Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Bug Toys Worms

Walmart Photo Keychain Comes Preloaded With Malware 224

Blowit writes "With the Christmas holidays just past and opening up your electronic presents may get you all excited, but not for a selected lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus is on the device. I scanned the one I have and AVAST did not find any virus ... So I went to Virscan.org to see which vendors found what, and the results are here and here." Update: 12/29 05:44 GMT by T : The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.
This discussion has been archived. No new comments can be posted.

Walmart Photo Keychain Comes Preloaded With Malware

Comments Filter:
  • Disassembled? (Score:5, Insightful)

    by Anonymous Coward on Sunday December 28, 2008 @11:49PM (#26254821)

    No one has disassembled the binary yet to see what it does? Does it call SetWindowsHookEx or something?

  • by Zymergy ( 803632 ) * on Sunday December 28, 2008 @11:55PM (#26254857)
    I have read about Sony adding Malware (and Rootkits) to their consumer USB removable devices before...

    I also wonder if these files "DPFMate.exe" and "FEnCodeUnicode.dll" are something someone post-production put on the devices or if these files are some intended application?
    Never using a digital photo frame before, I assume one simply copies image files into a mounted USB attached drive letter folder? (similar to how USB drives mount as a removable drive letter folder in Windows)
    • by blueg3 ( 192743 )

      Malware, no. Rootkits, yes.

      • by Opportunist ( 166417 ) on Monday December 29, 2008 @01:48AM (#26255435)

        Care to explain how a rootkit could be considered anything but malware?

        If they do nothing else, they compromise the security of a system.

        • by Lord_Sintra ( 923866 ) on Monday December 29, 2008 @05:02AM (#26256117)
          Technically, kernel level debuggers can be classified as rootkits, as they use rootkit techniques to gain the level of access they need to be able to work.
          • Ok, if you really want to get technical, yes. But kernel level debuggers are usually far easier to get rid off than the average rootkit out there. :)

            • Re: (Score:3, Insightful)

              by Cowmonaut ( 989226 )
              Not particularly actually. They'll still leave traces usually, just like most malicious rootkits. In any event the original/old definition of malware just being any malicious software isn't strictly true anymore. In most cases I find most people seem to classify "bad things" as either virus, spyware, malware, or now rootkit. I should not I see this from the semi-technoliterate initially and then the AV vendor types seem to start using the same 'definitions' to describe the "bad things" a PC can get, add
        • by Briareos ( 21163 ) *

          Care to explain how a rootkit could be considered anything but malware?

          Well, this one [winability.com] is considered "security software" by the manufacturer. Then again - we all know how much security by obscurity helps... (hook up the drive to another machine, anyone?)

          np: Tocotronic - Letztes Jahr Im Sommer (7''-Version, 1994) (Digital Ist Besser)

  • Old news (Score:4, Informative)

    by Afforess ( 1310263 ) <afforess@gmail.com> on Sunday December 28, 2008 @11:56PM (#26254859) Journal
    This is old news. It has happened before. Case and Point. [foxnews.com]
    • Re: (Score:2, Insightful)

      by wdsci ( 1204512 )
      Sure, but as long as it's up on /. I'm sure people who have one of these things will appreciate the warning. Just my opinion, but it's not all that bad to repeat similar stories every once in a while if it's the kind of thing that people are likely to get complacent about and/or forget about.
      • You're making the mistake of assuming people actually read the stuff that gets posted here, rather than just blindly posting whatever they feel like, and hoping that it has some relevance to the topic at hand....

    • Packer (Score:5, Informative)

      by micksam7 ( 1026240 ) * on Monday December 29, 2008 @12:21AM (#26254993)

      It's not a virus, it's just a exe packer they used.

      Virus scanners have been labeling PE Packers as viruses for ages now, simply because a virus could be packed with them, and it's easier to pick out a packer header than a virus contained in it.

      A lot of false positives are caused by this, and this looks like one of those cases based on what you linked. "Generic" "NSPack" "PossibleThreat" in the VirSCAN links give that away.

      EXE/PE Packers simply compress a binary and decompress it on the fly, simply to save space or "load faster". Likely Walmart's programmers used one to keep the app's size small on a small device like that.

      I've dealt with this situation in size-coding competitions before, and it's not fun. A lot of false positives are caused simply because a packer was used.

      Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

      This basically is just a case of virus scan companies being lazy.

