Walmart Photo Keychain Comes Preloaded With Malware

Blowit writes "With the Christmas holidays just past and opening up your electronic presents may get you all excited, but not for a selected lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus is on the device. I scanned the one I have and AVAST did not find any virus ... So I went to Virscan.org to see which vendors found what, and the results are here and here." Update: 12/29 05:44 GMT by T : The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.

Disassembled?

No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?

Re:Disassembled?

I don't shop at Walmart, but here's my story:

I dropped a brown rope this morning the size of a small black child. At one point, I wasn't sure if I was taking a shit, or it the shit was taking me. And while I'm on that point, what's the deal with taking a shit? Shouldn't it be leaving a shit? I'm certainly not taking anything with me when I'm done.

But back on topic, Walmart sucks ass

Re:Disassembled?

I don't shop at Walmart, but here's my story:

I dropped a brown rope this morning the size of a small black child. At one point, I wasn't sure if I was taking a shit, or it the shit was taking me. And while I'm on that point, what's the deal with taking a shit? Shouldn't it be leaving a shit? I'm certainly not taking anything with me when I'm done.

But back on topic, Walmart sucks ass

Why do we park in the driveway and drive on the parkway? I'll bet that blows the shit out of your mind.

Re:Disassembled?

Say, you wouldn't happen to be a big, beautiful all-American football hero type would you?

Re:Disassembled?

[MadnessASAP]

Perhaps he is the messiah Obama?

Re:Disassembled?

[darkpixel2k]

No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?

After seeing the slashdot article, I decided to scan one I recently bought for my wife. Sure enough. Virus.

Funny thing though--it didn't run under Linux.

Re:Disassembled?

twitter, is that you?

Re:Disassembled?

Funny thing though--it didn't run under Linux.

Does anything run under Linux? If only Linux could correctly run even a virus!

Re:Disassembled?

Does anything run under Linux? If only Linux could correctly run even a virus!

HAHA DISREGARD THAT, I SUCK COCKS

Re:Disassembled?

[GPLDAN]

It was compiled from a program called "poorwhitetrash.c"

Re:Disassembled?

[wastedlife]

Troll? I do believe the mods today haven't been reading bash.org.

Re:Disassembled?

[Repossessed]

Linux can infact run windows viruses, sometimes. Some trojans are WINE compatible. I have one on file that I pulled off a friends system.

Re:Disassembled?

[Miseph]

Correct me if I'm wrong, but I believe bash.org is essentially a collection of trolls.

Re:Disassembled?

Can we then safely assume that this was Microsoft Windows compatible only malware?

Re:Disassembled?

Does anything run under Linux? If only Linux could correctly run even a virus!

OMG - Did I just read a JAB at Linux? This isn't the /. I know and love.

Were they made by Sony?

[Zymergy]

I have read about Sony adding Malware (and Rootkits) to their consumer USB removable devices before...

I also wonder if these files "DPFMate.exe" and "FEnCodeUnicode.dll" are something someone post-production put on the devices or if these files are some intended application?
Never using a digital photo frame before, I assume one simply copies image files into a mounted USB attached drive letter folder? (similar to how USB drives mount as a removable drive letter folder in Windows)

Re:Were they made by Sony?

No, they weren't made by Sony. Walfart is getting into sub-prime lending by opening its own pwn shop.

Re:Were they made by Sony?

[blueg3]

Malware, no. Rootkits, yes.

Re:Were they made by Sony?

[Opportunist]

Care to explain how a rootkit could be considered anything but malware?

If they do nothing else, they compromise the security of a system.

Re:Were they made by Sony?

[stonedcat]

Sony disagrees with you there pal.

I mean shit, you wouldn't want people putting DRM protected pictures on their digital photo-whatsits.

Re:Were they made by Sony?

[Opportunist]

And about every security researcher on this planet agrees with me. Now, who would you rather listen to when it comes to the security concerns of your computer?

Re:Were they made by Sony?

[Lord_Sintra]

Technically, kernel level debuggers can be classified as rootkits, as they use rootkit techniques to gain the level of access they need to be able to work.

Re:Were they made by Sony?

[Opportunist]

Ok, if you really want to get technical, yes. But kernel level debuggers are usually far easier to get rid off than the average rootkit out there. :)

Re:Were they made by Sony?

[bev_tech_rob]

I think you need to turn on your sarcasm detector, hoss.....

Re:Were they made by Sony?

I wish I could get something to remove U3, and disable U3 from getting installed "accidentally" on any machines in my shop.

Re:Were they made by Sony?

[Opportunist]

Don't worry, I noticed it. I just tend to resort to knee-jerk reactions every time Phony is mentioned.

Re:Were they made by Sony?

[splatter]

u3, is a pain in the ass.

I managed to get rid of it though. I believe I killed the process in taskmgr while the stick was mounted, then used diskmgr to remove both partitions and repartition the disk as one full storage device rather then a large portion + a few megs for u3.

Oh and then just make a md5 rule to disallow any more instance of u3 to run so your users can't bring a fresh stick in and screw you up. Of course I'm speaking in windows, so ummv.

Good Luck,
DP

Re:Were they made by Sony?

[cawpin]

You might want to read your submission. It makes absolutely no sense. What is a root kit? Oh yes, malware.

Re:Were they made by Sony?

WHOOSH!

Re:Were they made by Sony?

[Cowmonaut]

Not particularly actually. They'll still leave traces usually, just like most malicious rootkits. In any event the original/old definition of malware just being any malicious software isn't strictly true anymore. In most cases I find most people seem to classify "bad things" as either virus, spyware, malware, or now rootkit. I should not I see this from the semi-technoliterate initially and then the AV vendor types seem to start using the same 'definitions' to describe the "bad things" a PC can get, adding validity in a bad way.

Re:Were they made by Sony?

Care to explain how a rootkit could be considered anything but malware?

If they do nothing else, they compromise the security of a system.

Sometimes that's desirable.

TL,DR: People were deliberately loading the rootkits from Sony cds into their computers to get around WoW's bot-checks.

Re:Were they made by Sony?

[Briareos]

Care to explain how a rootkit could be considered anything but malware?

Well, this one is considered "security software" by the manufacturer. Then again - we all know how much security by obscurity helps... (hook up the drive to another machine, anyone?)

np: Tocotronic - Letztes Jahr Im Sommer (7''-Version, 1994) (Digital Ist Besser)

Re:Were they made by Sony?

[Zibblsnrt]

The times I've had to get that crap off a system I felt I needed a priest rather than a technician. Ugh.

Re:Were they made by Sony?

[blueg3]

Compromising the security of a system isn't sufficient to classify software as malware. If it were, the majority of the software on a system, including its operating system, might be considered malware.

Malware is generally classified as such by intent. While plenty of people may not agree with the Sony's intent, myself included, I think it's quite distinct from the intent of real malware. Malware generally does some combination of performing communications against your consent, harvesting personal data and storing or transmitting it against your consent, intentionally and maliciously rendering your computer or data unusable, and exploiting security vulnerabilities to perform actions the malware would not normally be privileged to perform.

What a rootkit is depends on who you ask. The earlier definition is that it is software that performs privilege escalation -- so would always or almost always be malware. To my knowledge, the Sony software doesn't do this. The modern definition is that it is software that uses privileged operations to conceal itself from the user and the system. The Sony rootkit does do this, as do a number of debugging and anti-malware tools.

Re:Were they made by Sony?

[an+unsound+mind]

The u3 remover from Sandisk fixed my stick.

Re:Were they made by Sony?

[Bastard+of+Subhumani]

It's irrelevant who any of us would listen to. The government makes the laws and they listen to whoever has the most money. Sadly, that's probably Sony.

Re:Were they made by Sony?

[Opportunist]

When governments issue laws against the interests of people, people will ignore and violate those laws. A law violated is another law endangered, and once the dam breaks, why bother upholding any laws anymore?

Essentially, governments making laws that are not supported by the general population leads to more crimes. So, in a way, governments that pass laws against the public interest are to blame for an increase in crime rates.

Re:Were they made by Sony?

[Bastard+of+Subhumani]

When governments issue laws against the interests of people, people will ignore and violate those laws.

Maybe so in fantasy land. In the real world, the government sends thugs to smack their heads in.

Old news

[Afforess]

This is old news. It has happened before. Case and Point.

Re:Old news

[wdsci]

Sure, but as long as it's up on /. I'm sure people who have one of these things will appreciate the warning. Just my opinion, but it's not all that bad to repeat similar stories every once in a while if it's the kind of thing that people are likely to get complacent about and/or forget about.

Re:Old news

[lysergic.acid]

if it's already known to be such a problem, then why does Microsoft continue to enable autoplay by default in Windows? it's annoying enough to have autoplay applications pop up on the screen every time you insert a CD, but with USB flash drives it's just plain reckless.

