Slashdot Mirror


Malware Found On Brand-New Windows Netbook

An anonymous reader alerts us to an interesting development that Kaspersky Labs stumbled across. They purchased a new M&A Companion Touch netbook in order to test a new anti-virus product targeted at the netbook segment, and discovered three pieces of malware on the factory-sealed netbook. A little sleuthing turned up the likely infection scenario — at the factory, someone was updating Intel drivers using a USB flash drive that was infected with a variant of the AutoRun worm. "Installed along with the worm was a rootkit and a password stealer that harvests log-in credentials for online games such as World of Warcraft. ... To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan."

15 of 250 comments

  1. Heh. by MsGeek · Score: 1, Informative
    --
    Knowledge is power. Knowledge shared is power multiplied.
  2. Or... by Kythe · Score: 5, Informative

    You could always reformat the darned thing from scratch using a known-good version of whatever OS you're going to be using.

    Honestly, ever since Vista became the de-facto OS shipped with new computers, I've been doing that, anyway.

    --

    Kythe
  3. Obligatory... by npoczynek · Score: 3, Informative

    Wouldn't have happened if they had ordered that netbook with Linux pre-installed!

    1. Re:Obligatory... by AceofSpades19 · Score: 2, Informative

      I don't know of any Linux distro that has auto-run, so it's pretty unlikely that that would happen.

  4. Re:Remind me again by techno-vampire · Score: 2, Informative

    AutoRun should bring up a prompt, asking if you want to run the software, and remind you that you shouldn't let it run unless you were expecting it and know what it's for. That way, if you have a thumb drive that's not supposed to have anything on it but some driver updates, and the AutoRun prompt shows up, you know something's wrong. It wouldn't be fool-proof, because there are always going to be people who click OK without understanding what's going on, but it probably would have stopped this from happening.

    --
    Good, inexpensive web hosting
  5. Re:Right..... by phantomfive · Score: 4, Informative

    Start with IIS 6 and that isn't really true anymore. It is widely accepted by those without a bias that IIS 6 is as good as equivalent Apache releases (when properly configured, of course).

    That's irrelevant to the point I was making though, which is that popularity is not the only thing that matters where security is concerned.

    Do you really think having to write software on 3 different systems will result in less malware? Do you think companies will double the development staff to accommodate the differences in systems? I think a 33/33/33 split would make software companies have to support more variances, but probably not do any as well as they do now.

    This is an interesting point, but in the old days, software companies supported Commodore, Apple, IBM, Atari, etc. The reality of the situation is that for most big software companies, the number of programmers they have is only vaguely related to the income they generate from their software. A single programmer can write code that generates millions of dollars if you can get people to pay for it. So most companies are going to do a cost/benefit analysis: is it worth it to port my software to X system? If there are millions of users on that system, the answer is probably yes. Most major software already runs on both Macintosh and Windows, and OSX only has about 10% of the marketshare. I see no reason they wouldn't write for all three systems in many cases (although I admit I would be happy to leave Windows out, since it's relatively a pain to write for).

    do you really think a Windows user that has just "clicks thru" wouldn't do the same on Linux (or type sudo first or whatever the equivalent is on OSX)?

    This is a good question, and you are probably right, but the security model in OSX is a lot more clear, so it would be easier to teach users, "If you have to type in your password, something bad might happen!" On OSX application installation is just a matter of drag and drop, normally there is no need to type in your password, so if you do have to, then you really need to think about what you're doing.

    --
    Qxe4
  6. Re:Pffft by Bigjeff5 · Score: 5, Informative

    First, the autorun worm was absurdly difficult to remove. The larger the organization the more likely it is to stick around.

    Second, have you ever built a corporate or OEM OS image before? Using a usb drive to install drivers is not only likely, it's practical.

    The way modern mass-images work is as follows: you have your technician machine, upon which you build the custom tools to incorporate into the image - this would be scripting software packages, customizing settings, etc. Then you have your build machine - this is a clean machine with a fresh OS install on it. You then customize that machine exactly the way you want it, installing custom packages, add all the drivers for all the machines in your product lineup (be sure to include a script to remove the unneeded drivers post-sysprep!), and reseal it to OEM spec with sysprep (which calls any necessary post-build scripts).

    Now, you test, test, test, and test to be sure it is good, and mass deploy it to all your hard drives that will be going into all your machines. Much of this does not have to be changed when new models are added, and with MS's newer tools a lot can simply be slipped in to the image itself without having to re-seal it. Very convenient. That also may be how this thing got in as well, who knows.

    The breakdown here was on the final step: apparently nobody scanned the test machine for viruses/malware before deploying the image. I'm surprised only a few netbooks were hit, unless the others just haven't noticed yet, heh.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  7. Re:Ha ha. by Runaway1956 · Score: 4, Informative

    Nor is it really news. The wife bought a Compaq some years ago. I cleaned it of malware, then in a few days she complained of more. Did a "restore" from the restore partition. Malware restored itself along with the Windows OS. Imagine that... OEMs are PAID to install crapware, and they are only too happy to accept the money.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  8. Re:Remind me again by hairyfeet · Score: 3, Informative

    And as a PC repairman I can say that autorun isn't even in the top 5 of ways an average Windows machine that crosses my desk gets boned. Hell, I wouldn't even put it in the top ten. Maybe somewhere in the top twenty. The number 1, 2 and 3 are: 1 - Hot_Lesbos.mpg.exe, 2 - Lame_pop_song.mp3.exe, 3 - "here are those pics I promised!" (unsolicited email attachment from a friend with a password-protected zip file).

    Honestly, the guy that put "do not show file extensions for known file types" as the default should have gotten a really good firing. That, and the fact that on 95-XP if you choose to uncheck the "do not show file extensions" checkbox and hit rename, Explorer automatically will pick the ENTIRE file name, including the extension. Which means if you let them see the extension you end up with a bunch of files renamed with no file extension that the user then has no clue what to do with or how to open. That was just some really stupid UI design.

    Oh, and for the PC repair guys out there that are having to wipe and reinstall Windows a lot, or like me build a lot of new XP machines, I would recommend Almeza Multiset to make your life a whole lot easier. I have a lot of programs like Oxygen Office and Klite Mega Codec Pack that I give my customers so when they get the box they can just flip the switch and go. With Almeza I only have to install and configure a program once and Almeza will make a nice unattended install CD with whatever programs I choose, set the way I want them, be it FF3 with ABP, OO.o, whatever. All I do is pick "install all" and go have a smoke, and when I return she is ready to go. I am not connected with the company in any way, it is just the best $39.99 I've spent when it comes to having to work on Windows.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  9. Re:Remind me again by cdrguru · Score: 3, Informative

    Autorun came from "put in the CD, the game starts." This was introduced before there was the possibility of recordable CD-R discs, so it was utterly safe, until malware folks started producing CD-ROMs by the 1,000s.

    Extending it to USB devices is problematic. Anything that can be written to by a user can then be used to corrupt other machines, assuming that some users have blackness in their hearts. That pretty much means that for CDs it isn't safe anymore either.

  10. Re:Right..... by phantomfive · Score: 4, Informative

    You haven't thought this through. It's pretty well accepted that a monoculture is bad for computer security. If you would like to discuss the issue, then I suggest you inform yourself on the research and arguments in the topic, and then you will be much better informed to make an insightful comment. Then we can talk.

    --
    Qxe4
  11. Re:Remind me again by GF678 · Score: 3, Informative

    The only solution is to kill AutoRun completely. It should not exist. It has no good reason for existing. The only thing it really does is by its nature a security hole. Just shut it off already.

    They have, in Windows 7.

    Despite what a lot of the morons in Slashdot think, Microsoft does listen to people's complaints.

  12. Re:Virus really such a threat? by Anonymous Coward · Score: 1, Informative

    In my experience, the majority of viruses are PEBKAC related, and usually caused by the dancing bunnies problem, which no OS maker can really fix unless the PC is locked down like a console.

    I have seen malware come on USB flash drives, but if a system is running a decent antivirus program, it usually will get caught before it has a chance to execute. However, running gpedit.msc and disabling autorun and autoplay completely is the best matter of course.

    IMHO, there are four main sources of malware:

    1: Machine is exposed on the Internet and hit by an active remote root attack.
    2: Dancingbunnies.wmv .exe (with a good amount of spaces between the .wmv and the .exe.)
    3: A hole in the Web browser or a plugin. This is why I highly recommend Firefox/Adblock/NoScript.
    4: autorun.inf tomfoolery on either a CD or removable media.

    #1 can be cleared up by a hardware firewall, or even the OS's firewall with no exceptions if on a laptop on public wireless. #3 can be mitigated by running the Web browser as a user in a VM. #4 can be disabled with registry entries and a profile entry (assuming a version of Windows where profiles work -- Vista Home and XP home, one will have to hit the Registry directly). Which leaves #2, and this is basically dealt with by user education.

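An added example (not code from the thread or from either poster above) for the two points raised about deceptive filenames: hairyfeet's `Hot_Lesbos.mpg.exe` style of double extension, which only works because Explorer hides known extensions by default, and the anonymous poster's `Dancingbunnies.wmv .exe`, where a run of spaces pushes the real extension off the visible part of the name. The sample names are constructed here; the extension lists and the `HideFileExt` value are real, the rest is illustrative:

```powershell
# Added example, not from the original thread. Flags filenames built to fool a user
# whose Explorer hides known extensions, then shows how to turn that hiding off.
# Extension lists are assumptions: extend them for your environment.
$ExecExt = @('.exe','.scr','.com','.pif','.bat','.cmd','.vbs','.vbe','.js','.jse','.wsf','.lnk')
$BaitExt = @('.mpg','.mp3','.avi','.wmv','.jpg','.jpeg','.gif','.png','.pdf','.doc','.txt','.zip')

function Test-DeceptiveName {
    param([Parameter(Mandatory)][string]$Name)
    $ext = [IO.Path]::GetExtension($Name).ToLower()
    # Only a final extension Windows will execute matters here.
    if ($ExecExt -notcontains $ext) { return $false }
    $stem = [IO.Path]::GetFileNameWithoutExtension($Name)
    # "Dancingbunnies.wmv          .exe": whitespace before the real extension
    # is never legitimate and is what hides ".exe" in a narrow Explorer column.
    if ($stem -match '\s+$') { return $true }
    # "Hot_Lesbos.mpg.exe": the stem still ends in a media/document extension.
    if ($BaitExt -contains [IO.Path]::GetExtension($stem).ToLower()) { return $true }
    return $false
}

function Find-DeceptiveFiles {
    # Walk a directory (e.g. Downloads or a mail attachment cache) and report hits.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-DeceptiveName $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample names (not real files from the thread) to exercise the check:
$Samples = @(
    'Hot_Lesbos.mpg.exe',
    'Lame_pop_song.mp3.exe',
    'Dancingbunnies.wmv                              .exe',
    'holiday.jpg',
    'setup.exe'
)
$Samples | ForEach-Object { '{0,-55} deceptive={1}' -f $_, (Test-DeceptiveName $_) }

# The default HideFileExt=1 is what makes the trick work; 0 shows every extension.
# Per-user setting; Explorer picks it up after a restart (Stop-Process -Name explorer).
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $Adv -Name HideFileExt -Type DWord -Value 0
```

The first three sample names are flagged and the last two are not. Showing extensions is a per-user preference, so on a shared or imaged machine it has to be set in the default profile or by Group Policy Preferences rather than once in the builder's own HKCU.
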
  13. Re:Remind me again by Anonymous Coward · Score: 2, Informative

    Self inserts Fallout3 disk into Win7 PC. Autorun brings up dialog box. Nope, still there.

  14. Re:Remind me again by GF678 · Score: 3, Informative

    You're getting confused with Autoplay, they're not actually the same thing.

    Autoplay is what brings up the dialog box based on the contents of the media
    Autorun is the method by which the autorun.inf file on the media is executed automatically.

    You could normally disable autoplay easily, but autorun.inf files would still run. That doesn't happen anymore.
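An added example, not code from the thread or from any of the posters, covering three things said above: the anonymous poster's advice in comment 12 to kill AutoRun through the registry rather than trust AutoPlay's dialog, GF678's distinction that what matters is whether `autorun.inf` is still honoured, and Bigjeff5's observation that the build machine was never checked before the image was captured. The `NoDriveTypeAutoRun` bitmask and the `HonorAutorunSetting` value (needed on XP/2003 after KB967715) are real; the drive-type filter and the `autorun.inf` parsing are this example's own choices. Run from an elevated PowerShell:

```powershell
# Added example, not from the original thread. Disables AutoRun for every drive
# type, verifies the policy, and hunts for autorun.inf on attached volumes so the
# check can be run on an image-build machine before sysprep/capture.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutoRunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which autorun.inf is ignored.
    # 0xFF sets every bit; XP's default 0x91 still allowed removable and fixed drives.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    # XP/2003 with KB967715 require this for the mask above to be fully honoured.
    Set-ItemProperty -Path $PolicyKey -Name HonorAutorunSetting -Type DWord -Value 1
}

function Get-AutoRunPolicy {
    # Returns the effective mask as hex, or a note that the OS default applies.
    $p = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NoDriveTypeAutoRun not set (OS default applies)' }
    '0x{0:X2}' -f $p.NoDriveTypeAutoRun
}

function Find-AutoRunInf {
    # Win32_LogicalDisk DriveType: 2 = removable, 3 = fixed, 5 = CD-ROM.
    # Any autorun.inf on a removable or fixed disk is a finding; on optical media it
    # is normal, so the caller decides what to do with those.
    Get-CimInstance Win32_LogicalDisk |
        Where-Object { $_.DriveType -in 2, 3, 5 } |
        ForEach-Object {
            $inf = Join-Path -Path $_.DeviceID -ChildPath 'autorun.inf'
            if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
                # Keep only the directives that actually launch something.
                $launch = Select-String -LiteralPath $inf `
                    -Pattern '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' |
                    ForEach-Object { $_.Line.Trim() }
                [pscustomobject]@{
                    Drive     = $_.DeviceID
                    DriveType = $_.DriveType
                    Path      = $inf
                    Launches  = $launch
                    Hidden    = ((Get-Item -LiteralPath $inf -Force).Attributes -band 'Hidden') -ne 0
                }
            }
        }
}

Set-AutoRunDisabled
"AutoRun policy: $(Get-AutoRunPolicy)"
# Pre-capture gate for an OEM/corporate image: fail the build if anything is found
# on a non-optical drive.
$hits = Find-AutoRunInf | Where-Object { $_.DriveType -ne 5 }
if ($hits) { $hits | Format-List; throw 'autorun.inf present on a fixed/removable drive' }
```

Checking the registry value directly is the useful habit here: Windows 7 stopped honouring `autorun.inf` on non-optical media, but an image built on an older OS, or one that was never patched, gives no such guarantee, and the policy mask tells you what the machine will actually do regardless of which dialog AutoPlay shows. Hidden-attribute `autorun.inf` files on a fixed disk are exactly what the worm in the story would have left behind on the build machine.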