      • Re: (Score:3, Informative)

        by micksam7 ( 1026240 ) *

        those cases based on what you linked
        -> those cases based on what the summary linked.

        Slight target issue, appologies.

      • Re:Packer (Score:5, Insightful)

        by poetmatt ( 793785 ) on Monday December 29, 2008 @12:28AM (#26255033) Journal

        I suppose it's no surprise then that Trend Micro (and likely Mcafee) went berserk while Avast did not? Although I think we had that controversy with the "clamAV vs Mcafee" virus scanning thing a year or two back.

        • Re: (Score:3, Informative)

          by Thaelon ( 250687 )

          Well, of course. If they didn't occasionally remind you of their existence, you might start to think you don't need them.

          I haven't used a TSR virus scanner for years.

          Through adequate user precautions, they're completely unnecessary.

          With just a few simple precautions, even in Windows, you shouldn't need one either:

          • Use Firefox exclusively - updating it when necessary.
          • Use Thunderbird instead of Outlook Express
          • Use only your own bookmarks to visit your bank's website and other popular sites.
          • Run all remotely su
          • Forgive my stupidity but what does TSR stand for?

            With windows, that's basically what I did and never installed an antivirus or ever had problems with it. If the free scans found anything, then I'd take action.

            However, I'd always end up after 3-6 months of an XP install that critical system files would somehow get corrupted and the filesystem would fragment rapidly. I never knew how to get around that, so I've just been running ubuntu anyway, which has been generally nicer regardless.

      • Re: (Score:2, Informative)

        by blueg3 ( 192743 )

        Fortunately, some of the better virus scaners actually unpack the software before checking it, or look for valid virus signatures instead of a simple Packer.

        Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

        • Re:Packer (Score:4, Interesting)

          by Opportunist ( 166417 ) on Monday December 29, 2008 @01:58AM (#26255461)

          Interesting. What packer would that be?

        • Re:Packer (Score:4, Insightful)

          by BikeHelmet ( 1437881 ) on Monday December 29, 2008 @06:03AM (#26256367) Journal

          Unfortunately, advanced packers can detect this and can unpack differently if they are being unpacked by a virus scanner. Part of the point of using a packer for a virus is its ability to disguise the signature, so looking for a signature without unpacking is pointless.

          If the virus can detect the antivirus, then your antivirus fails at sandboxing.

      • Re:Packer (Score:4, Interesting)

        by ianare ( 1132971 ) on Monday December 29, 2008 @12:46AM (#26255139)
        I've had cases where executables created with py2exe were triggering virus scanners. A few users reported this to the virus scanning companies, and the problem went away the next time the virus databases were updated.
      • Re:Packer (Score:5, Insightful)

        by Opportunist ( 166417 ) on Monday December 29, 2008 @01:52AM (#26255449)

        Erh... not entirely true.

        Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

        Most AV suits today are able to unpack those runtime packers. I know of a suit that even sandboxes the program and executes it in a virtual machine to see if it results in some unpacked code.

        Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in ram, eating up space needlessly, so I stopped using them. Ram is precious, HD space isn't.

        • Re:Packer (Score:4, Insightful)

          by Xtense ( 1075847 ) <xtense.o2@pl> on Monday December 29, 2008 @04:35AM (#26256033) Homepage

          > Ram is precious, HD space isn't.

          Speed is precious too. Executable packers make sense when your .exe is something like 40MB, because your stupid project manager forced you to include a bunch of idiotic resources into it, something along the lines of bitmaps and uncompressed wave files (true story!). It may sound funny, but with current run-of-the-mill consumer CPUs it is actually faster to read a small file from the HD and uncompress a resource than to wait for the whole executable to load all this bloat. Still, we're talking about a speed difference of around 300-400ms (yes, i took these out from my ass, but those were results of our crappy testbed), so it's not something a typical consumer would notice, although pretty numbers are a good thing when your boss doesn't know shit about computers.

          • Re: (Score:2, Informative)

            by happy_place ( 632005 )
            ...and not just an HD, but smaller exes are also faster sent over a network, or over an I/O bus like a USB device...
        • Re: (Score:3, Interesting)

          by owlstead ( 636356 )

          Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

          No, that's so previous century. I can remember the same issue with virus scanners in the DOS era, where unpacking may have actually saved some space on floppies and hard disks. With a friend, we had a warning about a virus in many .exe's using a heuristic scan, which turned out to be a popular unpacker. To put this in perspective, this was on a 25 MHz 386 DX, 1 MB internal RAM and a 40 MB hard drive - which cost me my entire holiday savings and then some.