USB storage devices are today's floppy disks. people use them to move files between computers, and a single device may get plugged into dozens of computers. so a lot of trojans/malware now detect when a removable drive is connected to the computer and automatically infect the drive and create an autorun.inf file so that the next computer that the thumbdrive/digital camera/iPod/PSP/etc. gets connected to will be infected as well.

yet most Windows users seem completely oblivious to this danger. and with the proliferation of USB storage devices this problem will just get worst. at the very least users should be prompted before executing an autoplay program.

Re:Old news

[blueg3]

USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is. This is how the U3 devices work, which present both a "CD" and a USB disk. The operating system can't really enforce policies on how USB devices present themselves to the system.

Also, my Vista machine, by default, does not actually run the AutoPlay executable without user confirmation.

Re:Old news

I believe the phrase is "case in point".

Re:Old news

[Eil]

Case in point.

</grammar nazi>

Re:Old news

[trum4n]

every flash drive i have, even my card SD reader, AutoPlays. And i the only person that dosetn run AntiVirus......yet has no computer problems? this is year 3 without a single problem. WinXP Pro, modified to get rid of auto updates and the DRM, never a problem. Hell, i download from LimeWire, and the internet in general, and have no problem. I dont open things from untrusted sources, and i use firefox with adblock.

Re:Old news

[lysergic.acid]

USB devices certainly are eligible for autoplay, they just prompt the user when the device is first connected by default. however, an autorun.inf file can still change the default action for that drive, so that when the user double clicks on the volume in My Computer, it will run the autplay program rather than open up the drive for browsing. and in that situation the user gets no warning.

and i'm not sure what U3 is, but i know that if a removable drive has a partition formated with CDFS, Windows will assume that it's a copy-protected CD and will allow autoplay without the user's consent regardless of your autoplay settings. i think this can be done with any USB drive, which in a way makes disabling autoplay or prompting the user useless. just one more way consumers get screwed by DRM i guess.

Re:Old news

Why did I have to run out of mod points before I read this? I would've modded you down for your horrendous grammar and spelling. You're an idiot. An hero now, please, for the sake of our goddamn species.

Re:Old news

[ConceptJunkie]

That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it. I don't want autolaunch. I've never wanted it. I never will want it. And yet, I'm stuck with it for all eternity on every Windows machine I will ever use.

Re:Old news

[Opportunist]

Because of stupid users who're unable to open an Explorer and run programs. They want to slip in their CD and they want their game or program to start without having to worry about the system. I know at least two people who start their programs by opening and closing the CD try with the relevant CD inside. I know that because I routinely go there twice a month to harvest a sample of the latest trojans running rampart...

Re:Old news

I am pretty sure English is not that guy's first language. Be nice =)

Re:Old news

Dude, it's case in point, not and. I don't normally bother with that sort of thing, but I figure it will save you some embarrassment sooner or later.

Re:Old news

[Macthorpe]

Vista provides you with an Autoplay menu rather than just playing the thing, even if autorun.inf is present - if you don't want it to pop ever again, you can hit 'Do nothing' and 'Never ask me again'.

Re:Old news

[gparent]

That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it.

There's a registry hack on google.

Re:Old news

[Mycroft_VIII]

Not for everything, I've had to use restore twice because it auto-played that stupid player on some dvd's and scrambled my ability to watch a dvd with any other program (sometimes windows built in crap worked, but that's it).
    This is on vista64 ultimate.

Mycroft

Re:Old news

[jackharrer]

Disable service called Shell Detection something. That will switch off Autoplay for everything globally. Easiest solution and saves you memory and load time.

Re:Old news

[hairyfeet]

For those that use or work on Windows boxes I would suggest TuneUp Utilities 2007 which they give you for free at the link I just posted in the hopes you'll like it and buy the latest version. It gives you a ton of tools to customize and control Windows and works on 98-Vista. To turn off Autoplay on any drive you desire(you can keep CD/DVD autoplay or pick and choose with this tool) simply go to Tuneup Systemcontrol/Administration(4th one from the top)/Drives/Autoplay. This will let you turn on/off autoplay for individual CD/DVD drives, removable media, floppy, network drives, RAM drives, and unknown where you can choose by drive letter which to allow or disallow.

This is a great little free tool to have in your toolbox if you have to work on Windows machines. Pretty much everything you could want to change you can from this tool. It also has a nice process manager and reg editor built in. After the last round of these flash bugs hit I started disabling all autoplay from removable drives for all machines coming across my desk. I have to agree with you that the braintrust at MSFT that set autoplay as default for removable drives really should get fired. It is just too easy to pass bugs through autoplay. I'm just glad I stumbled across a tool that makes it trivial to disable it while leaving the autoplay for DVDs that my customers want.

Re:Old news

[TCM]

I think that's _exactly_ the wrong way to go about this.

"Here, in order to stop your OS from doing stupid things that get you infected, download this FREE utility from an obscure site that's too hip to spell '4' as 'for'. It's harmless, I PROMISE!"

That's the other kind of attack vector that ends people in trouble with their machines.

And reading the other post above suggesting different obscure registry settings: EXCUSE ME, this is 2009 (almost), I thought we were _advancing_ on usability. This is just sick.

Re:Old news

[elbobo]

Case in point.

Re:Old news

[Widowwolf]

Why not link to the Actual product website.. URL:http://www.tune-up.com/download/tu2009/ with the free new demo of Tune-Up Utilities 2009. This is a great tool to use, as i have used it for the last several years for many customers (Auto running the 1-click task while they are asleep) and have had only rare cases where more drastic measures need to be taken. That and they will usually give you a decent discount on the next years releases after you purchase their it (for example $15.00 dollars off 2009 version if you buy 2008's)

Re:Old news

[Widowwolf]

Of course i forgot the end > so here you go http://www.tune-up.com/download/tu2009/

Re:Old news

[Pentium100]

USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is.

If the autorun.inf file is like this:

[autorun]
open=autorun.exe
shell=explore
Shell\open=&Open
Shell\open\Command=autorun.exe
Shell\explore=&Explore
Shell\explore\Command=autorun.exe

then autorun.exe will be executed when user doubleclicks on their USB device in "My Computer". If you don't believe me - try it out...

I think this will not work on Vista or if autorun.inf reading is disabled, but it will work on XP even if AutoPlay is disabled using group policy editor.

Re:Old news

[Pentium100]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf]
@="@SYS:Does_Not_Exist"

This takes care of autorun.inf once and for all, you can even keep AutoPlay if you want it.

Re:Old news

[yakumo.unr]

On Vista, for just the current user when the auto play options pop up there's an 'advanced options' (or similar, I forget the exact wording) link at the bottom, or you can just go to:

Control Panel -> AutoPlay.

Disable 'Use Autoplay for all media and devices' right at the top and you're done. (If your paranoid like me you can then also set all the options to 'Take no action')

To enforce this globally for all users as an admin (XP also AFAIK):

start - run - type 'gpedit.msc' (hit enter, vista requires elevation)

Computer configuration
  |_ Administrative Templates
    |_ Windows Components
      |_ Autoplay Policies
        |_ Turn Off Autoplay (double click) select 'Enable' then in the dropdown select 'All Drives' and hit 'OK'

Also apply the same to the same location in 'User Configuration':

User Configuration
  |_ Administrative Templates
    |_ Windows Components
      |_ Autoplay Policies
        |_ Turn Off Autoplay (double click) select 'Enable' then in the dropdown select 'All Drives' and hit 'OK'

Re:Old news

[BikeHelmet]

Ahh, a fellow autoplay hater!

http://it.slashdot.org/comments.pl?sid=1074953&cid=26256453
^
My post on how to disable it in the driver. Haven't tested it on Vista, since I don't have Vista.

It's pretty reliably disabled on Win2k/XP, though. ;)

Re:Old news

You don't need to disable it on Vista.

Re:Old news

Not only that, but there is a registry hack for Windows too!

Re:Old news

[socsoc]

Do you realize that your redundant posts are immediately next to each other?

Re:Old news

[KillerBob]

You're making the mistake of assuming people actually read the stuff that gets posted here, rather than just blindly posting whatever they feel like, and hoping that it has some relevance to the topic at hand....

Re:Old news

[anaradad]

It's "case in point" and not "case and point."

Re:Old news

[trum4n]

English is my first language, thank you. I just couldn't care less.

Re:Old news

Well! You used "couldn't care less" instead of "could care less", so that means you are my new hero!

Re:Old news

[Actually,+I+do+RTFA]

That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it. I don't want autolaunch. I've never wanted it.

• Run gpedit.msc
• Computer Configuration
• Administrative Templates
• System
• Turn off Autoplay

Most Windows machines are poorly configured, but the options to tune its behavior usually exist.

Re:Old news

[hairyfeet]

Because in this economy there are plenty of folks out there that just ain't got it to spare, and you shouldn't have to shell out money simply to close an attack vector that shouldn't be there to begin with. They also make sure to bury the free version on their site so trying to find it is like trying to hit a needle in a haystack.

