Malware Found On Brand-New Windows Netbook

An anonymous reader alerts us to an interesting development that Kaspersky Labs stumbled across. They purchased a new M&A Companion Touch netbook in order to test a new anti-virus product targeted at the netbook segment, and discovered three pieces of malware on the factory-sealed netbook. A little sleuthing turned up the likely infection scenario — at the factory, someone was updating Intel drivers using a USB flash drive that was infected with a variant of the AutoRun worm. "Installed along with the worm was a rootkit and a password stealer that harvests log-in credentials for online games such as World of Warcraft. ... To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan."

Ha ha.

[yourassOA]

Doesn't seem like an accident.

Re:

[Z00L00K]

And why is it that all machines comes pre-installed?

If they weren't then this problem with malware on preinstalled machines would have been less spread.

Re:

[spywhere]

Yeah. Also, how come every time I buy batteries, they aren't included?

Re:

[The Grim Reefer2]

Yeah. Also, how come every time I buy batteries, they aren't included?

Stephen Wright, is that you?

Re:Ha ha.

[SanityInAnarchy]

Yeah, because if they weren't pre-installed, the OS DVD would be so much safer...

Right...

If the manufacturer is compromised, you're boned either way.

Re:

[Anonymous Coward]

I'd hate to find windows on a brand-new malware netbook.

Re:Ha ha.

[Runaway1956]

Nor is it really news. The wife bought a Compaq some years ago. I cleaned it of malware, then in a few days, she complained of more. Did a "restore" from the restore partition. Malware restored itself along with the Windows OS. Imagine that....... OEM's are PAID to install crapware, and they are only to happy to accept the money.

Pffft

[BobReturns]

Yes, because any average Joe user is capable of utilising that 'solution'.

Re:

[Jurily]

Yes, because any average Joe user is capable of utilising that 'solution'.

The first thing I did with my laptop was to reinstall Vista with the DVD that came with it. Is there a way to get malware from there or the driver disk?

Re:

[Bigjeff5]

Actually yeah, the new OEM deployment tools that are available to them, plus the paradigm shift in Vista's base install method, allow them to give you a Vista re-install disk that has all of their bloatware and intentional/unintentional malware already on it.

In most cases, I don't see it happening, as they probably won't make anything off the re-install whether it has the bloat/malware or not. Not yet anyway.

Re:

[EsbenMoseHansen]

The first thing I did with my laptop was to reinstall Vista with the DVD that came with it. Is there a way to get malware from there or the driver disk?

Replace "Vista" with Ubuntu/Red Hat/SuSE/Debian and you should be fine :P More seriously, why hasn't Microsoft made a package manager+repositories yet? It is absurd that people and companies have to verify that drivers and (basic) applications are clean. The problem is a problem that already has a proven solution: signed packages from a large repository. Signed to guard against tampering after the repository. Large, so that any foul play is discovered quickly. Heck, I'm sure that you could port apt+dpkg or

Re:Pffft

[Bigjeff5]

First, the autorun worm was absurdly difficult to remove. The larger the organization the more likely it is to stick around.

Second, have you ever built a corporate or OEM OS image before? Using a usb drive to install drivers is not only likely, it's practical.

The way modern mass-images work is as follows: you have your technician machine, upon which you build the custom tools to incorporate into the image - this would be scripting software packages, customizing settings, etc. Then you have your build machine - this is a clean machine with a fresh OS install on it. You then customize that machine exactly the way you want it, installing custom packages, add all the drivers for all the machines in your product lineup (be sure to include a script to remove the unneeded drivers post-sysprep!), and reseal it to OEM spec with sysprep (which calls any necessary post-build scripts).

Now, you test, test, test, and test to be sure it is good, and mass deploy it to all your hard drives that will be going into all your machines. Much of this does not have to be changed when new models are added, and with MS's newer tools a lot can simply be slipped in to the image itself without having to re-seal it. Very convenient. That also may be how this thing got in as well, who knows.

The breakdown here was on the final step: apparently nobody scanned the test machine for viruses/malware before deploying the image. I'm surprised only a few netbooks were hit, unless the others just haven't noticed yet, heh.