          As a funny side note, some DOS utilities like format

          • Re: (Score:3, Funny)

            by Opportunist ( 166417 )

            What I meant is that hiding trojans behind executable packers is quite 2006'y. They don't really do that anymore, or at least more out of habit rather than actually hoping it would accomplish anything, since most of the better AV suits can unwrap even the most esotheric exepackers by now.

            That's the burden of the AV writer. Whenever you want to lean back because you finally accomplished something (like, say, implementing an unpacker for every packer out there), they change the playfield and all you did was f

        • by jandrese ( 485 )
          Depends where you are. If you're on a digital photo frame that has a hilariously small amount of flash for no good reason, and you're expected to be hooked into a Windows PC, then the hard drive space IS more valuable than the memory, because most modern PCs have more than enough memory to hold a few MB of packed and unpacked picture loader application.
          • Re: (Score:3, Informative)

            by nabsltd ( 1313397 )

            I bought my wife a digital photo frame with no flash memory because it was cheaper.

            It did have an SD slot, though, and I had to buy the card, but that still ended up cheaper, and that way it can display as many pictures as she wants...it's just limited to 2GB at a time (no SDHC).

            It's also a whole lot easier, as she keeps the frame at work, and every so often swaps SD cards when she wants new (or different) pictures.

        • by Sleepy ( 4551 )

          Exepackers do NOT save you space, though! If anything, they're a memory bloat because more often than not you have the packed and the unpacked version of the program in ram, eating up space needlessly, so I stopped using them. Ram is precious, HD space isn't.

          +1 on what the other person replying said.

          Your statement IS accurate if you are comparing helloworld.exe or some other vanilla EXE file... but if you embed lots of resources into the executable then it gets to be a big-time large file. In an ideal world

    • Re:Old news (Score:4, Insightful)

      by lysergic.acid ( 845423 ) on Monday December 29, 2008 @12:28AM (#26255037) Homepage

      if it's already known to be such a problem, then why does Microsoft continue to enable autoplay by default in Windows? it's annoying enough to have autoplay applications pop up on the screen every time you insert a CD, but with USB flash drives it's just plain reckless.

      USB storage devices are today's floppy disks. people use them to move files between computers, and a single device may get plugged into dozens of computers. so a lot of trojans/malware now detect when a removable drive is connected to the computer and automatically infect the drive and create an autorun.inf file so that the next computer that the thumbdrive/digital camera/iPod/PSP/etc. gets connected to will be infected as well.

      yet most Windows users seem completely oblivious to this danger. and with the proliferation of USB storage devices this problem will just get worst. at the very least users should be prompted before executing an autoplay program.

      • Re:Old news (Score:4, Informative)

        by blueg3 ( 192743 ) on Monday December 29, 2008 @12:35AM (#26255075)

        USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is. This is how the U3 devices work, which present both a "CD" and a USB disk. The operating system can't really enforce policies on how USB devices present themselves to the system.

        Also, my Vista machine, by default, does not actually run the AutoPlay executable without user confirmation.

        • Re:Old news (Score:5, Informative)

          by lysergic.acid ( 845423 ) on Monday December 29, 2008 @01:16AM (#26255295) Homepage

          USB devices certainly are eligible for autoplay, they just prompt the user when the device is first connected by default. however, an autorun.inf file can still change the default action for that drive, so that when the user double clicks on the volume in My Computer, it will run the autplay program rather than open up the drive for browsing. and in that situation the user gets no warning.

          and i'm not sure what U3 is, but i know that if a removable drive has a partition formated with CDFS, Windows will assume that it's a copy-protected CD and will allow autoplay without the user's consent regardless of your autoplay settings. i think this can be done with any USB drive, which in a way makes disabling autoplay or prompting the user useless. just one more way consumers get screwed by DRM i guess.

          • Re: (Score:3, Informative)

            by Pentium100 ( 1240090 )

            REGEDIT4

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf]
            @="@SYS:Does_Not_Exist"

            This takes care of autorun.inf once and for all, you can even keep AutoPlay if you want it.

        • Re: (Score:3, Informative)

          by Pentium100 ( 1240090 )

          USB storage devices aren't actually eligible for AutoPlay. However, if the device presents itself as if it were, say, a CD-ROM, it is.