And as for the other poster as for the website being a risk: You have never used Freeware World Team? Really? If you have to work with Windows it is the best site for free tools bar none. It easily beats Major Geeks and CNet thanks to the excellent search engine built in. With those other sites you have to know what you are looking for, but with FWT all you have to do is type in what you need a tool to do and they find you a free app that does it. And I have been using them for many years and there is no spyware, adware, malware, or viruses there. Just an easy to use website that helps you get the job done. Try it and I bet you'll like it.

Re:Old news

[Widowwolf]

"Because in this economy there are plenty of folks out there that just ain't got it to spare, and you shouldn't have to shell out money simply to close an attack vector that shouldn't be there to begin with. They also make sure to bury the free version on their site so trying to find it is like trying to hit a needle in a haystack."
#1: It is only 50 for the paid version and you can continue to use the free trial through the whole year.
#2: Its not just closing out attack vectors, it is an all around cleanup of your pc, including dumping temp files, fixing reg errors, and also ways to optimize your PC, and a way better defragger the Windows provides.
#3: Bury it on their website, that's funny. Its right on the front page!
"And as for the other poster as for the website being a risk: You have never used Freeware World Team? Really? If you have to work with Windows it is the best site for free tools bar none. It easily beats Major Geeks and CNet thanks to the excellent search engine built in. With those other sites you have to know what you are looking for, but with FWT all you have to do is type in what you need a tool to do and they find you a free app that does it. And I have been using them for many years and there is no spyware, adware, malware, or viruses there. Just an easy to use website that helps you get the job done. Try it and I bet you'll like it." Never said it was a risk, just that when speaking of a product, and with as many malware/spyware laden sites out there, some people would like a direct site. I know plenty of fix everything sites out there that takes a program like this, and will add on things such as Weatherbug and other nasty programs along with it. Primary site is always best, also because you get the free trial of their latest product, not one that's 2 years old.

Re:Old news

[CokeJunky]

I have one of these mercury key chains -- a christmas present -- and it does indeed present itself as a CDROM drive in order to get the autoplay to run.

Of course, I am still trying to figure out if this particular alert is an actual problem, or if it is just a packed executable to save space on the device.

Did you tell Walm*rt?

[plover]

Write them a letter telling them what you found. Try this link http://walmartstores.com/contactus/feedback.aspx to get to their headquarters, where something might get done about it. Include enough technical detail for them to replicate the problem, especially the model number or any other identifying information from the package.

If you want someone to care enough to write back, try to not sound accusatory or threaten to sue them. I'm sure they get enough of that on a daily basis.

Re:Did you tell Walm*rt?

[Mashiki]

This looks more like a false positive then anything, but unless Blowit actually submitted these files to all the antivirus vendors or went through one of the folks in the industry to fast-track it for checking there's no way to tell. There's a few places where this can be done(dslreports being my favorite), and send it off to the lab and see if it's a false positive or not and get an update pushed.

There's been innumerable cases in the past where files have been marked as virus/trojans due to similar encodings in the headers. While I took a look through the list as well, all of the decent av products didn't pick it up; while all of the poor ones did which simply tells me that they're using basic heuristics to look.

Re:Did you tell Walm*rt?

[gad_zuki!]

Yep, if the executable is packed with a couple of the more popular tools then youre bound to get a false positive.

You dont really need to submit this stuff to the pros. Install it on a vm and just see whats changed. If suddenly the startup entries have changed, files are running from temp, lots of outgoing tcp connections are made to russian/chinese servers, etc its probably safe to assume that this isnt just the digital frame software, but a virus.

Re:Did you tell Walm*rt?

[plover]

I agree with you that it's almost certainly a false positive (I also saw the only "specific" virus signatures reported weren't found by the major products, but visiting their web sites showed that they indeed knew about the specific viruses the others reported.) However, it would still be of value to contact the retailer and let them know what he found. If nothing else, they need to be able to reassure their other customers that they've researched the problem and found that it's a mistake in the anti-virus software. That's part of the whole "don't threaten them with a lawsuit" approach I recommended.

The other thing to consider is if the average Walm*rt customer pays for 'decent av products' or if they just leave the 3-year-old shovelware that came with their $199 computer in place? Your average /. reader probably won't see a false positive, but the average American might. Walm*rt, above virtually all other retailers, has to deal with the least common denominator on a frequent basis.

Could make an interesting photo!

Did you take a picture of it?

Flagged by shit anti-viruses

Shit anti-viruses shitting their pants over the packer used and then pumping out a false positive (yes, in this case, I'm pointing at you too Avira!).

Re:Flagged by shit anti-viruses

[Ethanol-fueled]

It's like pointing and yelling "terrorist!" at some random guy just because he's wearing a turban.

Why invest in more intelligent heuristics and R&D when you could simply invest in fancy popup bubbles and slowing the customer's computer to a crawl with nagware! That's what happens when marketing takes over, folks!

Seems like...

[kirbysuperstar]

It's all heuristics. I doubt it's actually anything to worry about.

false positives?

Looks to me like they used some kind of packer to make the exe's small to not take up a lot of space on the device (understandably). A lot of scanners will automatically detect packing as malware and, due to the nature of how a packer works, trojan is the logical choice. I have a similar problem with anything I compile with delphi since a lot of malware is developed in delphi.

My 2 cents worth...

Re:false positives?

[csartanis]

I have a similar problem with anything I compile with delphi since a lot of malware is developed in delphi.

???????????????

Source please?

Re:false positives?

[bugnuts]

So... lemme see if I got this straight.
You're saying in Delphi, they don't put trojans on their small packers?

that's why USB autoplay is a bad idea

[lysergic.acid]

this time it seems like it was the vendor's screwup, which is very rare, but it's very easy for someone to have a clean USB stick, then plug it into an infected PC and unknowingly get a trojan written to the USB stick.

i recently had close call myself when i took my PSP to work and plugged it into a workstation (i had some utilities and e-books saved on the memory stick). when i got home and plugged the PSP into my desktop, i noticed the PSP memory stick was displayed with an odd icon in My Computer. so i looked at the root directory and found a suspicious .exe file that i hadn't placed there, which was also referenced by a new autorun.inf file.

with thumbdrives, external hard drives, portable media players, and other flash memory devices becoming increasingly common, i expect more and more malware writers will exploit them as an infection vector, especially as autoplay is usually enabled by default on Windows systems. the only reason i had autoplay disabled was because i found it annoying, and that's the only reason i lucked out.

Re:that's why USB autoplay is a bad idea

[Farmer+Pete]

On my computers USB autoplay doesn't work automatically. Sure, it pops up the window asking me what I want to do, (and one of those options will be the autorun.inf choice), but I have to click to let it do it's thing. That's why any good infection will come from a flash drive with U3 software on it. I've got a nice flash drive that will steal all your passwords in about 10 seconds after it's plugged in. No popups. It's also not detected by most AV programs, and since it's a virtual CD, the most they can do is not let the exe(s) run.

Re:that's why USB autoplay is a bad idea

[Beardo+the+Bearded]

Funnily enough, there's a rumour going around that USB sticks were used to hack into the Pentagon:

http://catless.ncl.ac.uk/Risks/25.47.html#subj5

From the link:
If true, it was a simple but brilliantly effective method. Someone infected thumb drives with the WORM then dropped them around the Pentagon parking lot. The employees, picked them up, took them into their offices and plugged them into their office computers to determine the owner of the drive.

Re:that's why USB autoplay is a bad idea

[lysergic.acid]

well, there are several different ways autoplay can infect a machine. if you have it so that USB drives prompt you for the action to take each time, then you're protected from the autoplay program running upon drive attachment (in pre-Vista versions of Windows you can also hold [shift] when you insert a disc or attach a flash drive to disable autoplay.) but there's still the danger that the user might double-click on the attached device in My Computer, which will still execute the autoplay program if there is one.

i mean, most people are used to just double-clicking on a removable volume to browse its contents. i know i am. so even if you have autoplay set to prompt the user, if you try to open up the volume in this way you'll still be infected. so it's best to disable autoplay completely or get into the habit of right clicking on removable volumes to browse their contents rather than double-clicking or hitting enter, which will simply execute the default action.

of course, the situation isn't helped by the fact that there's no easy way for users to change autplay behavior except to use TweakUI, which doesn't come with Windows.

Re:that's why USB autoplay is a bad idea

[gzipped_tar]

Viruses exploiting the AutoPlay is nothing new and going wild. The other day I went to a printing shop with stuff I was going to print stored on a USB stick. I plugged it in the Windows box at the shop and it got infected. Three "folder" icons appeared in the Windows file manager but they were not directories -- they were trojan executables with the icons identical to the default one for directories. They all ended in .exe but the Windows file manager hid the extension part of filename by default so a careless use couldn't tell that from a directory. Also the "autorun.inf" was clearly modified to point to the malware (written in plain text).

I was not infected because my machine is a Linux one and I know these malware tricks well, but I can imagine how many customers of that shop are tricked to click on the trojan program.

