Digital Photo Frame replies

Published: 2008-02-19
Last Updated: 2008-02-19 20:16:19 UTC
by Deborah Hale (Version: 1)

Several days ago a reporter from the San Francisco Chronicle contacted me because she had read my diary regarding the possible contamination of digital photo frames sold around the Christmas holidays. These frames were purchased from a variety of stores around the country and from what we can gather there are different manufacturers and models.  It has not been an easy task trying to pull all of the details together and is perhaps one of the mysteries that will never be solved to most everyone’s satisfaction.

I am going to try to answer the questions that came in to the Internet Storm Center yesterday.  I decided rather than answering them one on one, I would take a stab at answering all of the questions in a diary format.

So here goes:

Several people wanted to know if their particular frame has been reported to be infected.

             At this point the only 3 that have been identified by name are the Insignia 10.4”, the ADS 8” and Uniek brand.  

Where were the frames purchased?

             We have had reports of frames purchased at various locations throughout the US.  Best Buy, Sam’s Club/Walmart, Target, Costco have all been identified. We know that Best Buy pulled their frames off the shelves.

Many people wanted to know how they can tell if their computer has been infected by their digital frame.

             There are many different “theories” on just what infection has occurred.  If you do a Google search for digital photo frame infections you will come up today with 70,400 hits.  I have not looked at all of the articles of course. However the ones that I have looked at all boil down to basically a malware infection.  As for identifying exactly which one you may have, that is a tough one.  Unfortunately, each of the anti-virus manufacturers has its own twist on it and each has given it its own name.  It would be so nice for many reasons if we could get this part of our world standardized.  It has been identified as Autorun.e, Autorun.worm, and Mocmex. Some of the individual components are identified with additional names.  I wish I could give you a list of what files to look for but I can’t.  First of all the lists that I have seen are many and secondly, this list may change continuously. The nature of many of these worm outbreaks is that they change their file names (identity) continuously in order to avoid detection.  To actually print this list would be irresponsible I think because it may give a false sense of security if you don’t find one of these files on your disk.  I would like to urge everyone to check out their anti-virus programs to make sure that they are current and that the definitions are up to date.  One of the reports that I have read says that this infection may disable your anti-virus programs and/or your firewall programs.  Your best line of defense is prevention.  Anti-virus, anti-spyware software and firewalls are your computer’s best friends if used correctly.  Just remember, in most cases these programs expire every year and need to be renewed annually.

What else?

The digital picture frames are not the only devices that are potential candidates for infection.  Any device that uses a USB connection, any device that allows data, whether images or files, to be stored, and any device that connects 2 devices together to share data may be at risk.  We have had reports in the past of hard drives (both external and internal), USB Sticks/Flash Drives/Thumb Drives, Camera cards, iPods, MP3 players, etc. being infected.  Again, trying to determine where the initial infection occurred is nearly impossible.

 Just today we received an email from someone who has witnessed and has evidence of an infection at a photo Kiosk at a retail store. His email had this to say:

  “Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it.  Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe.  The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file.  At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us.  Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus.”

These photo kiosks are wonderful, allowing you to professionally print the photos from your camera’s memory card.  You put the memory card into the machine, it brings up a preview of the pictures and you select which you want to print.
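The behaviour described in the email above (an Autorun.inf in the root of the removable drive pointing at an executable in a recycler folder) can be checked for before a card or stick is trusted. The following is an added example, not code from the diary or from any vendor: it parses an autorun.inf and reports the entries that would launch a program. The sample file contents and the function names are constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return (key, command) pairs from [autorun] that launch a program."""
    launches, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            k = key.lower()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                launches.append((k, value))
    return launches

def check_drive(root):
    """Inspect the root of a mounted removable drive; return a list of findings."""
    findings = []
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":  # file name is case-insensitive
            continue
        with open(os.path.join(root, name), encoding="latin-1") as fh:
            for key, command in parse_autorun(fh.read()):
                note = "launches a program"
                if "recycler" in command.lower():
                    note += " from a recycler folder"
                findings.append((key, command, note))
    return findings

def demo():
    """Build a constructed sample drive in a temp directory and check it."""
    sample = "[AutoRun]\r\nopen=recycler\\recycler\\autorun.exe\r\nicon=photo.ico\r\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Autorun.inf"), "w", newline="") as fh:
            fh.write(sample)
        return check_drive(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An empty result only means no launch entry was found in an autorun.inf on that drive; it is not evidence that the drive is clean, so the anti-virus scan is still needed.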

There are so many possible means of infection.  There are so many ways that the infection can spread.  The best advice that we can give is:  Anti-virus, anti-spyware, firewall protection.  As I tell my “students” in the workshops that I give…  “You need to become intimate with your computer.  You need to know how it acts when it feels good. Then when it doesn’t feel good… pay attention.  Run a virus scan, run a spyware scan, check to see if any programs have been installed that you don’t know about.” 

I wish that we could require all of our drivers on the Information Highway to have a license to operate.  I wish that we could require all of our Internet users to take a course on Netiquette.  But we can’t, so all we can do is educate when we can and help people to understand the power they have in their hands.
