamers of dreams [...]."
Technically, kernel level debuggers can be classified as rootkits, as they use rootkit techniques to gain the level of access they need to be able to work.
I think that's _exactly_ the wrong way to go about this.
"Here, in order to stop your OS from doing stupid things that get you infected, download this FREE utility from an obscure site that's too hip to spell '4' as 'for'. It's harmless, I PROMISE!"
That's the other kind of attack vector that lands people in trouble with their machines.
And reading the other post above suggesting different obscure registry settings: EXCUSE ME, this is 2009 (almost), I thought we were _advancing_ on usability. This is just sick.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.
If the virus can detect the antivirus, then your antivirus fails at sandboxing.
That's frankly nonsense about disabling USB ports. The military uses USB sticks extensively to transmit bulky data in the field relatively securely, without relying on vulnerable network connectivity or complex intervening VPN or unreliable transfer technologies. And far too many peripheral devices, from mice to graphics plotters to speakers, are now USB, so you can't simply plug that port or disable them in the BIOS.
More sophisticated tools to block digital storage on removable media are available, but their use seems particularly likely on those only lightly secured machines for office or semi-personal work, and the presence of malware or keystroke loggers would certainly cause a Pentagon security effort such as we saw referenced.
Not particularly, actually. They'll still leave traces usually, just like most malicious rootkits. In any event the original/old definition of malware just being any malicious software isn't strictly true anymore. In most cases I find most people seem to classify "bad things" as either virus, spyware, malware, or now rootkit. I should note I see this from the semi-technoliterate initially, and then the AV vendor types seem to start using the same 'definitions' to describe the "bad things" a PC can get, adding validity in a bad way.