Autorun is evil. It is so vulnerable to exploitation and of little use and it's enabled by default on Windows. Sadly, the GNOME team, who's goal is to copy every mistake done by Microsoft, choose to mount removable media automatically by default. What's their next quest? Certified malware-to-malware compatibility?

Luckily I ditched GNOME long ago.

Re:that's why USB autoplay is a bad idea

[Jah-Wren+Ryel]

Funnily enough, there's a rumour going around that USB sticks were used to hack into the Pentagon:

I saw that in RISKS when it first came out and I'm surprised it hasn't been disputed yet. The reasons being that

(a) Dropping a bunch of infected media in the parking lot of the target is an old urban legend / joke among security pros

(b) The "hack" being referenced was of classified systems - and most secure sites disable the USB ports (and other media loaders like floppies and DVD drives) on all but a handful of reduced access machines plus their security officers should be beating their users over the head about the process for bringing data onto the secure systems - anti-virus scanning, even of COTS media and media the user creates himself, should be de rigueur.

(c) An attack like that is hard to target - so you got malware onto a classified network, other DoS, you can't really expect to get much out of it - it isn't terribly feasible to retrieve any data such malware might acquire.

So, while certainly possible, I think the rumor is unlikely to be true in that particular case.

Re:that's why USB autoplay is a bad idea

[lordSaurontheGreat]

While it's a great idea,* USB drives aren't allowed to connect to secure assets. You can loose your clearance by just bringing a USB drive into a secure room.

*Great idea thinking as a white hat trying to break in to better defend, of course.

Re:that's why USB autoplay is a bad idea

[itsthebin]

I always have used

start -> run -> gpedit.msc

admin templates -> system -> turn off autoplay

enabled - turn off autoplay on all drives - apply

Re:that's why USB autoplay is a bad idea

[Antique+Geekmeister]

That's frankly nonsense about disabling USB ports. The military uses USB sticks extensively to transmit bulky data in the field relatively securely, without relying on vulnerable network connectivity or complex intervening VPN or unreliable transfer technologies. And far too many peripheral devices, from mice to graphics plotters to speakers, are now USB, so you can't simply plug that port or disable them in the BIOS.

More sophisticated tools to block digital storage on removable media are available, but their use seems particularly likely on those only lightly secured machines for office or semi-personal work, and the presence of malware or keystroke loggers would certainly cause a Pentagon security effort such as we saw referenced.

Re:that's why USB autoplay is a bad idea

http://www.foxnews.com/politics/2008/12/10/cyber-attack-linked-company-russian-spies/

Re:that's why USB autoplay is a bad idea

[DexPleiadian]

This is part of the reason that it is now Army policy that no usb flash drives can be used to transfer data. This was put out sometime between November and mid-December. I was pretty upset considering that I purchased one for military use...

Re:that's why USB autoplay is a bad idea

[Jah-Wren+Ryel]

That's frankly nonsense about disabling USB ports. The military uses USB sticks extensively to transmit bulky data in the field relatively securely, without relying on vulnerable network connectivity or complex intervening VPN or unreliable transfer technologies. And far too many peripheral devices, from mice to graphics plotters to speakers, are now USB, so you can't simply plug that port or disable them in the BIOS.

I speak from personal experience. The sites I am familiar with software disable USB ports on all systems except a select few which are specifically designated as data transfer workstations. Furthermore, mice and keyboards are still widely available with PS/2 ports on them and almost all other peripherals are unnecessary on the majority of systems, specific needs are handled on a case by case basis.

Re:that's why USB autoplay is a bad idea

[Antique+Geekmeister]

I also speak from personal experience. I've had to deal with plenty of people buying servers, desktops, and laptops machines in the last.... 4 years whose favorite old PS/2 devices required USB adapters to be connected, and whose use of good quality mice, modern keyboards, KVM's or reverse KVM's, and graphics tablets worked only or worked best with the built-in USB. Insisting that USB be disabled for security reasons is like forbidding floppy drives for security reasons. It creates a lot of work for the IT department that might be better spent elsewhere.

This is particularly a problem with servers, where installing a KVM of the incorrect type (whether USB or PS/2) creates serious problems accessing the console at boot time. And I was particularly amused to hear of a colleague's installation of new high-end desktops in a laboratory where some fool had insisted on blocking the USB ports only to find that the groups' 3D printers and graphics tablets were USB controlled, and to find that the group tended to use their Ipods to listen to music on their good headphones through their computers, which had been an accepted use for years.

So from my experience, it's not as common a security approach as you seem to think. And from the reports I've seen of field transfers of data, and from the reports of this USB problem at the Pentagon, I suspect the default enabling of USB ports and of USB mass storage is far more common than you may realize.

Re:that's why USB autoplay is a bad idea

[csartanis]

How is automount a bad thing? Autorun yes, but I'm going to go out on a limb here and say when someone attaches media to a computer they are going to access the data on it 100% of the time.

Re:that's why USB autoplay is a bad idea

[Jah-Wren+Ryel]

Servers really are not an issue since the people who need media access on them will have the privileges to do it anyway,
You seem to be ignoring my oft repeated point that specific needs are handled on a case by case basis.

However, ain't no way I believe this though -- "to find that the group tended to use their Ipods to listen to music on their good headphones through their computers, which had been an accepted use for years." Not even the sloppiest of sites is going to allow users to connect unclassified ipods to classified systems and then continue to treat those ipods as unclassified.

Re:that's why USB autoplay is a bad idea

[Antique+Geekmeister]

That wasn't a military site, that was a laboratory site with intellectual property they were concerned about. There was a significant loss of productivity without the music for the personnel doing the work.

And don't be surprised at how people in the field, or even in the offices of the Pentagon, ignore upstream mandated security policies. I'm sure it's less of a problem in some ways in the military because chains of command are clearer, and enforcement easier, but don't assume that all Pentagon systems are strictly managed or "classified". There are a lot of contractors doing a lot of work, and while I've not personally inspected their sites, I'm reasonably confident that plenty of secretary and contractor and even admin machines are not secured to the extent you describe.

Re:that's why USB autoplay is a bad idea

its amazing anyone falls for this common red team tactic these days.

Re:that's why USB autoplay is a bad idea

[Jah-Wren+Ryel]

That wasn't a military site, that was a laboratory site with intellectual property they were concerned about.

WTF??!?

but don't assume that all Pentagon systems are strictly managed or "classified".

This specific case referenced in the RISKS digest is solely about classified systems on a classified internet, no scare quotes needed. The event and the DoD response are clearly documented in RISKS, and to start dragging unclassified, even non-DoD systems as justification for why disabling USB ports on classified systems is "frankly nonsense" is, well, frankly nonsense.

Re:that's why USB autoplay is a bad idea

[Antique+Geekmeister]

You're conflating 'secure' with 'classified' systems. Many sites run what they consider 'secure' systems, which simply do not have the level of physical security you're describing or I would expect in a 'classified' system.

I'm sorry if it confused you, but many sites that run what they consider 'secure' systems rely on virus scanners, data encyption, and employee behavior to prevent data theft. This certainly includes academic, medical, legal, and fiscal systems that I've encountered in the last decade on a professional basis. (I didn't run them all myself, but did work with them in some fascinating ways to integrate my employer's services with theirs.)

Security is a hard, scary problem, that needs review at each design phase of your systems. If you can live without USB memory sticks, great, but don't be surprised if a 'secure' system, for example, relies on external removable USB drives for removable off-site backups to replace very expensive tape drives and tape monkeys to swap out tapes. (I've made extensive professional use of this over the last 5 years.) And don't be surprised if some smart-aleck is breaking the USB lockouts to use equipment that they need to use, without bothering to report this upstream. It certainly happens in industry and academia, and while it's probably less common in military systems, that doesn't mean it won't happen.

Re:that's why USB autoplay is a bad idea

[gzipped_tar]

Sometimes we need to fsck the partition(s). Or we are planning to dd things to the raw device. Sometimes we are just being crazy. Who knows.

But that's not the point. The point is that removable media are far safer when unmounted. If there's a bug in the code responsible for automount that is exploitable, you are pwned.

Avast

[Republican+Gun]

If avast didn't find it then....

Re:Avast

If avast didn't find it then....

then what? is avast the holy grail of antivirus software or what? are you a moron?

inconclusive...

[retchdog]

According to those links you provided, Trend Micro did not find anything wrong. (could be different settings, version, &c.) However... many of the positives were heuristic and, as further evidence of this, the identifications were not consistent.

Maybe it's just badly coded junk; nearly as bad, perhaps, but exactly what you'd expect from the Wal*Mart holiday special.

(insert obligatory comment about slashdot editors)

Not necessarily infected

[arth1]

Keep in mind that it might be a false positive. Those happen, and sometimes you find the same false positive in more than one AV product when they simply copy from each other instead of creating their own definitions from the real thing.