          If the autorun.inf file is like this:

          [autorun]
          open=autorun.exe
          shell=explore
          Shell\open=&Open
          Shell\open\Command=autorun.exe
          Shell\explore=&Explore
          Shell\explore\Command=autorun.exe

          then autorun.exe will be executed when user doubleclicks on their USB device in "My Computer". If you don't believe me - try it out...

          I think this will not work on Vista or if autorun.inf reading is disabled, but it will work on XP even if AutoPlay is disabled using group policy editor.

      • That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it. I don't want autolaunch. I've never wanted it. I never will want it. And yet, I'm stuck with it for all eternity on every Windows machine I will ever use.

        • Re: (Score:3, Informative)

          by gparent ( 1242548 )

          That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it.

          There's a registry hack on google.

          • Re: (Score:3, Informative)

            by jackharrer ( 972403 )

            Disable service called Shell Detection something. That will switch off Autoplay for everything globally. Easiest solution and saves you memory and load time.

        • by MitchAmes ( 1080977 ) on Monday December 29, 2008 @03:39AM (#26255831)
          For Windows XP, SP2 ... Tweak UI allows disabling of AutoPlay either by device type (eg CD) or drive letter, and the setting is stored in the user registery under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], but Tweak UI only shows the settings if the user is an Administrator. However according to Microsoft's TechNet web-site, the NoDriveTypeAutoRun setting in HKCU is ignored if there is a corresponding entry in HKLM, so to disable AutoPlay on all drive types for all users: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff If AutoPlay is enabled, actions per content type can be set per user by right-clicking the drive in Explorer, then selecting the AutoPlay tab. The options are stored in [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers]. The default (which is to prompt the user) can be restored by deleting the entries. Note that there doesn't appear to be an option for "data only". So far as I know, if AutoPlay is enabled (which it is by default), you can't disable AutoRun.inf. However, if the user is not an administrator, Explorer will prompt for an Administrator logon before doing anything.
          • by BikeHelmet ( 1437881 ) on Monday December 29, 2008 @06:26AM (#26256453) Journal

            If you're really worried, you should disable it at the driver level rather than the explorer policy level.

            For Win2k/XP (maybe Vista), open up regedit and find this key:

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

            REG_DWORD "Autorun" - set it to 0
            Note: Must be logged on as an admin.

            This disables autorun at the driver level, rather than explorer policy level. It may take a reboot to take effect. It should disable all autorun handlers/hooks, effectively turning drives into regular folders. (they just "open")

            Autorun.inf files will not automatically run or prompt you to run - actually, on my Win2k box, the right-click autorun option completely vanished!

            Note: It doesn't seem to "spin-up" CDs anymore on my computer, until I go into My Computer. It gives it a nasty delay loading that folder, but I figure this is a good thing. It means it isn't accessing the CD or device at all until I tell it to.

            Such is the price of security, I suppose!

            • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

              That looks like it may only disable autoplay for CD/DVD drives. Does it also work for USB drives?

        • Re: (Score:2, Informative)

          by BikeHelmet ( 1437881 )

          Ahh, a fellow autoplay hater!

          http://it.slashdot.org/comments.pl?sid=1074953&cid=26256453 [slashdot.org]
          ^
          My post on how to disable it in the driver. Haven't tested it on Vista, since I don't have Vista.

          It's pretty reliably disabled on Win2k/XP, though. ;)

        • That is indeed one of the stupidest features ever put in Windows, and there is no reliable way to disable it. I don't want autolaunch. I've never wanted it.

          • Run gpedit.msc
          • Computer Configuration
          • Administrative Templates
          • System
          • Turn off Autoplay

          Most Windows machines are poorly configured, but the options to tune its behavior usually exist.

      • Because of stupid users who're unable to open an Explorer and run programs. They want to slip in their CD and they want their game or program to start without having to worry about the system. I know at least two people who start their programs by opening and closing the CD try with the relevant CD inside. I know that because I routinely go there twice a month to harvest a sample of the latest trojans running rampart...

      • Vista provides you with an Autoplay menu rather than just playing the thing, even if autorun.inf is present - if you don't want it to pop ever again, you can hit 'Do nothing' and 'Never ask me again'.

        • Not for everything, I've had to use restore twice because it auto-played that stupid player on some dvd's and scrambled my ability to watch a dvd with any other program (sometimes windows built in crap worked, but that's it).
              This is on vista64 ultimate.