Right.....

[phantomfive]

To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan

And people say Linux is user unfriendly? I never use Windows to visit banking/credit card/money websites, and I advise all my friends to do the same.

Re:Right.....

[phantomfive]

The only reason it's always that way is due to the fact it would be almost useless for an attacker to target linux ......

It's not the only reason. The obvious counter-example is IIS vs Apache, where IIS has gotten owned more than Apache, despite Apache's vastly greater marketshare.

Personally I'm looking forward to a world that is 30% OSX, 30% Linux, and 30% Windows. Not only will there be more software available for the OS of my choice, but also it will be harder for malware to spread. Look, in this case if the manufacturers hadn't been using Windows to download the drivers in the factory, the virus wouldn't have spread to the new computer. Monoculture is bad for many reasons.

Re:

[iamhigh]

It's not the only reason. The obvious counter-example is IIS vs Apache, where IIS has gotten owned more than Apache, despite Apache's vastly greater marketshare.

Start with IIS 6 and that isn't really true anymore. It is widely accepted by those without a bias that IIS 6 is as good as equivalent Apache releases (when properly configured, of course).

Do you really think having to write software on 3 different systems will result in less malware? Do you think companies will double the development staff to accommodate the differences in systems? I think a 33/33/33 split would make software companies have to support more variances, but probably not do any as well a

Re:Right.....

[phantomfive]

Start with IIS 6 and that isn't really true anymore. It is widely accepted by those without a bias that IIS 6 is as good as equivalent Apache releases (when properly configured, of course).

That's irrelevant to the point I was making though, which is that popularity is not the only thing that matters where security is concerned.

Do you really think having to write software on 3 different systems will result in less malware? Do you think companies will double the development staff to accommodate the differences in systems? I think a 33/33/33 split would make software companies have to support more variances, but probably not do any as well as they do now.

This is an interesting point, but in the old days, software companies supported Commodore, Apple, IBM, Atari, etc. The reality of the situation is that for most big software companies, the number of programmers they have is only vaguely related to the income they generate from their software. A single programmer can write code that generates millions of dollars if you can get people to pay for it. So most companies are going to do a cost/benefit analysis: is it worth it to port my software to X system? If there are millions of users on that system, the answer is probably yes. Most major software already runs on both Macintosh and Windows, and OSX only has about 10% of the marketshare. I see no reason they wouldn't write for all three systems in many cases (although I admit I would be happy to leave Windows out, since it's relatively a pain to write for).

do you really think a Windows user that has just "clicks thru" wouldn't do the same on Linux (or type sudo first or whatever the equivalent is on OSX)?

This is a good question, and you are probably right, but the security model in OSX is a lot more clear, so it would be easier to teach users, "If you have to type in your password, something bad might happen!" On OSX application installation is just a matter of drag and drop, normally there is no need to type in your password, so if you do have to, then you really need to think about what you're doing.

Re:Right.....

[sphealey]

> Do you really think having to write software on 3 different
> systems will result in less malware?

Do you really thing that monocrop agriculture could destroy an entire civilization? Oh wait...

And when NASA attempted to build the ultimate fail-safe computer system for the Shuttle do you really think they wasted their money having 1 of the 5 CPUs built, designed, and programmed by an entirely separate organization than the primary contractor and prohibiting the two design groups from communicating with one another? Oh wait...

sPh

Re:

[iamhigh]

Do you really thing that monocrop agriculture could destroy an entire civilization? Oh wait...

Are we talking about sprinkling fertilizer and water on computers? Oh wait...

And when NASA attempted to build the ultimate fail-safe computer system for the Shuttle do you really think they wasted their money having 1 of the 5 CPUs built, designed, and programmed by an entirely separate organization than the primary contractor and prohibiting the two design groups from communicating with one another? Oh wait...

Are we talking about a company with the ability to spend billions of dollars and years on a single software release? Probably not...

