Walmart Photo Keychain Comes Preloaded With Malware

Blowit writes "With the Christmas holidays just past and opening up your electronic presents may get you all excited, but not for a selected lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus is on the device. I scanned the one I have and AVAST did not find any virus ... So I went to Virscan.org to see which vendors found what, and the results are here and here." Update: 12/29 05:44 GMT by T : The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.

Disassembled?

No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?

Re:Disassembled?

Funny thing though--it didn't run under Linux.

Does anything run under Linux? If only Linux could correctly run even a virus!

Old news

[Afforess]

This is old news. It has happened before. Case and Point.

Re:Old news

[lysergic.acid]

USB devices certainly are eligible for autoplay, they just prompt the user when the device is first connected by default. however, an autorun.inf file can still change the default action for that drive, so that when the user double clicks on the volume in My Computer, it will run the autplay program rather than open up the drive for browsing. and in that situation the user gets no warning.

and i'm not sure what U3 is, but i know that if a removable drive has a partition formated with CDFS, Windows will assume that it's a copy-protected CD and will allow autoplay without the user's consent regardless of your autoplay settings. i think this can be done with any USB drive, which in a way makes disabling autoplay or prompting the user useless. just one more way consumers get screwed by DRM i guess.

Did you tell Walm*rt?

[plover]

Write them a letter telling them what you found. Try this link http://walmartstores.com/contactus/feedback.aspx to get to their headquarters, where something might get done about it. Include enough technical detail for them to replicate the problem, especially the model number or any other identifying information from the package.

If you want someone to care enough to write back, try to not sound accusatory or threaten to sue them. I'm sure they get enough of that on a daily basis.

false positives?

Looks to me like they used some kind of packer to make the exe's small to not take up a lot of space on the device (understandably). A lot of scanners will automatically detect packing as malware and, due to the nature of how a packer works, trojan is the logical choice. I have a similar problem with anything I compile with delphi since a lot of malware is developed in delphi.

My 2 cents worth...

that's why USB autoplay is a bad idea

[lysergic.acid]

this time it seems like it was the vendor's screwup, which is very rare, but it's very easy for someone to have a clean USB stick, then plug it into an infected PC and unknowingly get a trojan written to the USB stick.

i recently had close call myself when i took my PSP to work and plugged it into a workstation (i had some utilities and e-books saved on the memory stick). when i got home and plugged the PSP into my desktop, i noticed the PSP memory stick was displayed with an odd icon in My Computer. so i looked at the root directory and found a suspicious .exe file that i hadn't placed there, which was also referenced by a new autorun.inf file.

with thumbdrives, external hard drives, portable media players, and other flash memory devices becoming increasingly common, i expect more and more malware writers will exploit them as an infection vector, especially as autoplay is usually enabled by default on Windows systems. the only reason i had autoplay disabled was because i found it annoying, and that's the only reason i lucked out.

Not necessarily infected

[arth1]

Keep in mind that it might be a false positive. Those happen, and sometimes you find the same false positive in more than one AV product when they simply copy from each other instead of creating their own definitions from the real thing.

An example is the game The Witcher, which triggered a false AV protection in ESET Nod32 antivirus. Then, suddenly, a couple of months later, a couple of other products also started seeing a virus here. There was none -- the packer that had been used by the game had also been used for a virus, and the signature was copied from NOD32 to some less successful AV programs without further ado.

So, don't just take it on face value that there is a virus -- especially not when none of the really big players with low false positive rates can detect it. It may be one, but don't blindly assume so.

Packer

[micksam7]

It's not a virus, it's just a exe packer they used.

Virus scanners have been labeling PE Packers as viruses for ages now, simply because a virus could be packed with them, and it's easier to pick out a packer header than a virus contained in it.

A lot of false positives are caused by this, and this looks like one of those cases based on what you linked. "Generic" "NSPack" "PossibleThreat" in the VirSCAN links give that away.

EXE/PE Packers simply compress a binary and decompress it on the fly, simply to save space or "load faster". Likely Walmart's programmers used one to keep the app's size small on a small device like that.

I've dealt with this situation in size-coding competitions before, and it's not fun. A lot of false positives are caused simply because a packer was used.

Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

This basically is just a case of virus scan companies being lazy.

Re:Packer

[poetmatt]

I suppose it's no surprise then that Trend Micro (and likely Mcafee) went berserk while Avast did not? Although I think we had that controversy with the "clamAV vs Mcafee" virus scanning thing a year or two back.

Re:Packer

[Opportunist]

Erh... not entirely true.

Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

Most AV suits today are able to unpack those runtime packers. I know of a suit that even sandboxes the program and executes it in a virtual machine to see if it results in some unpacked code.

Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in ram, eating up space needlessly, so I stopped using them. Ram is precious, HD space isn't.

Re:Packer

[BikeHelmet]

Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

If the virus can detect the antivirus, then your antivirus fails at sandboxing.

Re:Packer

It twas I, Peter Piper that purchased the picture peeper with a packer.

Why are you so shocked?

[OrangeTide]

You think they buy virus scanner software in a Chinese factory? No, these guys cut every corner they can to meet those razor thin profit margins.

Re:Were they made by Sony?

[Opportunist]

Care to explain how a rootkit could be considered anything but malware?

If they do nothing else, they compromise the security of a system.

Turning off AutoRun in Windows XP

[MitchAmes]

For Windows XP, SP2 ... Tweak UI allows disabling of AutoPlay either by device type (eg CD) or drive letter, and the setting is stored in the user registery under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], but Tweak UI only shows the settings if the user is an Administrator. However according to Microsoft's TechNet web-site, the NoDriveTypeAutoRun setting in HKCU is ignored if there is a corresponding entry in HKLM, so to disable AutoPlay on all drive types for all users: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff If AutoPlay is enabled, actions per content type can be set per user by right-clicking the drive in Explorer, then selecting the AutoPlay tab. The options are stored in [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers]. The default (which is to prompt the user) can be restored by deleting the entries. Note that there doesn't appear to be an option for "data only". So far as I know, if AutoPlay is enabled (which it is by default), you can't disable AutoRun.inf. However, if the user is not an administrator, Explorer will prompt for an Administrator logon before doing anything.

Re:Turning off AutoRun in Windows XP

[BikeHelmet]

If you're really worried, you should disable it at the driver level rather than the explorer policy level.

For Win2k/XP (maybe Vista), open up regedit and find this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

REG_DWORD "Autorun" - set it to 0
Note: Must be logged on as an admin.

This disables autorun at the driver level, rather than explorer policy level. It may take a reboot to take effect. It should disable all autorun handlers/hooks, effectively turning drives into regular folders. (they just "open")

Autorun.inf files will not automatically run or prompt you to run - actually, on my Win2k box, the right-click autorun option completely vanished!

Note: It doesn't seem to "spin-up" CDs anymore on my computer, until I go into My Computer. It gives it a nasty delay loading that folder, but I figure this is a good thing. It means it isn't accessing the CD or device at all until I tell it to.

Such is the price of security, I suppose!

Re:Were they made by Sony?

[Lord_Sintra]

Technically, kernel level debuggers can be classified as rootkits, as they use rootkit techniques to gain the level of access they need to be able to work.