          Mycroft
          • On Vista, for just the current user when the auto play options pop up there's an 'advanced options' (or similar, I forget the exact wording) link at the bottom, or you can just go to:

            Control Panel -> AutoPlay.

            Disable 'Use Autoplay for all media and devices' right at the top and you're done. (If your paranoid like me you can then also set all the options to 'Take no action')

            To enforce this globally for all users as an admin (XP also AFAIK):

            start - run - type 'gpedit.msc' (hit enter, vista requires elevati

      • Comment removed based on user account deletion
        • Re:Old news (Score:4, Insightful)

          by TCM ( 130219 ) on Monday December 29, 2008 @05:08AM (#26256129)

          I think that's _exactly_ the wrong way to go about this.

          "Here, in order to stop your OS from doing stupid things that get you infected, download this FREE utility from an obscure site that's too hip to spell '4' as 'for'. It's harmless, I PROMISE!"

          That's the other kind of attack vector that ends people in trouble with their machines.

          And reading the other post above suggesting different obscure registry settings: EXCUSE ME, this is 2009 (almost), I thought we were _advancing_ on usability. This is just sick.

  • by plover ( 150551 ) * on Sunday December 28, 2008 @11:56PM (#26254861) Homepage Journal

    Write them a letter telling them what you found. Try this link http://walmartstores.com/contactus/feedback.aspx [walmartstores.com] to get to their headquarters, where something might get done about it. Include enough technical detail for them to replicate the problem, especially the model number or any other identifying information from the package.

    If you want someone to care enough to write back, try to not sound accusatory or threaten to sue them. I'm sure they get enough of that on a daily basis.

    • Re: (Score:3, Interesting)

      by Mashiki ( 184564 )

      This looks more like a false positive then anything, but unless Blowit actually submitted these files to all the antivirus vendors or went through one of the folks in the industry to fast-track it for checking there's no way to tell. There's a few places where this can be done(dslreports being my favorite), and send it off to the lab and see if it's a false positive or not and get an update pushed.

      There's been innumerable cases in the past where files have been marked as virus/trojans due to similar encodi

      • Yep, if the executable is packed with a couple of the more popular tools then youre bound to get a false positive.

        You dont really need to submit this stuff to the pros. Install it on a vm and just see whats changed. If suddenly the startup entries have changed, files are running from temp, lots of outgoing tcp connections are made to russian/chinese servers, etc its probably safe to assume that this isnt just the digital frame software, but a virus.

      • by plover ( 150551 ) *

        I agree with you that it's almost certainly a false positive (I also saw the only "specific" virus signatures reported weren't found by the major products, but visiting their web sites showed that they indeed knew about the specific viruses the others reported.) However, it would still be of value to contact the retailer and let them know what he found. If nothing else, they need to be able to reassure their other customers that they've researched the problem and found that it's a mistake in the anti-vir

  • false positives? (Score:5, Informative)

    by Anonymous Coward on Sunday December 28, 2008 @11:59PM (#26254883)

    Looks to me like they used some kind of packer to make the exe's small to not take up a lot of space on the device (understandably). A lot of scanners will automatically detect packing as malware and, due to the nature of how a packer works, trojan is the logical choice. I have a similar problem with anything I compile with delphi since a lot of malware is developed in delphi.

    My 2 cents worth...

  • by lysergic.acid ( 845423 ) on Monday December 29, 2008 @12:02AM (#26254899) Homepage

    this time it seems like it was the vendor's screwup, which is very rare, but it's very easy for someone to have a clean USB stick, then plug it into an infected PC and unknowingly get a trojan written to the USB stick.

    i recently had close call myself when i took my PSP to work and plugged it into a workstation (i had some utilities and e-books saved on the memory stick). when i got home and plugged the PSP into my desktop, i noticed the PSP memory stick was displayed with an odd icon in My Computer. so i looked at the root directory and found a suspicious .exe file that i hadn't placed there, which was also referenced by a new autorun.inf file.

    with thumbdrives, external hard drives, portable media players, and other flash memory devices becoming increasingly common, i expect more and more malware writers will exploit them as an infection vector, especially as autoplay is usually enabled by default on Windows systems. the only reason i had autoplay disabled was because i found it annoying, and that's the only reason i lucked out.