Re:

[MichaelSmith]

The problem is that windows, OSX and *nix all converge as you look closer to the UI. Workstations tend to run the same applications and support the same protocols. Most of them run javascript and flash for example. Maybe in the future a lot of those workstations will be primarily thin clients used to access online services. Then the services get hacked...

Re:

[Brian Gordon]

How does having 3 times as many vulnerabilities make it harder for malware to spread? Your logic is "well if 2/3 of the malware gets shunted off to other OSes then I'm golden" but you'll have 3 times as much malware to be shunted!

Re:Right.....

[phantomfive]

You haven't thought this through. It's pretty well accepted that a monoculture is bad for computer security. If you would like to discuss the issue, then I suggest you inform yourself on the research and arguments in the topic, [ccianet.org] and then you will be much better informed to make an insightful comment. Then we can talk.

Re:

[phantomfive]

At least two of the author's have PhDs in Computer Science. One was chair of the IEEE Computer Society Technical Committee on Security and Privacy. One is Bruce Schneier. I'm pretty sure they understand Metcalfe's law. If anyone has misunderstood the law, it is probably you.

Re:

[KingMotley]

Perhaps their credentials would be intimidating, if I didn't have my own. May I remind you this is slashdot, some of us have credentials from real schools, not 3rd rate schools like Penn State. Some of the guys mentioned likely contributed no more than a single quote and didn't write or approve the paper in whole.

From your paper:
"For two-way interactive communications â" such as between fax machines or personal email â" the value of the network rises proportionally to N2, the square of the pote

Re:

[phantomfive]

Perhaps their credentials would be intimidating, if I didn't have my own. May I remind you this is slashdot, some of us have credentials from real schools, not 3rd rate schools like Penn State.

Credentials shouldn't be intimidating. They mean nothing if your argument isn't good. Let's look at yours.

The first part is correct, that is what Metcalfe's Law states. It's about computing the value of a network given N number of connections. However, the second part which they state is based on the law (by using "Thus"), is incorrect. That is not what the law states, in fact if you read the detailed law in whole, you will see that it says that the number of possible connections rises proportioanlly to N squared, not N squared as they have stated in the paper.

This is your concern? That they leave off the world proportionally? Let's look at what they said, exactly: "Thus, if the number of people on email doubles in a given year, the number of possible communications rises by a factor of four." This is in fact, a true statement. A bit of consideration should help you to realize that in this specific case, it is not only proportional to N squared, it is e

Re:

[Brian Gordon]

No KingMotley's right. n(n-1)/2 is the number of connections where n is the number of users. Expanded we have (n^2-n)/2. Now n doubles so we have 2n^2-n. So it's actually increasing by a factor of 4-2/(1-n).

Also the idea that a software monoculture is a bad security practice is ludicrous. What's the right way to do it then? Making sure that too many users don't install the same software so nobody can get hit by malware? "Well they can't possibly write malware for them all at least someone's safe".

Re:

[phantomfive]

Also the idea that a software monoculture is a bad security practice is ludicrous. What's the right way to do it then? Making sure that too many users don't install the same software so nobody can get hit by malware? "Well they can't possibly write malware for them all at least someone's safe".

The right way to do it is to make sure there are options. If you have no choice but to use Microsoft, then you will be stuck with whatever flaws Microsoft gives you. If you are capable of switching easily from one OS to another, then you can avoid those flaws. Currently that is not possible, but there is no reason it must be that way. I think you could have thought of this.

Also, notice that the statement wasn't about the number of connections, it was about the number of communications, so A to B is co

Re:

[phantomfive]

Is it your habit, Mr. Well Credentialed, to always pick the weakest argument in a paper? That's a logical fallacy, you know; or maybe they didn't teach about logical fallacies at your 'first rate' school. Or maybe you just didn't learn?

Re:

[Brian Gordon]

Well then it's increasing by a factor of 8-4/(1-n) which is only 4 when n=0. In fact, as n grows the number of "connections" increases by a factor of 8 [wolframalpha.com] when n doubles. I think.