An example is the game The Witcher, which triggered a false AV protection in ESET Nod32 antivirus. Then, suddenly, a couple of months later, a couple of other products also started seeing a virus here. There was none -- the packer that had been used by the game had also been used for a virus, and the signature was copied from NOD32 to some less successful AV programs without further ado.

So, don't just take it on face value that there is a virus -- especially not when none of the really big players with low false positive rates can detect it. It may be one, but don't blindly assume so.

Re:Not necessarily infected

[Farmer+Pete]

I use AutoHotKey for some macroing. Someone must have used it to make a virus, cause Symantec started detecting it as a trojan. A few changes to the packaging and it's not detected again. False positives are really annoying.

And let's see..

Hmm... I see a bunch of AV's that are prone to give false positives give positives, while F-Secure, Kaspersky, Antivir, AVG, McAffee don't give anything off, Gee, could it possibly be that it's a false positive? [Hurr]OH I DUNNO[/Durr]

For those sarcastically challenged.

Yes, it's to 99.99% sure it's a false positive.

Re:And let's see..

A lot of AVs detect Radmin server 3 as a trojan, probably because it can be used as a trojan, but I use it to remote control my own PCs...

Re:And let's see..

[floodle]

For those sarcastically challenged.

Good thing you helped me out there - my sarcasm detector tends to give false positives.

have I missed something?

[glitch23]

With the Christmas holidays

uh, since when has there been more than one Christmas? Do you politically correct people know how stupid you sound to other, more sane, people? This could be modded as off-topic but then again I did reply to something within the submission text so is it really off-topic or did I just bring up something some people just don't want to talk about?

Re:have I missed something?

Actually, there are multiple Christmas holidays. Besides Christmas Day itself, how about Advent and Three Kings Day.

Plus, what Americans call "vacation" is referred to as "holidays" in Britain.

Do you ignorant people know how stupid you sound to other, more cosmopolitan people?

Re:have I missed something?

More sane... or just saner?
The holidays are at Christmas, hence "Christmas Holidays". Sheesh!

Re:have I missed something?

[XDirtypunkX]

So people should change to take your beliefs into account? We could call it "the period surrounding Christmas", would that term be correct with your single-holiday politics? I'm sorry, we should be more sensitive to your needs.

Re:have I missed something?

[Jeremy+Erwin]

Christmas is a twelve day feast that starts on Dec 25, and doesn't let up until Epiphany.

Re:have I missed something?

Perhaps where you live, but for others Christmas starts on Dec 24.

Re:have I missed something?

[gregbot9000]

Do you know how biased you sound to other, more objective people when you act like being more cosmopolitan gives you some intrinsic value over others? Why don't you just come out and say "more civilized," or "more white," since you're making value judgments based on bias over reason anyways.

Re:have I missed something?

Fuck off, farmboy

Re:have I missed something?

[Whiteox]

FYI: Officially Festivus is on the 23rd of December.

Re:have I missed something?

[value_added]

If that doesn't confuse the OP enough, the Eastern Orthodox world still regards Christmas day as falling on the 7th of January.

Re:have I missed something?

[Culture20]

And it doesn't end until someone is pinned.

Re:have I missed something?

[glitch23]

A holiday that consists of multiple days is still 1 holiday and therefore does not justify a plural form of "holiday". The plural of "day" would be warranted but not "holiday".

Re:have I missed something?

[glitch23]

Hey, if you are going to be more sensitive to the few thousand people who celebrate Kwanzaa and the few million who celebrate Hanukkah then yes, you better be more sensitive to those who celebrate Christmas considering they are in the majority. But this isn't about Hanukkah and Kwanzaa (the submission said "Christmas holidays" not "holiday season"). It is about Christmas. There is only one Christmas holiday, whether it consists of multiple calendar days or not. Case closed.

Re:have I missed something?

[glitch23]

The holidays are at Christmas, hence "Christmas Holidays". Sheesh!

Really? How do you figure? Christmas is only a single holiday so why refer to it in the plural? It sounds stupid and is grammatically incorrect. Why don't we refer to the New Year's holidays since it is only a single holiday consisting of a single day? Why not start referring to Thanksgiving as the Thanksgiving holidays? If we're going to be grammatically incorrect we may as well be consistent throughout the entire calendar year. "Christmas holidays" does not include Hanukkah and Kwanzaa so I hope that isn't the rationale here. People who celebrate those would be disenfranchised if so and we wouldn't want those million people to mount an uprising against the other 300 million people in the U.S. because they are disenfranchised.

Re:have I missed something?

[Jeremy+Erwin]

I strongly suggest that you stop trying to understand English from the outside and instead embrace and enjoy the language for what it is. Put down your computer and curl up with a book. Perhaps Twelfth Night?

Re:have I missed something?

[XDirtypunkX]

Actually, in much of the rest of the Western world, there are two Christmas holidays; Christmas and Boxing Day.

more to come...

[FunkyELF]

I didn't RTFA...whatever. Anyway, I'm sure this product came from China since it was sold a Walmart. I remember a while back people speculating about China's x86 compatible processor having undocumented opcodes for some alterior motive. This is all part of the China conspiracy.

Re:more to come...

I didn't RTFA...whatever. Anyway, I'm sure this product came from China since it was sold a Walmart. I remember a while back people speculating about China's x86 compatible processor having undocumented opcodes for some alterior motive. This is all part of the China conspiracy.

Did your bottle of eggnog come with a free tinfoil hat?

Re:more to come...

Maybe you need to get down with the Hooked on Phonics conspiracy; it's ulterior, not "alterior".

Re:more to come...

[plover]

Maybe you need to get down with the Hooked on Phonics conspiracy; it's ulterior, not "alterior".

Depends on the news server. I used to claim to read alt.erior until my wife discovered I was just downloading the pictures.

Packer

[micksam7]

It's not a virus, it's just a exe packer they used.

Virus scanners have been labeling PE Packers as viruses for ages now, simply because a virus could be packed with them, and it's easier to pick out a packer header than a virus contained in it.

A lot of false positives are caused by this, and this looks like one of those cases based on what you linked. "Generic" "NSPack" "PossibleThreat" in the VirSCAN links give that away.

EXE/PE Packers simply compress a binary and decompress it on the fly, simply to save space or "load faster". Likely Walmart's programmers used one to keep the app's size small on a small device like that.

I've dealt with this situation in size-coding competitions before, and it's not fun. A lot of false positives are caused simply because a packer was used.

Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

This basically is just a case of virus scan companies being lazy.

Re:Packer

[micksam7]

those cases based on what you linked
-> those cases based on what the summary linked.

Slight target issue, appologies.

Re:Packer

[poetmatt]

I suppose it's no surprise then that Trend Micro (and likely Mcafee) went berserk while Avast did not? Although I think we had that controversy with the "clamAV vs Mcafee" virus scanning thing a year or two back.

Re:Packer

[blueg3]

Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

Re:Packer

Speaking of packers

Donovan McNabb whipped out his large black schlong today and packed Tony Romo, T.O, Jerry Jones, and Wade Phillips fudge in a brutal assraping the likes of which has not been seen in decades. That's probably why Andy Reid wore a 4 day beard...he planned on giving you the old homeless man reacharound.

Good show, Dallas. Comedy gold.

Re:Packer

[winphreak]

First, thanks for explaining the EXE packer use, I wasn't sure what legit uses there were for it.

From my experience, Avira hasn't flagged any packed EXEs unless there was an actual virus header in the file. Is there anyone with Avira who can prove me right or wrong?

Re:Packer

[ianare]

I've had cases where executables created with py2exe were triggering virus scanners. A few users reported this to the virus scanning companies, and the problem went away the next time the virus databases were updated.

Re:Packer

The Chargers' fudgepacking of the Broncos was equally enjoyable. Today was a good day for football.

Re:Packer

following your logic, it seems it would be pointless either way. For advanced viruses, that is.

Re:Packer

[Opportunist]

Erh... not entirely true.

Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

Most AV suits today are able to unpack those runtime packers. I know of a suit that even sandboxes the program and executes it in a virtual machine to see if it results in some unpacked code.

Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in ram, eating up space needlessly, so I stopped using them. Ram is precious, HD space isn't.

Re:Packer

[Opportunist]

Interesting. What packer would that be?

Re:Packer

[Xtense]

> Ram is precious, HD space isn't.

Speed is precious too. Executable packers make sense when your .exe is something like 40MB, because your stupid project manager forced you to include a bunch of idiotic resources into it, something along the lines of bitmaps and uncompressed wave files (true story!). It may sound funny, but with current run-of-the-mill consumer CPUs it is actually faster to read a small file from the HD and uncompress a resource than to wait for the whole executable to load all this bloat. Still, we're talking about a speed difference of around 300-400ms (yes, i took these out from my ass, but those were results of our crappy testbed), so it's not something a typical consumer would notice, although pretty numbers are a good thing when your boss doesn't know shit about computers.

