Digital Picture Frames Infected by Trojan Viruses

CR0WTR0B0T writes "The San Francisco Chronicle is running a story on viruses loaded into digital picture frames, similar to the ones we discussed at the end of last year. The difference is in the virus used: 'The authors of the new Trojan Horse are well-funded professionals whose malware has 'specific designs to capture something and not leave traces ... This would be a nuclear bomb of malware.' Apparently, a number of regular folks have hooked them up to their home computer and loaded the virus. And if you think you're too smart to be fooled, apparently the Anti-Virus software makers have not caught up to the threat quite yet."

Well...

[ledow (319597)]

- Run an OS that does not automatically try to mount devices, without user interaction.
- Run an OS that does not execute programs on devices once mounted, without user interaction but preferably not at all. (Autorun, I'm looking at you)

Although what doesn't seem to mentioned specifically is if the viruses are contained on the memory of the frames themselves (i.e. just like any other removeable drive) or whether they are on some sort of driver/bundle CD. It does seem to hint that it means the device itself, which begs the question how is it getting executed? Is there a setup.exe that autoruns like on certain brands of USB drive (DUMB IDEA OF THE CENTURY)? Are there infected data files like JPEG's that just so happen to allow execution of their code on certain OS's? Is there an actual executable that isn't supposed to be on there at all that autoruns or waits for the user to double-click it?

Either way, it's hardly a brilliant way to spread and only a dozen or so people seem to have been affected out of whichever country it's talking about (presumably the US). That sounds more like they had the virus already and it made its way onto their digital photo frames when they first connected them. Yes, it's a worry that malicious code could make its way onto a consumer device at the factory, but more at fault here are the OS and the user practices - we had all this back in the 80's/90's... don't take floppies off people you don't trust without scanning them first. Have we seriously come full-circle to the same dumb, preventable "problem"?

Re:Well...

[by Anonymous Coward]

- Run an OS that does not automatically try to mount devices, without user interaction.

And this would help HOW? Maybe it'd allow certain wiseguys to point at and blame the user for mounting the volumne in question - but ordinary users who just want to put pictures on their frame would *have* to mount it it, and it doesn't matter whether you have to click or whether it happens automatically. In fact, given that you'll likely only ever plug in the frame when you actually do want to access it, automounting seems like a good idea that does save you work in this case.

Automatically running code without the user asking for it is another issue, of course - that is a colossally stupid idea indeed, yes.

Re:Well...

[by Anonymous Coward]

The picture itself in not a virus, rather it becomes one when the malformed image causes some type of overflow /exploit to the program that renders that picture
, so not having something run auomatioally doesn't really matter, when you do open the picture it Runs by exploiting a flaw in the program that renders it. whether it starts automatically or not is of less relevance.

This fact isn't being made very clear in this forum or the document.
  Pictures are not viruses they ar caused to become one on very specific software that render them .
EX: The same image when viewed or if even viewable on different rendering software will have no effect .

Re:Well...

[CR0WTR0B0T (944711)]

The article is saying that these were found to be infected at the point of purchase. These picture frames are designed to be user friendly and will hook up via USB cable and scan your PC for your digital media. They have software loaded on them to play pictures, AVI, and for some odd reason MP3s. The real issue here is the Ma and Pa who bought their new PC at BestBuy to look at pictures of their grandkids and surf the web are at risk. Even the PC already loaded with anti-virus software isn't protected. As soon as they hook up the frame to start downloading the pictures, the virus is activated. Good thing is this round steals someone's online gaming passwords (WOW?), which likely won't affect many since hardcore gamers aren't likely to use digital picture frames. Next round could be mining for TurboTax information or passwords to play Global Thermonuclear War with WOPR [wikipedia.org].

Re:

[DrSkwid (118965)]

> hardcore gamers aren't likely to use digital picture frames

you plucked this assertion out of your ass

Re:Well...

[CR0WTR0B0T (944711)]

Yes. I wondered why my chair was so lumpy.

Re:

[John3 (85454)]

> hardcore gamers aren't likely to use digital picture frames

you plucked this assertion out of your ass

Since there are somewhere over 8 million WoW players (as an example) then I'd have to agree with your comment about the source of the assertion. Many, many of the WoW gamers I chat with online have difficulty upgrading video drivers and managing their PC. If they want to proudly display their WoW toons to their friends of course they will buy a digital picture frame at Best Buy.

Re:Well...

[93 Escort Wagon (326346)]

hardcore gamers aren't likely to use digital picture frames

you plucked this assertion out of your ass

I'd hazard a guess that he's right. Aren't the photos people display in frames usually of friends, lovers, or spouses?