Re:

[phantomfive]

Oh dang it:

1 Person: 0 connections
2 People: 2 connections
3 People: 6 connections
4 People: 12 connections
5 People: 20 connections
6 People: 35 connections
7 People: 42 connections
8 People: 56 connections

I think we can do something of the form 2n/n and figure out by what factor it is doubling, so in this case: (8-4/(1-(2n))/(8-4/(1-n)), which can probably be simplified. I guess a factor of 4 is a misstatement in the paper.

Re:

[thePowerOfGrayskull]

May I remind you this is slashdot, some of us have credentials from real schools, not 3rd rate schools like Penn State.

Sorry, as soon as I see someone trying to justify themselves in terms of which awesome school they got their piece(s) of paper from, my eyes glaze over. This is probably because on slashdot, some of us worry more about real-world activities and accomplishments than the amount of tuition we had to spend on our degrees ;)

Re:

[thetoadwarrior]

I think attacks on Linux would increase and you're bound to get clowns who run their system as root all the time if given the chance.

However a huge chunk of the world run their servers with linux and open source alternatives. These sites include sites that hold credit card information so they would be obvious targets and their source code is available to all to find holes yet MS' offerings, like IIS, seem to have a higher ratio of problems.

So in the end I don't think Linux would actually reach Window'

Re:

[Bert64]

Linux is very widely used in the server market, and yet still seems comparably few attacks there... Although there is plenty of malware, it is almost always targeted at servers and is manually installed onto the machine and typically only targets one or two distributions or kernel versions. There is very little malware that is going to affect an average user who's browsing websites or inserting arbitrary media.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Right.....

[JSG]

Mr haireyfeet - thank you for reminding me why I have been reading /. for the last GKHL.

That is a beautifully pitched diatribe with a good measure of sarcasm and humour, mixed in with a few typographical conventions that I don't really understand but could make an educated guess at.

However, there are an awfull lot of Linux (and *BSD et al) systems that are being put in the hands of Tuxvelma. You see, like it as not we Linux admins are not the only folk who access these things or even (shock, horror) actually own them.

My wife is not exactly the most technologically sharp person but she insists (after a bit of a demo) on FF for her browser.

Also, after Vista went a bit wonky on her identical to mine laptop, she asked me to put whatever I was running on it. So (1 year) now (5 months) we (20 days) have another Gentoo user - belting!

Incidentaly I'm an MCSE as well (crap). Oh and an NCP and an LCP and a complete and utter nerd. I'm also an MD. Nerd or MD - I'm not sure which I prefer most.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dimeglio]

There are plenty of root kits for Linux. Although I haven't seen many since Kernel 2.6

Re:

[Skrynesaver]

You are either a troll a fool or an MS marketing droid. While Linux adoption on the desktop may still be limited, in the server room Linux and Solaris are more common than Windows server for many reasons, not least the registry concept. Apache is more secure, no argument available to contradict this. I'm sure others have stated this elsewhere in this thread, but i's one in the morning and I'm back from the pub, yet your drivel is more likely to cause me to puke than the ten pints of Guinness I've enjoyed

Re:

[phantomfive]

Yeah, I know what you mean, like, 5 in 6 play Russian Roulette and survive. Should be safe, right? As for me, I will try to increase the odds of NOT having my bank account cleaned out by mean people, and I don't care if it IS the OEM's fault because they aren't going to fill my bank account back up again. Avoiding Windows is a good way to do that.

Also, since you like statistics so much, let's talk about them: statistically speaking you are much less likely to get malware on a Linux machine. If that e

Re:

[Bigjeff5]

Linux doesn't protect you from falling for phishing attacks, which is how they get most people these days.

In fact if you are naive enough to think "I use linux, I'm safe!" then you are probably more likely to fall for them.

Frankly, Linux is very much not a secure system, not in most cases anyway. I'd take XP and Linux as about equivalent on the security front, as a patched/firewalled XP machine with AV software is reasonably secure. Moreso than most Linux builds, the only thing protecting Linux (and to be

Re:

[phantomfive]

I think you've failed to see my point. From a statistical standpoint, you are much less likely to get malware on a linux machine than on a windows machine. How does your post even address that point? Your go through making vague assertions and quoting statistics that are probably made up, finishing with the assertion that Linux is full of holes waiting to be blown wide open. Not only does it fail to address my point, it's a non-sequiter. What, exactly, is the purpose of your post?