    • by Beardo the Bearded ( 321478 ) on Monday December 29, 2008 @12:35AM (#26255077)

      Funnily enough, there's a rumour going around that USB sticks were used to hack into the Pentagon:

      http://catless.ncl.ac.uk/Risks/25.47.html#subj5 [ncl.ac.uk]

      From the link:
      If true, it was a simple but brilliantly effective method. Someone infected thumb drives with the WORM then dropped them around the Pentagon parking lot. The employees, picked them up, took them into their offices and plugged them into their office computers to determine the owner of the drive.

      • Funnily enough, there's a rumour going around that USB sticks were used to hack into the Pentagon:

        I saw that in RISKS when it first came out and I'm surprised it hasn't been disputed yet. The reasons being that

        (a) Dropping a bunch of infected media in the parking lot of the target is an old urban legend / joke among security pros

        (b) The "hack" being referenced was of classified systems - and most secure sites disable the USB ports (and other media loaders like floppies and DVD drives) on all but a handful of reduced access machines plus their security officers should be beating their users over the hea

        • Re: (Score:3, Insightful)

          That's frankly nonsense about disabling USB ports. The military uses USB sticks extensively to transmit bulky data in the field relatively securely, without relying on vulnerable network connectivity or complex intervening VPN or unreliable transfer technologies. And far too many peripheral devices, from mice to graphics plotters to speakers, are now USB, so you can't simply plug that port or disable them in the BIOS.

          More sophisticated tools to block digital storage on removable media are available, but the

          • That's frankly nonsense about disabling USB ports. The military uses USB sticks extensively to transmit bulky data in the field relatively securely, without relying on vulnerable network connectivity or complex intervening VPN or unreliable transfer technologies. And far too many peripheral devices, from mice to graphics plotters to speakers, are now USB, so you can't simply plug that port or disable them in the BIOS.

            I speak from personal experience. The sites I am familiar with software disable USB ports on all systems except a select few which are specifically designated as data transfer workstations. Furthermore, mice and keyboards are still widely available with PS/2 ports on them and almost all other peripherals are unnecessary on the majority of systems, specific needs are handled on a case by case basis.

            • I also speak from personal experience. I've had to deal with plenty of people buying servers, desktops, and laptops machines in the last.... 4 years whose favorite old PS/2 devices required USB adapters to be connected, and whose use of good quality mice, modern keyboards, KVM's or reverse KVM's, and graphics tablets worked only or worked best with the built-in USB. Insisting that USB be disabled for security reasons is like forbidding floppy drives for security reasons. It creates a lot of work for the IT

              • Servers really are not an issue since the people who need media access on them will have the privileges to do it anyway,
                You seem to be ignoring my oft repeated point that specific needs are handled on a case by case basis.

                However, ain't no way I believe this though -- "to find that the group tended to use their Ipods to listen to music on their good headphones through their computers, which had been an accepted use for years." Not even the sloppiest of sites is going to allow users to connect unclassified

                • That wasn't a military site, that was a laboratory site with intellectual property they were concerned about. There was a significant loss of productivity without the music for the personnel doing the work.

                  And don't be surprised at how people in the field, or even in the offices of the Pentagon, ignore upstream mandated security policies. I'm sure it's less of a problem in some ways in the military because chains of command are clearer, and enforcement easier, but don't assume that all Pentagon systems are

    • Re: (Score:3, Informative)

      Viruses exploiting the AutoPlay is nothing new and going wild. The other day I went to a printing shop with stuff I was going to print stored on a USB stick. I plugged it in the Windows box at the shop and it got infected. Three "folder" icons appeared in the Windows file manager but they were not directories -- they were trojan executables with the icons identical to the default one for directories. They all ended in .exe but the Windows file manager hid the extension part of filename by default so a carel

  • inconclusive... (Score:4, Insightful)

    by retchdog ( 1319261 ) on Monday December 29, 2008 @12:03AM (#26254905) Journal

    According to those links you provided, Trend Micro did not find anything wrong. (could be different settings, version, &c.) However... many of the positives were heuristic and, as further evidence of this, the identifications were not consistent.

    Maybe it's just badly coded junk; nearly as bad, perhaps, but exactly what you'd expect from the Wal*Mart holiday special.

    (insert obligatory comment about slashdot editors)

  • by arth1 ( 260657 ) on Monday December 29, 2008 @12:04AM (#26254909) Homepage Journal

    Keep in mind that it might be a false positive. Those happen, and sometimes you find the same false positive in more than one AV product when they simply copy from each other instead of creating their own definitions from the real thing.

