Malware Found On Brand-New Windows Netbook 250

An anonymous reader alerts us to an interesting development that Kaspersky Labs stumbled across. They purchased a new M&A Companion Touch netbook in order to test a new anti-virus product targeted at the netbook segment, and discovered three pieces of malware on the factory-sealed netbook. A little sleuthing turned up the likely infection scenario — at the factory, someone was updating Intel drivers using a USB flash drive that was infected with a variant of the AutoRun worm. "Installed along with the worm was a rootkit and a password stealer that harvests log-in credentials for online games such as World of Warcraft. ... To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan."
  • Heh. (Score:2, Informative)

    by MsGeek ( 162936 ) on Saturday May 23, 2009 @05:15PM (#28069653) Homepage Journal
  • Or... (Score:5, Informative)

    by Kythe ( 4779 ) on Saturday May 23, 2009 @05:15PM (#28069661)

    You could always reformat the darned thing from scratch using a known-good version of whatever OS you're going to be using.

    Honestly, ever since Vista became the de-facto OS shipped with new computers, I've been doing that, anyway.

  • Obligatory... (Score:3, Informative)

    by npoczynek ( 1259228 ) on Saturday May 23, 2009 @05:41PM (#28069863)
    Wouldn't have happened if they had ordered that netbook with Linux pre-installed!
  • Re:Remind me again (Score:3, Informative)

    by techno-vampire ( 666512 ) on Saturday May 23, 2009 @05:44PM (#28069879) Homepage
    AutoRun should bring up a prompt, asking if you want to run the software, and remind you that you shouldn't let it run unless you were expecting it and know what it's for. That way, if you have a thumb drive that's not supposed to have anything on it but some driver updates, and the AutoRun prompt shows up, you know something's wrong. It wouldn't be fool-proof, because there are always going to be people who click OK without understanding what's going on, but it probably would have stopped this from happening.
  • Re:Right..... (Score:5, Informative)

    by phantomfive ( 622387 ) on Saturday May 23, 2009 @05:53PM (#28069941) Journal

    Start with IIS 6 and that isn't really true anymore. It is widely accepted by those without a bias that IIS 6 is as good as equivalent Apache releases (when properly configured, of course).

    That's irrelevant to the point I was making though, which is that popularity is not the only thing that matters where security is concerned.

    Do you really think having to write software on 3 different systems will result in less malware? Do you think companies will double the development staff to accommodate the differences in systems? I think a 33/33/33 split would make software companies have to support more variances, but probably not do any as well as they do now.

    This is an interesting point, but in the old days, software companies supported Commodore, Apple, IBM, Atari, etc. The reality of the situation is that for most big software companies, the number of programmers they have is only vaguely related to the income they generate from their software. A single programmer can write code that generates millions of dollars if you can get people to pay for it. So most companies are going to do a cost/benefit analysis: is it worth it to port my software to X system? If there are millions of users on that system, the answer is probably yes. Most major software already runs on both Macintosh and Windows, and OSX only has about 10% of the marketshare. I see no reason they wouldn't write for all three systems in many cases (although I admit I would be happy to leave Windows out, since it's relatively a pain to write for).

    do you really think a Windows user that just "clicks thru" wouldn't do the same on Linux (or type sudo first or whatever the equivalent is on OSX)?

    This is a good question, and you are probably right, but the security model in OSX is a lot more clear, so it would be easier to teach users, "If you have to type in your password, something bad might happen!" On OSX application installation is just a matter of drag and drop, normally there is no need to type in your password, so if you do have to, then you really need to think about what you're doing.

  • Re:Pffft (Score:5, Informative)

    by Bigjeff5 ( 1143585 ) on Saturday May 23, 2009 @06:20PM (#28070099)

    First, the autorun worm was absurdly difficult to remove. The larger the organization the more likely it is to stick around.

    Second, have you ever built a corporate or OEM OS image before? Using a usb drive to install drivers is not only likely, it's practical.

    The way modern mass-images work is as follows: you have your technician machine, upon which you build the custom tools to incorporate into the image - this would be scripting software packages, customizing settings, etc. Then you have your build machine - this is a clean machine with a fresh OS install on it. You then customize that machine exactly the way you want it, installing custom packages, add all the drivers for all the machines in your product lineup (be sure to include a script to remove the unneeded drivers post-sysprep!), and reseal it to OEM spec with sysprep (which calls any necessary post-build scripts).

    Now, you test, test, test, and test to be sure it is good, and mass deploy it to all your hard drives that will be going into all your machines. Much of this does not have to be changed when new models are added, and with MS's newer tools a lot can simply be slipped in to the image itself without having to re-seal it. Very convenient. That also may be how this thing got in as well, who knows.

    The breakdown here was on the final step: apparently nobody scanned the test machine for viruses/malware before deploying the image. I'm surprised only a few netbooks were hit, unless the others just haven't noticed yet, heh.

  • Re:Ha ha. (Score:5, Informative)

    by Runaway1956 ( 1322357 ) on Saturday May 23, 2009 @06:29PM (#28070173) Homepage Journal

    Nor is it really news. The wife bought a Compaq some years ago. I cleaned it of malware, then in a few days, she complained of more. Did a "restore" from the restore partition. Malware restored itself along with the Windows OS. Imagine that....... OEMs are PAID to install crapware, and they are only too happy to accept the money.

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Saturday May 23, 2009 @07:04PM (#28070405)
    Comment removed based on user account deletion
  • Re:Remind me again (Score:4, Informative)

    by cdrguru ( 88047 ) on Saturday May 23, 2009 @07:29PM (#28070535) Homepage

    Autorun came from "put in the CD, the game starts." This was introduced before there was the possibility of recordable CD-R discs, so it was utterly safe, until malware folks started producing CD-ROMs by the 1,000s.

    Extending it to USB devices is problematic. Anything that can be written to by a user can then be used to corrupt other machines, assuming that some users have blackness in their hearts. That pretty much means that for CDs it isn't safe anymore either.

  • Re:Right..... (Score:5, Informative)

    by phantomfive ( 622387 ) on Saturday May 23, 2009 @07:31PM (#28070545) Journal
    You haven't thought this through. It's pretty well accepted that a monoculture is bad for computer security. If you would like to discuss the issue, then I suggest you inform yourself on the research and arguments in the topic, [ccianet.org] and then you will be much better informed to make an insightful comment. Then we can talk.
  • Re:Remind me again (Score:4, Informative)

    by GF678 ( 1453005 ) on Saturday May 23, 2009 @08:01PM (#28070669)

    The only solution is to kill AutoRun completely. It should not exist. It has no good reason for existing. The only thing it really does is by its nature a security hole. Just shut it off already.

    They have, in Windows 7.

    Despite what a lot of the morons in Slashdot think, Microsoft does listen to people's complaints.

  • by Anonymous Coward on Saturday May 23, 2009 @08:26PM (#28070793)

    In my experience, the majority of viruses are PEBKAC related, and usually caused by the dancing bunnies problem, which no OS maker can really fix unless the PC is locked down like a console.

    I have seen malware come on USB flash drives, but if a system is running a decent antivirus program, it usually will get caught before it has a chance to execute. However, running gpedit.msc and disabling autorun and autoplay completely is the best matter of course.

    IMHO, there are four main sources of malware:

    1: Machine is exposed on the Internet and hit by an active remote root attack.
    2: Dancingbunnies.wmv .exe (with a good amount of spaces between the .wmv and the .exe.)
    3: A hole in the Web browser or a plugin. This is why I highly recommend Firefox/Adblock/NoScript.
    4: autorun.inf tomfoolery on either a CD or removable media.

    #1 can be cleared up by a hardware firewall, or even the OS's firewall with no exceptions if on a laptop on public wireless. #3 can be mitigated by running the Web browser as a user in a VM. #4 can be disabled with registry entries and a profile entry (assuming a version of Windows where profiles work -- Vista Home and XP home, one will have to hit the Registry directly). Which leaves #2, and this is basically dealt with by user education.

  • Re:Remind me again (Score:2, Informative)

    by Anonymous Coward on Saturday May 23, 2009 @08:42PM (#28070885)

    Self inserts Fallout 3 disk into Win7 PC. Autorun brings up dialog box. Nope, still there.

  • Re:Obligatory... (Score:3, Informative)

    by AceofSpades19 ( 1107875 ) on Saturday May 23, 2009 @08:43PM (#28070893)
    I don't know of any Linux distro that has auto-run, so it's pretty unlikely that that would happen.
  • Re:Remind me again (Score:4, Informative)

    by GF678 ( 1453005 ) on Sunday May 24, 2009 @12:38AM (#28072119)

    You're getting confused with Autoplay; they're not actually the same thing.

    Autoplay is what brings up the dialog box based on the contents of the media.
    Autorun is the method by which the autorun.inf file on the media is executed automatically.

    You could normally disable autoplay easily, but autorun.inf files would still run. That doesn't happen anymore.
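As an added defender-side example (not code from the page or from any poster here), a small Python triage helper for two points raised above: the autorun.inf directives that actually launch a program (GF678's Autorun vs. Autoplay distinction) and the padded double-extension disguise from the Anonymous Coward's list (#2 and #4). The sample autorun.inf and the file listing are constructed; the directive names `open`, `shellexecute` and `shell\...\command` are real autorun.inf keys.

```python
import re
from typing import Dict, List

# autorun.inf directives that make Windows launch a program on insertion.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# A harmless-looking extension, a run of spaces, then a real executable
# extension, so the ".exe" is pushed out of view in a file listing.
DOUBLE_EXT_RE = re.compile(r"\.\w{2,4}\s{2,}\.(exe|scr|com|bat|cmd|pif|vbs)$",
                           re.IGNORECASE)

# Constructed sample autorun.inf, written to resemble a driver-update stick.
AUTORUN_SAMPLE = r"""
; constructed sample, not taken from any real worm
[autorun]
open=driver_update.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=driver_update.exe
"""
# Constructed directory listing of the same stick.
SAMPLE_FILES = ["autorun.inf", "driver_update.exe", "readme.txt",
                "Dancingbunnies.wmv      .exe"]


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value (INI-style, ';' comments)."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> List[str]:
    """List every directive that would run code when the media is inserted."""
    return [f"{key}={value}" for key, value in parse_autorun(text).items()
            if key in EXEC_KEYS or SHELL_CMD_RE.match(key)]


def suspicious_filenames(names: List[str]) -> List[str]:
    """Return file names using the padded double-extension disguise."""
    return [name for name in names if DOUBLE_EXT_RE.search(name)]
```

Run `autorun_findings(AUTORUN_SAMPLE)` and `suspicious_filenames(SAMPLE_FILES)` against a mounted stick's autorun.inf and directory listing to get the two lists; an empty result from both is what a clean driver-update stick should produce.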