Re:

[cyber-vandal]

Linux can be run from a CD/DVD where malware has a far far harder time getting the chance to do anything. Windows cannot. So therefore doing your internet banking that way is far far more secure than using any version of Windows, no matter how invulnerable you might pretend that it is.

Re:

[cskrat]

Check out Bart PE. Windows XP can turned into a live CD in much the same way that linux distros can.

But nobody in their right mind does that just to check their bank account. Anybody who knows what a live CD is off the top of their heads should be able to run a clean system with adequate protection. Assuming you have a clean system, the major threats that you'd have to worry about with online banking are pretty well confined to phishing attacks. A live CD isn't going to do you any favors on that front since

Re:

[phantomfive]

Exactly, you said it first my friend, Linux is no easier or more friendly to deal with than any other OS, and vice versa.

Re:

[Sowelu]

I once had a Linux workstation that I thought was safely behind a proxy, where nothing could get to it, so I never bothered with much in the way of security. Turns out my network was configured wrong, and it was wide open...sure enough, got totally owned. God forbid I did any banking from that machine! Of course, this was about a decade ago, so I'm sure it's easier to keep updated now...but still.

Re:Right.....

[TheP4st]

You insensitive clod, I am a 40 year old virgin and moved out of the basement a year ago!

Who watches the...

[yerktoader]

But trusting another computer depends on knowing it's clean of malware. I'd think it a better bet for Kaspersky to offer bootable thumb drives with a slim OS and their software, allowing users to scan any machine with a known good device.

Re:

[ms1234]

Thats why Windows never even got a chance to start on my netbook, installed Fedora right away. Now I have a useless sticker at the bottom that says I'm a proud Windows license owner...

Re:

[assassinator42]

Are there any anti-virus products that still do this? Norton used to offer a bootable CD to run a scan for Windows9x, but it couldn't use the latest definitions and it has since been discontinued.
How is ClamAV at doing offline scans of a Windows box?

Heh.

[MsGeek]

Wrong netbook OS. Try one of these next time: http://www.target.com/ASUS-8-9-Netbook-Computer-Linux/dp/B001E1PVU8/qid=1243113200/ref=br_1_7/190-1275134-0351843?ie=UTF8&node=1243621011&frombrowse=1&rh=&page=1 [target.com] Thankyoudrivethrough!

False sense of security

[Len]

Devices with any OS can come with malware. Even iPods [sophos.com] and picture frames [securityfocus.com] have been shipped with malware pre-installed. There's nothing magic about Linux, other than its ability to suppress the geek skepticism reflex.

Re:

[colinrichardday]

But what of OSes without devices, such as a typical Linux DVD?

Re:

[colinrichardday]

Sorry. I presume that you will install the DVD onto a computer. But you can reformat/erase the hard drive during installation, so as long as the DVD had no malware, you should be OK.

Re:

[jonaskoelker]

Even iPods [...] have been shipped with malware pre-installed.

As the iPod marketing campaign leader*, I have to take offense.

The iPod doesn't ship with "mal"ware. It ships with a friendly software agent which makes sure the musicians and artists get paid what they deserve. You love art, don't you? You don't want the artists to starve, do you?

You call it malware. we call it Delivering Revenue to Musicians, or "DRM" for short.

(* statistics and benchmarks were in short supply, so I lied a little instead.)

Re:

[Len]

If the malware is installed at the point of manufacture, it can easily be tailored for whatever device it's installed on. It's trivial to write malware for Linux when it can be installed to run as root at boot time! Even I can do that, and I'm a Windows programmer. [flickr.com] :-)

Re:

[Sir_Lewk]

I'm very sceptical that these infections are intentional. Don't attribute to malice that which can be adequately explained by stupidity.

Re:False sense of security

[Sir_Lewk]

The main difference is the vast difference in security practices between the two platforms. The only reason malware on ipods and photo frames is dangerous is because windows by default thinks that it's clever to auto-execute code off of external devices.