    An example is the game The Witcher, which triggered a false AV protection in ESET Nod32 antivirus. Then, suddenly, a couple of months later, a couple of other products also started seeing a virus here. There was none -- the packer that had been used by the game had also been used for a virus, and the signature was copied from NOD32 to some less successful AV programs without further ado.

    So, don't just take it on face value that there is a virus -- especially not when none of the really big players with low false positive rates can detect it. It may be one, but don't blindly assume so.

  • And let's see.. (Score:3, Insightful)

    by Anonymous Coward on Monday December 29, 2008 @12:07AM (#26254925)

    Hmm... I see a bunch of AV's that are prone to give false positives give positives, while F-Secure, Kaspersky, Antivir, AVG, McAffee don't give anything off, Gee, could it possibly be that it's a false positive? [Hurr]OH I DUNNO[/Durr]

    For those sarcastically challenged.

    Yes, it's to 99.99% sure it's a false positive.

  • by fortapocalypse ( 1231686 ) on Monday December 29, 2008 @12:36AM (#26255079)
    And Walmart employees also cough on the their real photos. Double virus score!
  • Sigh, still no cross-platform support for Malware!
  • by OrangeTide ( 124937 ) on Monday December 29, 2008 @12:56AM (#26255197) Homepage Journal

    You think they buy virus scanner software in a Chinese factory? No, these guys cut every corner they can to meet those razor thin profit margins.

  • by jimicus ( 737525 ) on Monday December 29, 2008 @04:19AM (#26255977)

    I note that virtually none of the major commercial scanners found anything.

    I have trouble believing there's any significant malware that is generally known to the AV industry but is not detected by any of McAfee, Sophos, Symantec or Kaspersky. Particularly when the industry depends so heavily on scaring people into believing they are likely to become infected.

    • Re: (Score:3, Funny)

      I have trouble believing there's any significant malware that is generally known to the AV industry

      You must be joking, they know about all the viruses, they write them.
  • There is simply NO EXCUSE for delivering a product infected with a virus. This is just plain sloppy on the part of the manufacturers.

    Besides, I always thought those photo frames were a bit silly, anyway.

  • 2 for 1 (Score:2, Funny)

    by Storydor ( 1169983 )
    It's just another 2 for 1 offer!
  • by AYeomans ( 322504 ) <ajv.yeomans@org@uk> on Monday December 29, 2008 @03:58PM (#26261495)
    Here [virscan.org] is the virscan.org scan of the DPFmate.exe file on a similar photo keyring. This scans almost clean, with the only warning being "Suspicious - DNAscan" from QuickHeal.
    All sounds to me that the Walmart photo frame may be truly infected. Interesting to see if a re-scan gives the same results, after AV signature updates.
    To identify my photo frame, it has USB vendor code 1908:1320, and gives dmesg output as

    [ 1615.074173] scsi 2:0:0:0: CD-ROM buildwin Photo Frame 1.01 PQ: 0 ANSI: 2
    [ 1615.131784] sr1: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
    [ 1615.132336] sr 2:0:0:0: Attached scsi CD-ROM sr1
    [ 1615.132793] sr 2:0:0:0: Attached scsi generic sg2 type 5
    [ 1618.229611] ISO 9660 Extensions: Microsoft Joliet Level 3
    [ 1618.243632] ISOFS: changing to secondary root

    and has files on it

    -r-xr-xr-x 1 a root 49 2007-12-13 17:07 Autorun.inf
    -r-xr-xr-x 1 a root 135904 2008-07-25 11:46 DPFMate.exe
    -r-xr-xr-x 1 a root 1344 2008-05-19 18:53 flashlib.dat
    -r-xr-xr-x 1 a root 22044 2008-07-23 16:15 LanguageUnicode.ini
    -r-xr-xr-x 1 a root 96281 2008-06-11 16:29 MacDPFmate.zip
    -r-xr-xr-x 1 a root 758 2008-07-07 12:21 StartInfoUnicode.ini

    Hey, I always stick odd USB devices into Linux first to check them out.
    For background info, this photo frame does nothing when first connected. You can set it to "transfer" mode, at which point it emulates a USB CD-ROM of 304 Kbyte size. That CD image tries to autorun the DPFmate software to compress and transfer images to the device. The photos are *not* visible on the device through normal access, must have transferred them to a hidden area. I'd be interested if anyone has more info on the USB protocols used.

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...