Malware Found On Brand-New Windows Netbook

Posted by kdawson on Sat May 23, 2009 04:07 PM
from the be-careful-out-there dept.
An anonymous reader alerts us to an interesting development that Kaspersky Labs stumbled across. They purchased a new M&A Companion Touch netbook in order to test a new anti-virus product targeted at the netbook segment, and discovered three pieces of malware on the factory-sealed netbook. A little sleuthing turned up the likely infection scenario — at the factory, someone was updating Intel drivers using a USB flash drive that was infected with a variant of the AutoRun worm. "Installed along with the worm was a rootkit and a password stealer that harvests log-in credentials for online games such as World of Warcraft. ... To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan."
  • Ha ha. (Score:5, Insightful)

    by yourassOA (1546173) on Saturday May 23 2009, @04:12PM (#28069635)
    Doesn't seem like an accident.
    • And why is it that all machines come pre-installed?

      If they weren't, this problem with malware on preinstalled machines would have been less widespread.

    • Re:Ha ha. (Score:5, Informative)

      by Runaway1956 (1322357) on Saturday May 23 2009, @05:29PM (#28070173) Homepage Journal

      Nor is it really news. The wife bought a Compaq some years ago. I cleaned it of malware, then in a few days, she complained of more. Did a "restore" from the restore partition. Malware restored itself along with the Windows OS. Imagine that....... OEMs are PAID to install crapware, and they are only too happy to accept the money.

  • Pffft (Score:3, Insightful)

    by BobReturns (1424847) on Saturday May 23 2009, @04:13PM (#28069641)
    Yes, because any average Joe user is capable of utilising that 'solution'.
      • Re:Pffft (Score:5, Informative)

        by Bigjeff5 (1143585) on Saturday May 23 2009, @05:20PM (#28070099)

        First, the autorun worm was absurdly difficult to remove. The larger the organization the more likely it is to stick around.

        Second, have you ever built a corporate or OEM OS image before? Using a USB drive to install drivers is not only likely, it's practical.

        The way modern mass-images work is as follows: you have your technician machine, upon which you build the custom tools to incorporate into the image - this would be scripting software packages, customizing settings, etc. Then you have your build machine - this is a clean machine with a fresh OS install on it. You then customize that machine exactly the way you want it, installing custom packages, add all the drivers for all the machines in your product lineup (be sure to include a script to remove the unneeded drivers post-sysprep!), and reseal it to OEM spec with sysprep (which calls any necessary post-build scripts).

        Now, you test, test, test, and test to be sure it is good, and mass deploy it to all your hard drives that will be going into all your machines. Much of this does not have to be changed when new models are added, and with MS's newer tools a lot can simply be slipped into the image itself without having to re-seal it. Very convenient. That also may be how this thing got in as well, who knows.

        The breakdown here was on the final step: apparently nobody scanned the test machine for viruses/malware before deploying the image. I'm surprised only a few netbooks were hit, unless the others just haven't noticed yet, heh.
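The missing step the comment above points at, scanning the tested build before the image is mass-deployed, can be made mechanical: hash every file of the image that passed testing, keep that manifest, and compare each deployed disk against it before the machine is boxed. The following is an added example written for this thread, not code from the post or from any OEM's tooling; the file names in the sample trees are constructed, and the comparison is plain SHA-256 over a directory tree rather than a real disk image.

```python
"""Manifest check for a deployed OS image (added example, not from the thread).

Idea: hash every regular file of the image that was tested, ship that manifest
with the image, and diff each built disk against it before it leaves the line.
Files that appear, vanish or change between the tested build and the deployed
copy are exactly what an infected technician's USB key would leave behind."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifest(expected, actual):
    """Compare the tested-image manifest with a deployed copy.

    Returns sorted lists under 'added', 'removed' and 'modified'. Anything in
    'added' or 'modified' means the deployed copy is not the build that was
    tested and must not ship; 'removed' usually means a broken deployment."""
    exp, act = set(expected), set(actual)
    return {
        "added": sorted(act - exp),
        "removed": sorted(exp - act),
        "modified": sorted(p for p in exp & act if expected[p] != actual[p]),
    }


def demo():
    """Constructed sample: a tiny 'golden' tree and a deployed copy that picked up
    an autorun.inf, had one system binary altered, and lost one driver file.
    All paths and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as golden, tempfile.TemporaryDirectory() as deployed:
        def write(root, rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        for root in (golden, deployed):
            write(root, "Windows/System32/drivers/gfx_sample.sys", b"graphics driver bytes")
            write(root, "Windows/explorer.exe", b"explorer bytes")
        write(golden, "Windows/System32/drivers/wlan_sample.sys", b"wifi driver bytes")
        write(deployed, "autorun.inf", b"[autorun]\r\nopen=setup.exe\r\n")
        write(deployed, "Windows/explorer.exe", b"explorer bytes plus unexpected patch")
        return diff_manifest(build_manifest(golden), build_manifest(deployed))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is generated once on the build machine after the final test pass and signed; the line-side check then only needs the manifest and a read-only boot medium, so the deployed disk is never booted before it is verified.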

      • The first thing I did with my laptop was to reinstall Vista with the DVD that came with it. Is there a way to get malware from there or the driver disk?

        Replace "Vista" with Ubuntu/Red Hat/SuSE/Debian and you should be fine :P More seriously, why hasn't Microsoft made a package manager+repositories yet? It is absurd that people and companies have to verify that drivers and (basic) applications are clean. The problem is a problem that already has a proven solution: signed packages from a large repository. Signed to guard against tampering after the repository. Large, so that any foul play is discovered quickly. Heck, I'm sure that you could port apt+dpkg or

  • Right..... (Score:5, Insightful)

    by phantomfive (622387) on Saturday May 23 2009, @04:14PM (#28069645) Homepage Journal

    To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan

    And people say Linux is user unfriendly? I never use Windows to visit banking/credit card/money websites, and I advise all my friends to do the same.

      • Re:Right..... (Score:5, Insightful)

        by phantomfive (622387) on Saturday May 23 2009, @04:25PM (#28069755) Homepage Journal

        The only reason it's always that way is due to the fact it would be almost useless for an attacker to target linux ......

        It's not the only reason. The obvious counter-example is IIS vs Apache, where IIS has gotten owned more than Apache, despite Apache's vastly greater marketshare.

        Personally I'm looking forward to a world that is 30% OSX, 30% Linux, and 30% Windows. Not only will there be more software available for the OS of my choice, but also it will be harder for malware to spread. Look, in this case if the manufacturers hadn't been using Windows to download the drivers in the factory, the virus wouldn't have spread to the new computer. Monoculture is bad for many reasons.

        • Re: (Score:2, Insightful)

          It's not the only reason. The obvious counter-example is IIS vs Apache, where IIS has gotten owned more than Apache, despite Apache's vastly greater marketshare.

          Start with IIS 6 and that isn't really true anymore. It is widely accepted by those without a bias that IIS 6 is as good as equivalent Apache releases (when properly configured, of course).

          Do you really think having to write software on 3 different systems will result in less malware? Do you think companies will double the development staff to accommodate the differences in systems? I think a 33/33/33 split would make software companies have to support more variances, but probably not do any as well a

          • Re:Right..... (Score:5, Informative)

            by phantomfive (622387) on Saturday May 23 2009, @04:53PM (#28069941) Homepage Journal

            Start with IIS 6 and that isn't really true anymore. It is widely accepted by those without a bias that IIS 6 is as good as equivalent Apache releases (when properly configured, of course).

            That's irrelevant to the point I was making though, which is that popularity is not the only thing that matters where security is concerned.

            Do you really think having to write software on 3 different systems will result in less malware? Do you think companies will double the development staff to accommodate the differences in systems? I think a 33/33/33 split would make software companies have to support more variances, but probably not do any as well as they do now.

            This is an interesting point, but in the old days, software companies supported Commodore, Apple, IBM, Atari, etc. The reality of the situation is that for most big software companies, the number of programmers they have is only vaguely related to the income they generate from their software. A single programmer can write code that generates millions of dollars if you can get people to pay for it. So most companies are going to do a cost/benefit analysis: is it worth it to port my software to X system? If there are millions of users on that system, the answer is probably yes. Most major software already runs on both Macintosh and Windows, and OSX only has about 10% of the marketshare. I see no reason they wouldn't write for all three systems in many cases (although I admit I would be happy to leave Windows out, since it's relatively a pain to write for).

            do you really think a Windows user that has just "clicks thru" wouldn't do the same on Linux (or type sudo first or whatever the equivalent is on OSX)?

            This is a good question, and you are probably right, but the security model in OSX is a lot more clear, so it would be easier to teach users, "If you have to type in your password, something bad might happen!" On OSX application installation is just a matter of drag and drop, normally there is no need to type in your password, so if you do have to, then you really need to think about what you're doing.

          • Re:Right..... (Score:5, Insightful)

            by sphealey (2855) on Saturday May 23 2009, @04:56PM (#28069953)

            > Do you really think having to write software on 3 different
            > systems will result in less malware?

            Do you really think that monocrop agriculture could destroy an entire civilization? Oh wait...

            And when NASA attempted to build the ultimate fail-safe computer system for the Shuttle do you really think they wasted their money having 1 of the 5 CPUs built, designed, and programmed by an entirely separate organization than the primary contractor and prohibiting the two design groups from communicating with one another? Oh wait...

            sPh

      • I think attacks on Linux would increase and you're bound to get clowns who run their system as root all the time if given the chance.

        However, a huge chunk of the world runs their servers with Linux and open source alternatives. These sites include sites that hold credit card information so they would be obvious targets and their source code is available to all to find holes yet MS' offerings, like IIS, seem to have a higher ratio of problems.

        So in the end I don't think Linux would actually reach Window'
        • by hairyfeet (841228) <bassbeast1968&gmail,com> on Saturday May 23 2009, @05:33PM (#28070207)

          Uuuhhhhh....I really hate to burst your reality bubble there, bud, but there is a reason why all the Linux servers aren't getting pwned and the Windows desktops are. It is because they have these things called server admins and they are usually pretty damned smart. They are also really anal retentive when it comes to anything security related. With good reason, after all they are getting paid the big bucks to be. Meet Glenn. Say hi Glenn (I'm busy, go away) not a very social creature, Glenn is a Linux server admin. He spends most of his time on security websites and learning about the latest nasty when he isn't testing a new tweak on the test server to see if he can get an extra .05% performance under load. In his free time he enjoys black hat conferences, which his employer is happy to pay him to attend.

          Now we are going to meet an average Windows desktop user. Meet Velma. Say hi, Velma (Hi Y'all!). Isn't she sweet? Little Velma works at the local insurance agency. They love her there because she can take one look at a customer and without looking up a shred of paperwork say something like this "Hi Bob! How's your oldest girl? You know she's about ready to get her learner's permit so I've already looked up the most affordable coverage for her. Does she have really good grades? She can get an extra discount if she does" and so on. Little Velma is really good at generating sales. She is sweet and friendly and always knows your name and remembers all about your family. Everybody loves little Velma.

          /cue ominous music......But we here in the PC business have a nickname for little Velma, one that she don't know about but is well earned it is....the disaster area! Dum dum dum! That is because little Velma is the trusting kind of sort, and on a computer that equals danger. Let's watch as little Velma interacts with her friendly neighborhood PC repairman, a big but lovable biker looking chap known on the net as hairyfeet.../feet/Now Velma, we have talked about this. you shouldn't mess with email attachments, I don't care who they are from. And if it is a .zip that you have to put a password to open it is a virus and you shouldn't touch it! /Velma/ But my bff Kim sent me this! See there is her name and everything! I'm sure it will be safe! /feet/Velma look, it is an executable and NOT happy puppy pictures! Do NOT run that! /Velma/ Oh, you worry too much. My bff Kim wouldn't send me anything bad. (inputs password, runs .exe, porn popups start flooding the screen while the network gets pounded) ooops. /feet/ ....... [roflposters.com]

          And now you have seen an actual demonstration of why Linux is safe on servers. It is safe on servers because it is administered by guys like Glenn, say goodbye Glenn (I'm busy!) and does NOT have any Velma types mucking it up. Say goodbye Velma (Bye Y'all!). If you were to let Velma and all her friends loose on Linux, if they didn't break them immediately they would become spambots in no time. It is because the malware writers have already figured out how to use a sinister concept called social engineering to target Velma and her types VERY effectively. Glenn isn't very social (Bite Me!) and is a naturally cynical creature and therefore social engineering really isn't an effective tool on his type. This is why Linux can enjoy the freedom to operate on so many servers across America without the constant malware like poor Velma gets. Tune in next week when we meet Bob, the Windows network admin, also known as the "where the hell is the damned disk?" guy.

          • Re:Right..... (Score:5, Interesting)

            by JSG (82708) on Saturday May 23 2009, @06:24PM (#28070505) Homepage

            Mr hairyfeet - thank you for reminding me why I have been reading /. for the last GKHL.

            That is a beautifully pitched diatribe with a good measure of sarcasm and humour, mixed in with a few typographical conventions that I don't really understand but could make an educated guess at.

            However, there are an awful lot of Linux (and *BSD et al) systems that are being put in the hands of Tuxvelma. You see, like it or not we Linux admins are not the only folk who access these things or even (shock, horror) actually own them.

            My wife is not exactly the most technologically sharp person but she insists (after a bit of a demo) on FF for her browser.

            Also, after Vista went a bit wonky on her identical to mine laptop, she asked me to put whatever I was running on it. So (1 year) now (5 months) we (20 days) have another Gentoo user - belting!

            Incidentally I'm an MCSE as well (crap). Oh and an NCP and an LCP and a complete and utter nerd. I'm also an MD. Nerd or MD - I'm not sure which I prefer most.

            • Re: (Score:3, Insightful)

              Don't you worry, Linux user! I'm sure if the day comes that you manage to get Velma(I needed to move the machine, so I just yanked and now there are wires hanging out. Is that bad?) and all her little friends moved over from Windows I'm sure your friends at the Russian Business network will be able to design new and easy to use Linux viruses that Velma and all her friends can use to turn Linux into a virus laden hunk of malware.

              It is inevitable due to the fact of a strange phenomena that goes by the weird

  • Who watches the... (Score:5, Insightful)

    by yerktoader (413167) on Saturday May 23 2009, @04:14PM (#28069649) Homepage
    But trusting another computer depends on knowing it's clean of malware. I'd think it a better bet for Kaspersky to offer bootable thumb drives with a slim OS and their software, allowing users to scan any machine with a known good device.
  • Or... (Score:5, Informative)

    by Kythe (4779) on Saturday May 23 2009, @04:15PM (#28069661)

    You could always reformat the darned thing from scratch using a known-good version of whatever OS you're going to be using.

    Honestly, ever since Vista became the de-facto OS shipped with new computers, I've been doing that, anyway.

    • Re:Or... (Score:5, Insightful)

      by yerktoader (413167) on Saturday May 23 2009, @04:17PM (#28069681) Homepage
      You know, I always thought it would be a good idea to ship PCs without the OS loaded. If the end user had to set up the OS it would force them to learn the basics...But that's why I'm an ex-tech support asshole I guess.
      • I like that idea. Of course, I like it because I could charge those people to install their operating system for them at 60 bucks an hour.
  • by JK_Huysmans (1561025) on Saturday May 23 2009, @04:16PM (#28069667)
    Oh, how I love Kaspersky's constant press releases.

    "OMG Virus! Buy our product!"

    All they seem capable of for marketing is different stunts related to finding viruses in weird places. Come on. Seriously.
    • I'd be more alarmed if they gave equal press to sky-diving accidents or deep sea diving developments.
        • That would be alarming. Quite So. Unless they found a hard drive dropped by someone hoping to dispose of the data.
    • by Ilgaz (86384) on Saturday May 23 2009, @04:32PM (#28069789) Homepage

      As I don't use Windows, AV company security blogs tell me a lot about the security scene after I filter the PR.

      Also Kaspersky never says "buy our product", they don't need such stupid stunts. A person who buys one of those cheapo TW netbooks won't likely afford their product either. They say "a security product" without mentioning any brand while they have the right to advertise their own.

      Once upon a time, computer vendors (including Taiwanese) were decent enough to run a god damn antivirus (standard was 3 of them) before shipping the computer. I guess they are targeting old timers reminding them it is not the case anymore.

  • by TinBromide (921574) on Saturday May 23 2009, @04:17PM (#28069675)

    they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan.

    Just be sure to scan the thumb drive so you're not infecting it!

  • by Anonymous Coward on Saturday May 23 2009, @04:17PM (#28069685)

    I kind of figured that computer manufacturers had hard drive arrays to clone a pre-made installation. Pull each drive off the rack, put it in the computer, and make sure it boots, then box it.

    They're really installing drivers by having some schmuck walk around with a USB stick?

    • Re: (Score:3, Insightful)

      You're right about using drive images. However, when I was responsible for rolling out lease-return machines, we were re-imaging the systems from install CDs, rather than using "hard drive arrays." It's far easier to pop an auto-installing CD into the tray than it is to remove the hard drive, install it in an array, re-image it, then re-install it back into the PC.

      It's not a very painful process -- about all you had to do was click "Ok" after the imaging CD booted and asked you if you were sure you wan

  • by clang_jangle (975789) on Saturday May 23 2009, @04:20PM (#28069713)
    I'm so glad to see this innovative feature finally being boldly embraced by an OEM. Until now, it's been sheer drudgery, waiting the twelve minutes or so it takes to get a new Windows install infected just felt like forEVar!
  • Would somebody out there please explain why AutoRun was ever considered a Good Idea? I know that before I got rid of Windows and went Linux only, one of the first things I'd do on a new computer was disable it.
      • Re: (Score:3, Informative)

        AutoRun should bring up a prompt, asking if you want to run the software, and remind you that you shouldn't let it run unless you were expecting it and know what it's for. That way, if you have a thumb drive that's not supposed to have anything on it but some driver updates, and the AutoRun prompt shows up, you know something's wrong. It wouldn't be fool-proof, because there are always going to be people who click OK without understanding what's going on, but it probably would have stopped this from happe
        • Re:Remind me again (Score:5, Insightful)

          by dgatwood (11270) on Saturday May 23 2009, @05:26PM (#28070155) Journal

          No, AutoRun should not exist. You can't create a warning that scares people into clicking "no". If you try that, the first thing the customers do is call your support line asking why their copy of [Insert expensive software package here] contains a virus when it is really just set to automatically run their installer. Then, the only valid use of AutoRun becomes a black mark for software vendors and they stop using it, making it a completely useless technology.

          The only possible way to make AutoRun be usable without being a gaping security hole is to require that all AutoRun software be signed using a signing key distributed by the OS vendor. Unfortunately, that could be a slippery slope to requiring all apps be signed (at significant cost), which would be a giant step backwards for small software vendors, open source, etc. Such a security measure would also have to have been done from the very beginning to avoid the problem of existing apps causing panic attacks in end users.

          The only solution is to kill AutoRun completely. It should not exist. It has no good reason for existing. The only thing it really does is by its nature a security hole. Just shut it off already.

          • Re:Remind me again (Score:4, Informative)

            by cdrguru (88047) on Saturday May 23 2009, @06:29PM (#28070535) Homepage

            Autorun came from "put in the CD, the game starts." This was introduced before there was the possibility of recordable CD-R discs so it was utterly safe, until malware folks started producing CD-ROMs by the 1,000s.

            Extending it to USB devices is problematic. Anything that can be written to by a user can then be used to corrupt other machines, assuming that some users have blackness in their hearts. That pretty much means that for CDs it isn't safe anymore either.

          • Re:Remind me again (Score:4, Informative)

            by GF678 (1453005) on Saturday May 23 2009, @07:01PM (#28070669)

            The only solution is to kill AutoRun completely. It should not exist. It has no good reason for existing. The only thing it really does is by its nature a security hole. Just shut it off already.

            They have, in Windows 7.

            Despite what a lot of the morons in Slashdot think, Microsoft does listen to people's complaints.

            • Re: (Score:3, Insightful)

              Despite what a lot of the morons in Slashdot think, Microsoft does listen to people's complaints.

              Yeah, AutoRun and not showing the file extensions by default are two of the most stupid ideas Microsoft ever had, and they have a _lot_ of stupid ideas. Maybe they did listen to complaints, but it took them 15 years to do something about it. Both those features started with Windows 95.

              Personally, I'd prefer to do business with a company that doesn't take 15 years to fix its mistakes.

              • Re:Remind me again (Score:4, Informative)

                by GF678 (1453005) on Saturday May 23 2009, @11:38PM (#28072119)

                You're getting confused with Autoplay, they're not actually the same thing.

                Autoplay is what brings up the dialog box based on the contents of the media
                Autorun is the method by which the autorun.inf file on the media is executed automatically.

                You could normally disable autoplay easily, but autorun.inf files would still run. That doesn't happen anymore.
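The distinction drawn above matters for anyone checking removable media by hand: Autoplay is the dialog, Autorun is the autorun.inf file being acted on, and only certain directives in that file actually launch a program. The inspector below is an added example for this thread, not code from the comment or from Microsoft; it parses an autorun.inf leniently (case-insensitive keys, noise lines skipped, the way the Windows parser tolerates them) and reports which directives would execute code versus merely set an icon or label. The directive names (open, shellexecute, shell\<verb>\command, icon, label, action) are the documented autorun.inf keys; the two sample files are constructed.

```python
"""Triage an autorun.inf before trusting the media it came on (added example).

Reports every directive in the [autorun] section that makes Windows run a
program, as opposed to cosmetic directives such as icon= or label=. A vendor
driver stick that only sets an icon is very different from one that launches
setup.exe on insertion."""
import re

# Directives that launch a program when the media is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command= adds a context-menu verb that also runs a program.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Directives that only affect presentation and are harmless on their own.
COSMETIC_KEYS = ("icon", "label", "action", "usautoplay")


def parse_autorun_inf(text):
    """Parse autorun.inf text into {section: {key: value}} (all lower-cased keys).

    Deliberately lenient: whitespace around '=' is ignored, ';' comments and lines
    that are not key=value are skipped, so padding lines cannot hide a directive."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return [(key, value)] for every [autorun] directive that executes code."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def verdict(text):
    """'launches-code' if any execution directive is present, 'cosmetic-only' if
    the [autorun] section only sets presentation keys, 'no-autorun-section' if
    there is no [autorun] block at all."""
    if "autorun" not in parse_autorun_inf(text):
        return "no-autorun-section"
    return "launches-code" if launch_directives(text) else "cosmetic-only"


# Constructed samples, not taken from any real media.
VENDOR_ICON_ONLY = "[autorun]\r\nicon=drivers.ico\r\nlabel=Driver Update\r\n"
LAUNCHES_SETUP = (
    "[AutoRun]\r\n"
    "; a comment line, ignored by the parser\r\n"
    "Open = setup.exe\r\n"
    "shell\\open\\Command=setup.exe\r\n"
    "shell\\explore\\command=setup.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)

if __name__ == "__main__":
    for name, sample in (("icon-only", VENDOR_ICON_ONLY), ("setup", LAUNCHES_SETUP)):
        print(name, verdict(sample), launch_directives(sample))
```

Run against a mounted stick before anything on it is opened, this turns "does the Autoplay dialog look normal?" into a concrete question: does the file contain any directive that would execute? On Windows 7 and later the answer no longer matters for USB media, as the comment above notes, but the check still applies to optical discs and to older images being rebuilt.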

        • Re:Remind me again (Score:4, Informative)

          by hairyfeet (841228) <bassbeast1968&gmail,com> on Saturday May 23 2009, @06:04PM (#28070405)

          And as a PC repairman I can say that autorun isn't even in the top 5 of ways an average Windows machine that crosses my desk gets boned. Hell I wouldn't even put it in the top ten. Maybe somewhere in the top twenty. The number 1 2 and 3 are 1-Hot_Lesbos.mpg.exe 2-Lame_pop_song.mp3.exe 3-here are those pics I promised! ( unsolicited email attachment from friend with password protected zip file).

          Honestly the guy that put "do not show file extensions for known file types" as the default should have gotten a really good firing. That and the fact that on 95-XP if you choose to uncheck the "do not show file extensions" checkbox and hit rename, Explorer automatically will pick the ENTIRE file name, including the extension. Which means if you let them see the extension you end up with a bunch of files renamed with no file extension that the user then has no clue what to do with or how to open. That was just some really stupid UI design.

          Oh and for the PC repair guys out there that are having to wipe and reinstall Windows a lot, or like me build a lot of new XP machines, I would recommend Almeza Multiset [almeza.com] to make your life a whole lot easier. I have a lot of programs like Oxygen Office and Klite Mega Codec Pack that I give my customers so when they get the box they can just flip the switch and go. With Almeza I only have to install and configure a program once and Almeza will make a nice unattended install CD with whatever programs I choose set the way I want them, be it FF3 with ABP, OO.o, whatever. All I do is pick "install all" and go have a smoke and when I return she is ready to go. I am not connected with the company in any way, it is just the best $39.99 I've spent when it comes to having to work on Windows.

  • 3? (Score:5, Funny)

    by Anonymous Coward on Saturday May 23 2009, @04:38PM (#28069835)

    Autorun worm, Windows...that's only 2...where is the third malware item?

  • Obligatory... (Score:3, Informative)

    by npoczynek (1259228) on Saturday May 23 2009, @04:41PM (#28069863)
    Wouldn't have happened if they had ordered that netbook with Linux pre-installed!
  • Uh, what the... ? (Score:3, Interesting)

    by c (8461) <beauregardcp@gmail.com> on Saturday May 23 2009, @05:06PM (#28070023)

    "transferring that update to the new system, then running a full antivirus scan."

    I guess I've been out of the Microsoft ecosystem for a long, long time... is it now common practice to run AV scans in a probably compromised environment? Or are malware authors so lazy these days that they can't even bother to write code which breaks any installed AV software?

    c.

  • by Provocateur (133110) on Saturday May 23 2009, @05:17PM (#28070089) Homepage

    so I am returning mine. Why do THEY get all the good stuff?? You mean I have to go ONLINE and download this 'malware' myself?? And they get 3 out of the box!

    DON'T even THINK about making me pay for shipping the return!!

  • by billcopc (196330) <vrillco@yahoo.com> on Saturday May 23 2009, @05:29PM (#28070171) Homepage

    Kaspersky releases "news" article about their virus scanner saving the day, while casting doubt on all PC vendors. Solution: Buy our shit!

    I don't care whether it's malware, weapons of mass destruction, or kiddie porn. It's all baseless fear-mongering to push corporate or political influence, in the end it's all just money.

    What they of course fail to highlight is the fact that the solution is neither effective nor guaranteed to work. Kaspersky's scanner, like any scanner, cannot catch all malware, just like Bush couldn't (wouldn't?) catch OBL. Perhaps worse is the high rate of false positives, such as when your virus scanner mistakenly recognizes a Linux ISO as a boot sector virus, or your republican mistakenly recognizes a Linux hacker as an islamic terrorist. Bullshit all around!

  • by Animats (122034) on Saturday May 23 2009, @11:31PM (#28072069) Homepage

    Recall Alert
    U.S. Consumer Product Safety Commission
    Office of Information and Public Affairs
    Washington, DC 20207
    May 23, 2009
    Alert #09-993
    M&A Companion Touch
    The following product safety recall was voluntarily conducted by the firm in cooperation with the CPSC. Consumers should stop using the product immediately unless otherwise instructed.
    Name of Product: "Companion Touch" notebook computer
    Units: About 9,000
    Distributor: M&A

    Hazard: The laptop computer may have pre-installed hostile software (a "virus" or "worm") which could result in the unauthorized transmission of private user data, including bank account numbers and passwords, to a remote site.
    Incidents/Injuries: None reported.

    Remedy: Immediately stop using the device and return it to the point of sale for replacement. If bank account or credit card information has at any time been stored on the device, contact your bank and credit card providers to check for fraud and identity theft.

    If computer security is to be taken seriously, such actions are essential.