Re:

[Lord Bitman]

it's targeted at windows because of market share. If you're being told "run this executable", and you do it, it doesn't matter if it hides its results in C:\WINDOWS\system.dll or in /home/acoward/.bashrc

Re:

[icannotthinkofaname]

And then it would be "News for nerds," instead of, "Microsoft bashing session for nerds."

Or...

[Kythe]

You could always reformat the darned thing from scratch using a known-good version of whatever OS you're going to be using.

Honestly, ever since Vista became the de-facto OS shipped with new computers, I've been doing that, anyway.

Re:Or...

[yerktoader]

You know, I always thought it would be a good idea to ship PC's without the OS loaded. If the end user had to set up the OS it would force them to learn the basics...But that's why I'm an ex-tech support asshole I guess.

Re:

[Anarchduke]

I like that idea. Of course, I like it because I could charge those people to install their operating system for them at 60 bucks an hour.

Re:

[mikael]

Better still, keep the original hard disk drive, and buy a new one for your OS and data files. If you want to sell it to trade up or send it in for repair, you can restore the old disk drive without any problems about warranty or data loss.

Press Release: Stunt number 43242

[JK_Huysmans]

Oh, how I love Kaspersky's constant press releases.

"OMG Virus! Buy our product!"

All they seem capable of for marketing is different stunts related to finding viruses in weird places. Come on. Seriously.

Re:

[TinBromide]

I'd be more alarmed if they gave equal press to sky-diving accidents or deep sea diving developments.

Re:

[TinBromide]

That would be alarming. Quite So. Unless they found a hard drive dropped by someone hoping to dispose of the data.

Re:Press Release: Stunt number 43242

[Ilgaz]

As I don't use Windows, AV company security blogs tells me a lot about the security scene after I filter the PR.

Also Kaspersky never says ''buy our product'', they don't need such stupid stunts. A person who buys one of those cheapo TW netbooks won't likely afford their product either. They say ''a security product'' without mentioning any brand while they have right to advertise their own.

Once upon a time, computer vendors (including Taiwanese) were decent enough to run a god damn antivirus (standard was 3 of them) before shipping the computer. I guess they are targeting old timers reminding them it is not the case anymore.

But not with a thumb drive!

[TinBromide]

they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan.

Just be sure to scan the thumb drive so you're not infecting it!

Re:

[Technician]

Instead of a thumb drive, I carry a SD card and usb reader combo. The SD card has a write enable switch. Works 100% of the time on foreign untrusted systems.

They really hand-install drivers?

[Anonymous Coward]

I kind of figured that computer manufacturers had hard drive arrays to clone a pre-made installation. Pull each drive off the rack, put it in the computer, and make sure it boots, then box it.

They're really installing drivers by having some schmuck walk around with a USB stick?

Re:

[msobkow]

You're right about using drive images. However, when I was responsible for rolling out lease-return machines, we were re-imaging the systems from install CDs, rather than using "hard drive arrays." It's far easier to pop an auto-installing CD into the tray than it is to remove the hard drive, install it in an array, re-image it, then re-install it back into the PC.

It's not a very painful process -- about all you had to do was click "Ok" after the imaging CD booted and asked you if you were sure you wan

Re:

[John Hasler]

> They're really installing drivers by having some schmuck walk around with a USB stick?

I suspect that a driver update came out after the machines had been imaged but before they shipped and somebody decided the update was critical. Or perhaps a new image incorporating the new driver was going to take a few days to get through engineering and QC and manufacturing couldn't wait (they never can) and so they came up with the USB stick trick (poorly thought out, as is usual for manufacturing's ad hoc soluti

Re:

[DNS-and-BIND]

I wouldn't be surprised. In China, labor is far cheaper than any automation. In addition, this is the sort of crap-ass quality problems that Chinese products typically have.

Convenience!

[clang_jangle]

I'm so glad to see this innovative feature finally being boldly embraced by an OEM. Until now, it's been sheer drudgery, waiting the twelve minutes or so it takes to get a new Windows install infected just felt like forEVar!