Re:Packer

[owlstead]

Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

No, that's so previous century. I can remember the same issue with virus scanners in the DOS era, where unpacking may have actually saved some space on floppies and hard disks. With a friend, we had a warning about a virus in many .exe's using a heuristic scan, which turned out to be a popular unpacker. To put this in perspective, this was on a 25 MHz 386 DX, 1 MB internal RAM and a 40 MB hard drive - which cost me my entire holiday savings and then some.

As a funny side note, some DOS utilities like format were labeled "trash programming". I heard this was mostly due the fact that the floppy disk was so hard to program for.

Re:Packer

[BikeHelmet]

Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

If the virus can detect the antivirus, then your antivirus fails at sandboxing.

Re:Packer

It twas I, Peter Piper that purchased the picture peeper with a packer.

Re:Packer

[Opportunist]

What I meant is that hiding trojans behind executable packers is quite 2006'y. They don't really do that anymore, or at least more out of habit rather than actually hoping it would accomplish anything, since most of the better AV suits can unwrap even the most esotheric exepackers by now.

That's the burden of the AV writer. Whenever you want to lean back because you finally accomplished something (like, say, implementing an unpacker for every packer out there), they change the playfield and all you did was for /dev/null. :(

Re:Packer

[happy_place]

...and not just an HD, but smaller exes are also faster sent over a network, or over an I/O bus like a USB device...

Re:Packer

[jandrese]

Depends where you are. If you're on a digital photo frame that has a hilariously small amount of flash for no good reason, and you're expected to be hooked into a Windows PC, then the hard drive space IS more valuable than the memory, because most modern PCs have more than enough memory to hold a few MB of packed and unpacked picture loader application.

Re:Packer

[Sleepy]

Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in ram, eating up space needlessly, so I stopped using them. Ram is precious, HD space isn't.

+1 on what the other person replying said.

Your statement IS accurate if you are comparing helloworld.exe or some other vanilla EXE file... but if you embed lots of resources into the executable then it gets to be a big-time large file. In an ideal world, those resources would not be in the EXE... and they would not be un-compressed BMP and WAV either.

Companies will build these "into" the EXE under the false impression it would prevent competitors or consumers from hacking in their own images, copying the data, etc.

Re:Packer

Likely Walmart's programmers used one to keep the app's size small on a small device like that.

Excuse me. The only programmer Wal-Mart hires are the cheapest foreign labor and they would not have the mental capacity to concoct something of this nature. Besides, the software on these devices is not developed by programmers working for Wal-Mart any more than the software that comes on most every USB thumb drive is developed by the seller of the product; the manufacturer develops the software or some party acting on their behlf.

Re:Packer

[MBGMorden]

First, thanks for explaining the EXE packer use, I wasn't sure what legit uses there were for it.

It is hard to imagine in the days of terabyte hard drives, but packers have been around a long time. I remember WAY back when I had a computer with an 80MB hard drive. Back then a 300-400k executable took up a lot of space, so I'd use packers quite often to shave anywhere from 10 to 50% of the size off of such programs. Had to run them right afterwards before deleting the original though. Some programs didn't react well to the packer and would crash afterwards.

Re:Packer

[Thaelon]

Well, of course. If they didn't occasionally remind you of their existence, you might start to think you don't need them.

I haven't used a TSR virus scanner for years.

Through adequate user precautions, they're completely unnecessary.

With just a few simple precautions, even in Windows, you shouldn't need one either:

• Use Firefox exclusively - updating it when necessary.
• Use Thunderbird instead of Outlook Express
• Use only your own bookmarks to visit your bank's website and other popular sites.
• Run all remotely suspicious executables as a privilege starved user (such as one having no permissions other than read access to a single folder containing the suspect executable)
• Put your computer behind a physical firewall such as a router.
• Install using a slipstreamed Service Pack 2 or later install disc)
• Run an occasional free full system scan when convenient, note that you don't have to maintain updates or any similar stupidity since it's an online scan.

The only threats likely to get past these types of precautions - such as new malware only hours or days old - are unlikely to be stopped by a virus scanner that doesn't know what to look for either. So what have you got to gain by ditching TSR scanners? More system resources, possibly more money.

Re:Packer

[poetmatt]

Forgive my stupidity but what does TSR stand for?

With windows, that's basically what I did and never installed an antivirus or ever had problems with it. If the free scans found anything, then I'd take action.

However, I'd always end up after 3-6 months of an XP install that critical system files would somehow get corrupted and the filesystem would fragment rapidly. I never knew how to get around that, so I've just been running ubuntu anyway, which has been generally nicer regardless.

Re:Packer

[Beat+The+Odds]

Interesting. What packer would that be?

I believe it would be the Green Bay Packer. (GBP for short).

Re:Packer

[blueg3]

That's correct, unless you build a very, very good scanner that can safely unpack even clever packers (which you can do, to an extent, with virtualization trickery). Signature detection really only weeds out the less-advanced malware (or very common trojans).

Re:Packer

[blueg3]

It's pretty tough to sandbox things like debug registers.

Re:Packer

[Briareos]

It's pretty tough to sandbox things like debug registers.

But it's also pretty tough to imagine a genuine, non-evil unpacker that actually needs to access those for unpacking...

np: Tocotronic - Hamburg Rockt (7''-Version, 1994) (Digital Ist Besser)

Re:Packer

[blueg3]

Oh, they don't. But the evil unpacker can do something like check the state of the debug registers, which is one way an antivirus can examine the unpacked code without simply allowing it to execute. They can then change their behavior based on whether or not the unpacker is being debugged. They can do this in fairly subtle ways, and can do it for the common methods of inspecting executables.

Putting your antivirus in the hypervisor and using VM introspection to do the inspection is the current silver bullet, as detecting this is rather tricky. (Currently possible only with timing attacks if your hypervisor doesn't want to be detected. Moreover, malware that won't run if it's in a VM is not so useful if VMs become more common.)

Re:Packer

[GPLDAN]

Being that this is Wal-Mart, it's called the "Deliverance Gee Your Mouth is Purty" Packer.

Re:Packer

Even if it's a "legit" program, there has been a history of some photo-related software doing malware-type stuff on the computer. For instance, those Walgreens and Kodak photo-CDs. They can really wreak havoc on registries relating to CD and DVD burners, rendering them write-mode inoperable. And unless you know what to look for, you're borked! (With those disks, it's always better to disable autoplay, and then use safe software to find the acutal .jpgs.)

Anyhow, for a photo-frame, why would one need yet another piece of software for viewing or transfering photos? Why can't they just make it be a simple file for dumping .jpgs and .pngs into and using the hardware/firmware on the device itself to do the rest. There shouldn't be a need for yet another redundant piece of software when it isn't needed in the first place. (And if there's special settings you could tweak for the frame, put in a .xml file - so you could change them from notepad or some other text file editor. And if that seems complicated, it wouldn't be that hard to make some .html capable of autogenerating instructions and the code for copy-pasta.)

Re:Packer

[wastedlife]

Windows is terrible at fragmenting filesystems, especially the drive the OS is installed on. Using an old version of Buzzsaw from back when it was freeware, my system drive would routinely have hundreds of fragments per day with only a few on my other drive, which housed the pagefile and data files.

I've never had critical system files go corrupt unless the hard drive was failing or a transformer explodes less than a block away. I also diligently maintain my drives with Buzzsaw doing idle defragging and a monthly full defragmentation of each drive.

Re:Packer

[nabsltd]

A packed EXE is nothing but data, and I don't think that data could really figure out if it was manipulated by program 1 (the anti-virus) or program 2 (the unpacker code in the file).

But, it is possible to use one packer signature that program 1 understands and uses to successfully extract and find no virus, while program 2 runs a slightly different routine that generates the virus.

If the virus scanner were actually monitoring the running of the EXE unpack, it should block everything (like SetWindowsHookEx, among others) that would allow in-process code exploits. Then, when an EXE is written to disk and an auto-run entry of some type (service, login hook, whatever) is created, the AV would detect it through normal means.

Re:Packer

[nabsltd]

I bought my wife a digital photo frame with no flash memory because it was cheaper.

It did have an SD slot, though, and I had to buy the card, but that still ended up cheaper, and that way it can display as many pictures as she wants...it's just limited to 2GB at a time (no SDHC).

It's also a whole lot easier, as she keeps the frame at work, and every so often swaps SD cards when she wants new (or different) pictures.

Re:Packer

[blueg3]

The unpacker code behaves differently if it is being monitored.

An antivirus program cannot simply unpack the data through manipulation, as the packing can include arbitrary coding. (Technically yes, it could, but it is unreasonable to.) The antivirus program has to run the unpacking code if it wants to examine the unpacked data. It could emulate a system itself (which would really be unpacking by manipulation only), which is nearly impossible to do well enough that it is undetectable; it could simply execute the code, which makes interrupting it while it's in a state that it can be analyzed and before it's done any damage very difficult; or, it could run it while monitoring it, which is detectable, but not very easily so.

Of course, if an antivirus could reliably block everything that would allow in-process code exploits and then consult a signature oracle to determine if the process is malicious, it should. Things aren't so simple, though.

