
SANS ISC InfoSec Handlers Diary Blog



Digital Hitchhikers Part Three

Published: 2008-01-07
Last Updated: 2008-01-07 03:43:21 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Back on Christmas Day we published a diary about digital picture frames being purchased with malware installed on the built-in memory.  Last Friday we did a follow-up diary after two more readers wrote to tell us that they also purchased malware-infected photo frames.  In the second diary we asked readers to check any recently purchased devices that connect to a user's computer via a USB cable and appear to the operating system as a mounted drive.  In years past this would have been limited to iPods and USB memory sticks but now it includes digital photo frames, GPS devices, external hard drives, and of course digital cameras.

Several readers wrote back with their findings and here's what they told us.

A reader who asked to remain anonymous said:

I was bought a set of MP3 playing sunglasses for Christmas that came with an extra gift, infection, AVG called it PSW.OnlineGames. It was a hidden .scr file with a hidden Autorun.inf file .. Can't remember the name of the file or who sold it off-hand though since I'm not near my Inbox..

I got in contact with the company that sold the device and they responded and investigated very quickly.. Seems something went wrong in China during Quality Control checks..

Seems that the Christmas rush is a logical time to distribute infected devices.. Everyone'll be so keen to plug them in and go, and those who run unprotected get it good.

Reader Paul said:

The diary entries discussing the malware on digital photo frames and GPS units have been interesting and informative, but I believe that they have neglected to mention mitigation. In the cases mentioned with any detail, the infection was started when autorun.inf launched a trojan exe file. The key bit of information I believe should be included in a subsequent update is that infection can be prevented by disabling the autorun feature in Windows.

Paul (and others), see this timely article on Microsoft's TechNet about a technique known as Island Hopping.  While the article focuses on USB memory sticks and media you get at trade booths, the defensive measures are applicable to protecting Windows from any external device that mounts as a drive.

Josef sent us this note: 

I am currently working on an Incident within my company that seems to show obvious similarities with your Photo Frame malware incidents:

A virus that copies itself to all partitions (also removables) and writes itself to the AUTORUN.INF

If it is truly connected to your incidents, your AUTORUN.INF files should show the following lines:

[AutoRun]
open=tvhzskuyl.exe
shellexecute=tvhzskuyl.exe
shell\Auto\command=tvhzskuyl.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk1

It also tries to update itself from a website (www.max-gate.com/backup/mitm.com), connects to an IRC server and tries to spread via NetBIOS.
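Paul's point about autorun and Josef's autorun.inf sample above suggest a simple defender-side check. The script below is an added example, not code from the ISC or from any reader: it parses an autorun.inf the way the diary describes (INI sections, the `open`, `shellexecute` and `shell\...\command` keys that Windows will act on), checks whether the program those keys point at actually exists on the mounted volume, and interprets the Windows `NoDriveTypeAutoRun` policy bitmask that disables AutoRun per drive type. The sample autorun.inf is copied from Josef's report; the fake volume built in `demo_with_fake_volume()` is constructed for the demonstration.

```python
"""Check a mounted removable device for an autorun.inf that launches a program.

Added illustration (not ISC or reader code). The launch keys and the
NoDriveTypeAutoRun bit values are the ones Windows documents; the sample
autorun.inf is the one quoted in the reader report above.
"""
import os
import re
import tempfile
from pathlib import Path

# Keys in [AutoRun] that make Windows run something from the volume.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# Copied from the reader report; the .exe name is the one he observed.
SAMPLE_AUTORUN = """[AutoRun]
open=tvhzskuyl.exe
shellexecute=tvhzskuyl.exe
shell\\Auto\\command=tvhzskuyl.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk1
"""


def parse_autorun(text):
    """Return {section: [(key, value), ...]}; tolerates duplicate keys and comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def find_launch_entries(text):
    """List (key, program) pairs in [autorun] that would execute a program."""
    found = []
    for key, value in parse_autorun(text).get("autorun", []):
        if LAUNCH_KEYS.match(key):
            program = value.split()[0].strip('"') if value else ""  # drop arguments
            found.append((key, program))
    return found


def assess_autorun(text, mount_point=None):
    """Classify: 'clean' (no launch keys), 'suspicious' (launch key present),
    or 'malicious-looking' (the launched program is on the volume, or has an
    executable extension when no mount point is supplied)."""
    launches = find_launch_entries(text)
    if not launches:
        return "clean", launches
    verdict = "suspicious"
    for _, program in launches:
        if mount_point is not None:
            if os.path.isfile(os.path.join(mount_point, program)):
                verdict = "malicious-looking"
        elif Path(program).suffix.lower() in EXEC_EXT:
            verdict = "malicious-looking"
    return verdict, launches


def check_mounted_volume(mount_point):
    """Read autorun.inf from the root of a mounted device and assess it."""
    inf = os.path.join(mount_point, "autorun.inf")
    if not os.path.isfile(inf):
        return "no autorun.inf", []
    with open(inf, "r", errors="replace") as fh:
        return assess_autorun(fh.read(), mount_point)


# NoDriveTypeAutoRun (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer):
# a set bit disables AutoRun for that drive type; 0xFF disables it everywhere.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}


def autorun_enabled_for(policy_value, drive_type):
    """True if AutoRun is still active for drive_type under this policy value."""
    return not (policy_value & DRIVE_BITS[drive_type])


def demo_with_fake_volume():
    """Constructed volume: the sample autorun.inf plus an empty tvhzskuyl.exe."""
    vol = tempfile.mkdtemp(prefix="fakeframe_")
    with open(os.path.join(vol, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    open(os.path.join(vol, "tvhzskuyl.exe"), "wb").close()
    verdict, _ = check_mounted_volume(vol)
    return verdict


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN))
    print("removable AutoRun under 0xFF:", autorun_enabled_for(0xFF, "removable"))
```

Run it against the root of any newly plugged-in device (`check_mounted_volume("E:\\")` on Windows, or the mount path on a Linux rescue CD of the kind David mentions); a "clean" autorun.inf normally carries only `icon=` or `label=` keys. The policy helper only interprets the bitmask; reading the live registry value is left to the administrator's tooling.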

Reader David sent us this good advice: 

I just wanted to mention that if a malicious program locks down certain features of your operating system, it may still be possible to load an alternate OS (e.g. Knoppix) off CD and delete the offending content.  I believe the latest Linux tools can interact with a fair degree of safety with NTFS formatted systems.

Many users may be unaware of this option, so I just thought it might be worth noting.

Reader Craig pointed out the obvious question:  was the item "new" or had it been returned and resold: 

One fact that seems to be omitted from most of the reports I hear about picture frames, CF storage, MP3 Players, etc. that show up with either a virus or porn on them is this: Whether the packages were sealed when the item was purchased.

One of my students (who works at a large electronics store) has mentioned that it seems to be a common prank.  He has seen cases where people have bought a device, loaded stuff on it, and then returned it.   And if they tell the customer representative that there was nothing wrong with the device, they just changed their mind, often the device ends up right back out on the shelves with the new devices.  He told me that employees are not instructed or required to wipe content off the storage device before reselling the item or putting it back on the shelves.

Craig, as far as we know all of the cases were with "new" items - but to be fair, many stores will re-shrinkwrap returned items if the customer tells the return personnel that they brought it back because they didn't want it (rather than it being defective).  That opens up the opportunity for somebody to buy an item, bring it home, load malware, then return it to the store where it might get resold.

Reader Dave did the right thing when he brought his infected drive back: 

I purchased a 250GB Maxtor External One Touch Backup from Radio Shack (sale item!) and though it was shrink-wrapped, it caused my Mcafee AV to throttle up on two systems, and blue screen one of them. 

I exchanged it, and the new unit has worked perfectly. I did enclose a note with the drive, and had the sales clerk write "DO NOT RESELL - DEFECTIVE" all over the box.

Handler Scott Fendley provided this little vignette: 

I heard of a story in Colorado where an MP3 player had been purchased for Christmas which contained XXX stuff on it.  So it appears that this is truly a new prank that retailers are going to have to address.

Finally, SANS ISC Handler Daniel Weseman went back through his case logs for the past several weeks and found a couple of reports from his office:  

We had one case of a "picture frame" on December 12. Symantec AV triggered on "autorun.inf" and flagged it as "Trojan Horse", so it was probably the Silly worm. On the "what happened" self declaration form, the user stated that he had gotten the picture frame at a Christmas raffle of his sports club .. no telling if it was Wal-Mart. I followed up, the user doesn't have it anymore, after our IT support cleaned it and gave it back to the user, the user apparently got rid of it right at the next raffle he went to :)

We had one case of GPS on Dec 20, a Garmin Nuvi, but this wasn't straight out of the box and had been attached to the user's home PC prior.  At least this is what the case log indicates ("user copied MP3 files onto the nuvi at home")

Daniel's analysis of these two cases is that unless somebody has a virus alert right after unpacking a device and plugging it in for the very first time, chances are they picked the baddies up somewhere else.

Readers, if you find any more infections - particularly digital photo frames - please let us know via our contact form.  Tell us the name of the device, where you bought it, and what day.  With your permission we'll pass the information along to the equipment manufacturer or to the store's computer security response team.

Marcus H. Sachs
Director, SANS Internet Storm Center