Remind me again

[techno-vampire]

Would somebody out there please explain why AutoRun was ever considered a Good Idea? I know that before I got rid of Windows and went Linux only, one of the first things I'd do on a new computer was disable it.

Re:

[techno-vampire]

AutoRun should bring up a prompt, asking if you want to run the software, and remind you that you shouldn't let it run unless you were expecting it and know what it's for. That way, if you have a thumb drive that's not supposed to have anything on it but some driver updates, and the AutoRun prompt shows up, you know something's wrong. It wouldn't be fool-proof, because there are always going to be people who click OK without understanding what's going on, but it probably would have stopped this from happe

Re:Remind me again

[dgatwood]

No, AutoRun should not exist. You can't create a warning that scares people into clicking "no". If you try that, the first thing the customers do is call your support line asking why their copy of [Insert expensive software package here] contains a virus when it is really just set to automatically run their installer. Then, the only valid use of AutoRun becomes a black mark for software vendors and they stop using it, making it a completely useless technology.

The only possible way to make AutoRun be usable without being a gaping security hole is to require that all AutoRun software be signed using a signing key distributed by the OS vendor. Unfortunately, that could be a slippery slope to requiring all apps be signed (at significant cost), which would be a giant step backwards for small software vendors, open source, etc. Such a security measure would also have to have been done from the very beginning to avoid the problem of existing apps causing panic attacks in end users.

The only solution is to kill AutoRun completely. It should not exist. It has no good reason for existing. The only thing it really does is by its nature a security hole. Just shut it off already.

Re:Remind me again

[cdrguru]

Autorun came from "put in the CD, the game starts." This was introduced before there was the possibility of recordable CD-R discs so it was utterly safe, until malware folks start producing CD-ROMs by the 1,000s.

Extending it to USB devices is problematic. Anything that can be written to by a user can then be used to corrupt other machines, assuming that some users have blackness in their hearts. That pretty much means that for CDs it isn't safe anymore either.

Re:Remind me again

[GF678]

The only solution is to kill AutoRun completely. It should not exist. It has no good reason for existing. The only thing it really does is by its nature a security hole. Just shut it off already.

They have, in Windows 7.

Despite what a lot of the morons in Slashdot think, Microsoft does listen to people's complaints.

Re:

[Anonymous Coward]

Self inserts Fallout3 disk into Win7 PC. Autorun brings up dialog box. Nope still there.

Re:Remind me again

[GF678]

You're getting confused with Autoplay, they're not actually the same thing

Autoplay is what brings up the dialog box based on the contents of the media
Autorun is the method by which the autorun.inf file on the media is executed automatically.

You could normally disable autoplay easily, but autorun.inf files would still run. That doesn't happen anymore.

Re:

[ConceptJunkie]

Despite what a lot of the morons in Slashdot think, Microsoft does listen to people's complaints.

Yeah, AutoRun and not showing the file extensions by the default are two of the most stupid ideas Microsoft ever had, and they have a _lot_ of stupid ideas. Maybe they did listen to complaints, but it took them 15 years to do something about it. Both those features started with Windows 95.

Personally, I'd prefer to do business with a company that doesn't take 15 years to fix its mistakes.

Re:

[PRMan]

And in XP SP3. It's kind of annoying because I like running my PortableApps menu automatically when I insert my USB drive.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[cdrguru]

When showing extensions, Vista behaves correctly for renaming.

Extensions were suppressed for Win95 to make it more Mac-like and user friendly. Extensions were associated with 8.3 file names and any connection there had to be eliminated.

The whole extension vs. magic number vs. file application registration issue still hasn't been resolved properly. The Mac has trouble with foreign files and don't even think about version/vendor changes for a common file format. Windows gets lost if the extension is altere

Re:

[koiransuklaa]

On a back up USB drive to run a script to back up the host automatically.

Why on earth would that be a function of the usb drive and not the something running on the machine -- unless your intention is to 'backup' your friends machines or something -- in other words why wouldn't you implement that as a script on the machine that runs when a specific usb devices are connected to the machine?