Frankly, static analysis, despite its popularity, sucks. It's fairly trivial to sneak unpacked malware past static analyzers.

Re:Packer

[Mozk]

Limited to 2 GB? What resolution is this frame? You might try resampling the photos to that, because having the pictures at 4096×3072 or whatever won't make them look better, especially since the frame probably employs a shoddy algorithm for resizing them.

Re:Packer

[nabsltd]

Yes, limited to 2GB, because that's the maximum an SD card can hold.

We do resize the pictures, but not to the frame native resolution because you can zoom a picture to inspect detail. And, we have thousands of pictures to choose from, because the "film" is so cheap. And, even if it wasn't we would have thousands of pictures, because of all the real film I shot and scanned the negatives.

But, don't be so dismissive of the resizing algorithms on smaller devices. My Archos 504 only has a 480x272 resolution, but it plays DVD resolution (720x480) just fine. Although the files are slightly larger, it saves me a lot of time not having to transcode. Since I already have all my DVDs ripped to my hard drive, it's now just a copy operation.

Re:Packer

[drinkypoo]

I haven't used a TSR virus scanner for years.

Me neither, because I don't use DOS. I do have AVG running, though. Why not? It works.

P.S. do NOT recommend SP2 or later. Important security fixes come with SP3.

Re:Packer

[petermgreen]

Afaict some programmers (especially of the freeware/shareware variety) think that thier users think that smaller executables mean less bloated apps. If a developer belives this then it is very tempting to use a packer to reduce the apparent size of thier executable, especially if others are doing it too.

bottle?

I drink my eggnog straight out of the [redacted]

Another conspiracy!

[fortapocalypse]

And Walmart employees also cough on the their real photos. Double virus score!

Can't seem to run the virus on my mac

[exabrial]

Sigh, still no cross-platform support for Malware!

Re:Can't seem to run the virus on my mac

[WTF+Chuck]

And when the hell are the malware writers going to start open sourcing their code? They do everything they can to push their pre-compiled binaries onto people's machines, why not the source as well?

Re:Can't seem to run the virus on my mac

[Yvan256]

http://www.vmware.com/products/fusion/

Re:Can't seem to run the virus on my mac

[LoRdTAW]

Same exact problem my Linux box has.

Re:Can't seem to run the virus on my mac

[plover]

Ever hear of the Virus Creation Laboratory? Better than open source, it was a code factory that emitted them without heavy duty coding at all.

The scary thing is how advanced the concept was, especially back when viruses weren't even a source of income. Picture a fully funded criminal organization pouring money into virus research and development today!

Re:Can't seem to run the virus on my mac

[WTF+Chuck]

Ever hear of the Virus Creation Laboratory? Better than open source, it was a code factory that emitted them without heavy duty coding at all.

No, it wasn't better than open source, it was worse. Had VCL been open source, then it could have been fixed by the community, rather than abandoned. By now, we could not only have the source code for the viruses, but could also have *.vcl files that would allow your copy of VCL to quickly reproduce the original virus with you own copy of VCL.

Imagine the possibilities of taking the vcl file for your favorite/least favorite virus. Loading it up and tweaking it to your very own needs. All without having to do any heavy coding. Tired of that virus ridden spam bot filling your inbox, create a computer "bacteriophage" that targets the spam bots and wipes their hard drives.

I know, I know, you ask why not just remove the spambot and let the machine live on. That would be just treating the symptoms of the larger problem. The larger problem being the computer running the spambot. If you wipe the hard drive often enough, the physical owner of the machine will eventually learn to better secure their machine and not let the problem return. Sure, they will probably still have no clue that they were spamming the world and will only have taken the steps to keep the bacteriophage from wiping their hard drive, but the end result will be the same. That and a lot of us here will profit from the lusers bringing their machines in for repairs. It's a win-win situation for us.

Whoa there laddy!

[Linker3000]

Liberal use of the words 'allegedly', 'might' and 'may' - and a few question marks - might have been appropriate here.

How many samples of the product have been tested, did you give the supplier a chance to verify your findings or consult an independent expert?

More importantly, how much have you set aside to cover the possible lawsuit for damaging Walmart's sales?

Re:Whoa there laddy!

[DeadPixels]

Yeah, I'd be hesitant of saying that the keychain definitely comes "preloaded with malware" when only ~30% of the scanners on Virscan are reporting "generic" possible malware.

Don't know whether to blame the editors or submitter for this one.

Re:Whoa there laddy!

[OrangeTide]

You act like posters need to follow journalistic guidelines. This is the Internet!

Re:Whoa there laddy!

[arth1]

Don't know whether to blame the editors or submitter for this one.

The question is who would Wal-Mart name in a libel and defamation lawsuit?

1. The poster?
2. The editors?
3. Slashdot?
4. SourceForge Inc.?
5. The AV companies reporting false positives?
6. The AV software aggregation web site (for hiding the individual AV software disclaimers and terms of use)?

I'd say that the editors are the least likely to be named, although they might be subpoenaed.
Also,
I think Wal-Mart would have a good chance to win such a lawsuit, except, perhaps against AV companies who provide waterproof disclaimers. This article seems to me to be well past the border between opinion and claim.

Re:Whoa there laddy!

[DaveV1.0]

I believe the answer to that is "Yes". This is America and you can sue over anything here.

Re:Whoa there laddy!

[DeadPixels]

I think they'd be more likely to name anyone with money. When in doubt...

Obligatory

Can you send a picture (not infected of course) of this ?

If you are dumb enough to buy china made

products, then you deserve this. The chinese gov. as well as plain ol crackers are changing the designs to include loads of malware and spying on the west. The fact that ppl are dumb enough to buy this crap means that they deserve it.

Why are you so shocked?

[OrangeTide]

You think they buy virus scanner software in a Chinese factory? No, these guys cut every corner they can to meet those razor thin profit margins.

Re:Why are you so shocked?

[DNS-and-BIND]

I work with dozens of Chinese factories on a daily basis, and yes, they have AV software installed. Otherwise, the warning dialog in XP pops up, and they call the IT guy to fix it. But please feel free to continue your racist diatribes modded +5.

Re:Why are you so shocked?

Now capitalism is racist?

And my personal experience in Guangdong is the opposite, unless you tell them you want something handled a certain way, they will assume you want it handled in the cheapest way possible. They are contractors after all, and when you pick the lowest bidder you better clearly write out every detail.

This is the same when you hire a building contractor to work on your home, even if he/she is not a minority. But some people, like yourself, prefer to see the world as those everyone is a racist. Or perhaps it's just convenient for you to attack people as being racist to show off your superiority in a public situation.

Re:Why are you so shocked?

[rrohbeck]

I'm sure they do run AV software, but they probably downloaded if from piratez-R-us.ru.

Re:Why are you so shocked?

[drinkypoo]

You think they buy virus scanner software in a Chinese factory? No, these guys cut every corner they can to meet those razor thin profit margins.

China has long been known to be allergic to paying for software and to just pirate everything, and you think they're not using AV software to save money? Would you like to buy a large red bridge located in the San Francisco Bay Area, by any chance? Only used once.

"case and point"?

[macraig]

Not to be condescending: the proper cliched phrase is "case IN point". It's a linking preposition, not a conjunction, in the phrase. I'm not sure of the historical evolution of the phrase.

Ah, here we go:

http://www.worldwidewords.org/qa/qa-cas1.htm

i think some are on purpose

[Z80a]

i got my hands on a pink "MP5" thing (hate that mp4/mp5/mp6 crap), and it not only have a autorun.inf pointing to a virus as you expect, as it keeps rewriting the damn thing when i erase it, and it points to a file on the recycler, and the recycler of the device has a weird file on it its like the own MPthing firmware is actually writing the virus on it

YOU FAIL 2IT

Up tod4y! If you and Juliet 40,000 BitTorRent) Second,

Where it comes from (NOT Walmart)

[caferace]

company website: http://www.mercury-ce.com/product.php?productid=16151&cat=251&page=1
parent company: http://www.kobian-inc.com/?page=contact-us

do77

the hard drive to a losing battle; on an endeav`our it will be among problem; a few Things in GNNA (GAY NIGGER

You all know the words by now! SING ALONG!

[Chris+Tucker]

"Botnets, spammer's botnets!
What kind of boxes are on botnets?

Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!

Are boxes, found on botnets. All running Windows, FOO!"

For myself, I'm currently running OSX, 10.5.6.

Why, yes. Yes I AM a smug bastard! Thanks for asking!

Re:You all know the words by now! SING ALONG!

I hope you plan on switching operating systems if yours ever gains enough market share to become profitable to bother exploiting.

Re:You all know the words by now! SING ALONG!

Why is this moderated as a troll? It sounds a bit angry, but unless there's something i don't know about OSX 10.5.6. that makes it impervious to all malware attacks it's pretty damn true.

Re:You all know the words by now! SING ALONG!

[Chris+Tucker]

Best of luck trying to run an exploit in an OS that requires a specific set of actions by the Admin to install software.

Unlike Windows and 'Autorun', and Outlook Express and Internet Explorer, and the SONY Rootkits, et al, etc.

Granted, even stupid people use Macs from time to time, so, I guess that it's potentially possible to actually get some moron to install a rootkit if he thought he'd was going to see (Female Celebrity) sex tape.

In my decades of using Macs, I've only run into ONE virus, and that was on a used Color Classic I bought at the now defunct Computer Renaissance shop in Cambridge almost 10 years ago.

Re:You all know the words by now! SING ALONG!

[Chris+Tucker]

Any OS more complex than that shipped with the VIC=20 can be exploited in some fashion.

Unlike Windows, the slutty whore that'll let ANYBODY screw her, Mac OS is much harder to mess with. No Autorun, no incestuous relationship between Mail.app and Safari, immune to SONY's CD based rootkits, ships with security options switched on by default, a virgin Mac OS X install can sit on an unfirewalled Internet connection for, essentially, forever, and not get 0wned, unlike Windows which lasts maybe 1 minute before getting 0wned.

And when, Oh happy day!, when Mac OS is the majority OS on the planet, I'll be concerned about exploits then. Until then...

Turning off AutoRun in Windows XP

[MitchAmes]

For Windows XP, SP2 ... Tweak UI allows disabling of AutoPlay either by device type (eg CD) or drive letter, and the setting is stored in the user registery under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], but Tweak UI only shows the settings if the user is an Administrator. However according to Microsoft's TechNet web-site, the NoDriveTypeAutoRun setting in HKCU is ignored if there is a corresponding entry in HKLM, so to disable AutoPlay on all drive types for all users: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff If AutoPlay is enabled, actions per content type can be set per user by right-clicking the drive in Explorer, then selecting the AutoPlay tab. The options are stored in [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers]. The default (which is to prompt the user) can be restored by deleting the entries. Note that there doesn't appear to be an option for "data only". So far as I know, if AutoPlay is enabled (which it is by default), you can't disable AutoRun.inf. However, if the user is not an administrator, Explorer will prompt for an Administrator logon before doing anything.

Re:Turning off AutoRun in Windows XP

[BikeHelmet]

If you're really worried, you should disable it at the driver level rather than the explorer policy level.

For Win2k/XP (maybe Vista), open up regedit and find this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

REG_DWORD "Autorun" - set it to 0
Note: Must be logged on as an admin.

This disables autorun at the driver level, rather than explorer policy level. It may take a reboot to take effect. It should disable all autorun handlers/hooks, effectively turning drives into regular folders. (they just "open")

Autorun.inf files will not automatically run or prompt you to run - actually, on my Win2k box, the right-click autorun option completely vanished!

Note: It doesn't seem to "spin-up" CDs anymore on my computer, until I go into My Computer. It gives it a nasty delay loading that folder, but I figure this is a good thing. It means it isn't accessing the CD or device at all until I tell it to.

Such is the price of security, I suppose!

Re:Turning off AutoRun in Windows XP

[kalirion]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

That looks like it may only disable autoplay for CD/DVD drives. Does it also work for USB drives?

Re:Turning off AutoRun in Windows XP

[tunapez]

Service Name: ShellHWDetection
Display Name: Shell Hardware Detection
Startup Type: Disabled

Initial Unpack/Run the questionable executable Sandboxed, FTW!

Haven't gotten my mitts on any DigPicFrames, do these even require software to make the transfer or is this just more bloatware? I could kill Cox and Qwest for that crap they load every time someone uses their "modem install" software. TG for those who read directions 2nd.

Re:Turning off AutoRun in Windows XP

[BikeHelmet]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

That looks like it may only disable autoplay for CD/DVD drives. Does it also work for USB drives?

I believe it does, but I can't say for certain.

On my computer autorun for USB devices is disabled too, and I believe it was that tweak that did it, but it was years ago that I applied these tweaks, and my memory isn't perfect. :P

If you want to test it, I suggest throwing an Autorun.inf onto a USB stick, and have it open Notepad. ;)

Wine...

[someone1234]

Another proof that Wine is not yet fully compatible :D

Note that none of the major commercial scanners...

[jimicus]

I note that virtually none of the major commercial scanners found anything.

I have trouble believing there's any significant malware that is generally known to the AV industry but is not detected by any of McAfee, Sophos, Symantec or Kaspersky. Particularly when the industry depends so heavily on scaring people into believing they are likely to become infected.

Re:Note that none of the major commercial scanners

[OneSmartFellow]

I have trouble believing there's any significant malware that is generally known to the AV industry

You must be joking, they know about all the viruses, they write them.

Re:Note that none of the major commercial scanners

[citation needed]

No Excuse!!!

[flajann]

There is simply NO EXCUSE for delivering a product infected with a virus. This is just plain sloppy on the part of the manufacturers.

Besides, I always thought those photo frames were a bit silly, anyway.

Anyone use the LG USB Driver for the Chocolate?

[rrossman2]

My father-in-law got the LG Chocolate thanks to his daughter for christmas, only to find out you can't set MP3's as ringtones out of the box. He had used the Verizon Vcast Music software that came with the phone, and that its self is also junk. Anyhow, I downloaded BitPim and got the MP3's to transfer and setup as ring tones. Then his other daughter was on myspace and who knows what else, and here dad decided to scan his computer for malware. I believe the program is called MalRemover or Malware Remover or something, but it listed the LG USB Driver as malware, and I was wondering if anyone else has gotten a hit on this, or is this another "mistaken identity" like a lot of posts are mentioning about?

Re:Anyone use the LG USB Driver for the Chocolate?

[arth1]

My father-in-law got the LG Chocolate thanks to his daughter for christmas, only to find out you can't set MP3's as ringtones out of the box.

Sure you can, but you need to buy the full phone, and not a provider-crippled one.

My advice is to always buy a non-locked[*] phone without a plan, from a company that isn't a service provider. Then shop around for plans.

[*]: Non-locked as opposed to unlocked.

2 for 1

[Storydor]

It's just another 2 for 1 offer!

Merry christmas!

[Yogiz]

Is that the gift that keeps on giving?

Re:Note that none of the major commercial scanners

[EmagGeek]

Here ya go

TSR

[Neeth]

Terminate and Stay Resident

I have to ask...

[toby]

"Is Windows ready for the Picture Frame??"

Embedded Linux sure is. I can't understand HOW Windows ever ended up on a device like this. The license cost alone must seriously affect the profit margin, even discounting the annoyance of pre-installed malware. What are they going to do? Recall them?

Choosing Windows = pure dumbassery.

Fisher Price toys also have this issue

Another device with said problem appears to be the fisher-price Kids Tough Digital cameras. Contains an exe detected as a virus along with an autorun.ini

Second opinion - scanning another 1.5" photo frame

[AYeomans]

Here is the virscan.org scan of the DPFmate.exe file on a similar photo keyring. This scans almost clean, with the only warning being "Suspicious - DNAscan" from QuickHeal.
All sounds to me that the Walmart photo frame may be truly infected. Interesting to see if a re-scan gives the same results, after AV signature updates.
To identify my photo frame, it has USB vendor code 1908:1320, and gives dmesg output as

[ 1615.074173] scsi 2:0:0:0: CD-ROM buildwin Photo Frame 1.01 PQ: 0 ANSI: 2
[ 1615.131784] sr1: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
[ 1615.132336] sr 2:0:0:0: Attached scsi CD-ROM sr1
[ 1615.132793] sr 2:0:0:0: Attached scsi generic sg2 type 5
[ 1618.229611] ISO 9660 Extensions: Microsoft Joliet Level 3
[ 1618.243632] ISOFS: changing to secondary root

and has files on it

-r-xr-xr-x 1 a root 49 2007-12-13 17:07 Autorun.inf
-r-xr-xr-x 1 a root 135904 2008-07-25 11:46 DPFMate.exe
-r-xr-xr-x 1 a root 1344 2008-05-19 18:53 flashlib.dat
-r-xr-xr-x 1 a root 22044 2008-07-23 16:15 LanguageUnicode.ini
-r-xr-xr-x 1 a root 96281 2008-06-11 16:29 MacDPFmate.zip
-r-xr-xr-x 1 a root 758 2008-07-07 12:21 StartInfoUnicode.ini

Hey, I always stick odd USB devices into Linux first to check them out.
For background info, this photo frame does nothing when first connected. You can set it to "transfer" mode, at which point it emulates a USB CD-ROM of 304 Kbyte size. That CD image tries to autorun the DPFmate software to compress and transfer images to the device. The photos are *not* visible on the device through normal access, must have transferred them to a hidden area. I'd be interested if anyone has more info on the USB protocols used.

Eheh, useless.

This is what we call a False-Positive. Case closed, on with the day.

Re:Second opinion - scanning another 1.5" photo fr

[windsurfer619]

Hey, I always stick odd USB devices into Linux first to check them out.

There's gotta be a joke in there somewhere...