Your idea just sounds like you're seeing nails because of the hammer in your hand...

Many more reasons.

Lets hear them, pl

3?

[Anonymous Coward]

Autorun worm, Windows...thats only 2...where is the third malware item?

Obligatory...

[npoczynek]

Wouldn't have happened if they had ordered that netbook with Linux pre-installed!

Re:

[AceofSpades19]

I don't know of any linux distro that has auto-run, so its pretty unlikely that that would happen

Redundant headline?

[noidentity]

Malware Found On Brand-New Windows Netbook

You repeat yourself.

redundant story?

[commodoresloat]

Why is this news? Don't we expect windows to be found on any brand new windows netbook?

Uh, what the... ?

[c]

"transferring that update to the new system, then running a full antivirus scan."

I guess I've been out of the Microsoft ecosystem for a long, long time... is it now common practice to run AV scans in a probably compromised environment? Or are malware authors so lazy these days that they can't even bother to write code which breaks any installed AV software?

c.

Common practice?

[alizard]

1. Yes, it is, most users don't know any better.

2. Malware writers do indeed write code targeting AV software. But not all of them.

I didn't get any malware

[Provocateur]

so I am returning mine. Why do THEY get all the good stuff?? You mean I have to go ONLINE and download this 'malware' myself?? And they get 3 out of the box!

DON'T even THINK about making me pay for shipping the return!!

Buy our shit, seriously!

[billcopc]

Kaspersky releases "news" article about their virus scanner saving the day, while casting doubt on all PC vendors. Solution: Buy our shit!

I don't care whether it's malware, weapons of mass destruction, or kiddie porn. It's all baseless fear-mongering to push corporate or political influence, in the end it's all just money.

What they of course fail to highlight is the fact that the solution is neither effective nor guaranteed to work. Kaspersky's scanner, like any scanner, cannot catch all malware, just like Bush couldn't (wouldn't?) catch OBL. Perhaps worse is the high rate of false positives, such as when your virus scanner mistakenly recognizes a Linux ISO as a boot sector virus, or your republican mistakenly recognizes a Linux hacker as an islamic terrorist. Bullshit all around!

Re:

[artor3]

Is there a corollary to Godwin's Law for comparing people to Bush? 'Cause finding malware on a Windows computer is a hell of a lot more likely than finding WMDs in Iraq.

To ensure that a new PC is malware-free...

[John Hasler]

...wipe it and install a new OS. There are several available. They are quite inexpensive. In fact, they are Free.

Re:

[Culture20]

Or at least take out the drive and scan it as an external drive in a known-good computer. Kaspersky's recommendation of using a scanner on the local OS is silly.

My Solution

[The MAZZTer]

When purchasing a new computer, wipe the drive. This has the added bonus of getting rid of bundleware, too, and sets it up nice for Linux! Well you can install Windows if you really want to. If your computer didn't come with an original Windows install disc, download and burn one (thanks bittorrent!). Hey, you bought Windows anyway with the computer, might as well get what you paid for.

What ought to happen

[Animats]

Recall Alert
U.S. Consumer Product Safety Commission
Office of Information and Public Affairs
Washington, DC 20207
May 23, 2009
Alert #09-993
M&A Companion Touch
The following product safety recall was voluntarily conducted by the firm in cooperation with the CPSC. Consumers should stop using the product immediately unless otherwise instructed.
Name of Product: "Companion Touch" notebook computer
Units: About 9,000
Distributor: M&A

Hazard: The laptop computer may have pre-installed hostile software (a "virus" or "worm") which could result in the unauthorized transmission of private user data, including bank account numbers and passwords, to a remote site.
Incidents/Injuries: None reported.

Remedy: Immediately stop using the device and return it to the point of sale for replacement. If bank account or credit card information has at any time been stored on the device, contact your bank and credit card providers to check for fraud and identity theft.

If computer security is to be taken seriously, such actions are essential.

Re:

[Shados]

It will, if poorly, though that depends on your definition of a netbook. It probably runs ok on a Sony P Series, but do you consider that a netbook? Thats a bit borderline.