They could infect the driver

[emj (15659)]

You can try to prevent all the attack vectors, but it has nothing to do with "the OS" or "the user", but it's more todays design of security. You can't guard yourself against malware in anyway, the only way to make it harder is not using a computer like normal people do, not allowing the normal vectors to be exploitable.

But if everyone used the computer this way, the attackers would just adapt.

The problem is homogenity, there is no one solution.

Re:

[rah1420 (234198)]

How about 'don't log in as administrator?' Another helpful tip to prevent issues. I wonder if this virus would be able to infect a PC if a "lowly" user plugged in the USB?

Re:

[gallwapa (909389)]

Autorun functions on most (any?) usb device with autorun.inf. You don't have to enable it.
Run procmon when you plug in a usb storage device, watch and see.

Where is the question ...

[moseman (190361)]

Where these virii are being placed on the devices is the big question. It must be someone who has access to the code or software installation process. Look at the manufacturer.

Oh, and run a *nix-based desktop.

It is not "professional", but gov.

[WindBourne (631190)]

The thing is that China is doing to the world, what America did to USSR (and still doing to the world); putting hidden viruses and back doors in our products. Who should be blamed for it? American companies who are building their products in China. After all, you can blame the individual who is working to help their father or mother land.

Nuclear bomb of malware?

[clarkkent09 (1104833)]

How many people does the author think use those silly picture frames?

Re:

[mrxak (727974)]

I saw a huge stack of these things in Best Buy a few weeks ago near the registers. The people in front of me were talking about getting one, but then they pretty much decided they were worthless. I have to admit I largely agree, but then again I don't own any picture frames digital or otherwise.

Re:

[CR0WTR0B0T (944711)]

There were 1.7 million sold in the United States in 2006 [gizmag.com]. These are bought by people that just want to show some pictures they took with their digital camera without having to dedicate a computer to the job. Black Friday was loaded with ads for picture frames for around $70. Given the price point, it was an attractive Christmas gift to give to anyone who may not be computer savvy. PC Magazine is predicting [pcmag.com] that these digital frames will become smarter to give non-computer users more capability like Vide

Re:

[Tony Hoyle (11698)]

Can't see it - digital picture frame: £130 ($260) [amazon.co.uk] (btw. that's cheap - the ones in stores are double that.. I saw one for over £500 just the other day).
Normal picture frame: £5 ($10) [amazon.co.uk]

Cost of devloping photo from a camera? About £2.50 a memory stick in lots of stores. You can do it at the same place you buy a cheap frame from.

In addition the 'digital' frame uses power, can fail (especially if it gets dropped), is only viewable from certain angles, etc.

There's a reason you rarely see

Re:

[SkyDude (919251)]

There's a reason you rarely see them in stores except novelty shops and amazon. They're the classic example of a solution begging for an actual problem.

Could be but I like to think they are purchased by gadget lovers who probably gave birth to current Slashdot readers........

Re:

[M-RES (653754)]

The problem is : you develop all your photos. You put them in an album perhaps. You most likely then put that album on a shelf where you promptly forget about it. You never look through those pictures again. Digital picture frame solution : display all your photos on a rotational basis so you see different pictures all the time - even those you'd forgotten about, bringing back memories of the event/place/people. It makes taking all those pictures in the first place have a point... for a lot of people. I d

Re:

[totally bogus dude (1040246)]

I got one for my parents, and they like it (they've had digital cameras for ages). You're right in that they're very expensive which is why I chose it as a gift: they're a nice thing to have, but hard to justify spending your own money on.

Almost your entire argument is that they're worthless because they're expensive. New tech is always expensive. When they become more affordable I think they'll grow in popularity a lot. The viewing angle is pretty good on the one I got, and LCDs are always improving.

Th

Re:Nuclear bomb of malware?

[Atraxen (790188)]

Here's a real-world example of why it might be 'useful'. Dental hygienists often work part time for a single dentist (full-time over multiple offices) and their patient room is used by someone else when they're not there. So, they usually take their pictures/diplomas off the wall when they leave for the last day of the week, and the other person puts theirs up. Also, consider that many of these patients have been going to the same dentist for >20 years - they know the employees, and want to see the new pictures. That frame allows a few hundred pictures to be in the same spot, and come down easily at the end of your mini-week.

At least, my mom thinks so. In the end, that's the key thing to remember about specialized technology - there is/should always be a niche it fills, and it's most profitable when niche > 1. Nearly nothing is too esoteric to be useful to someone - ask me to show you some of the glassware in my chem lab!

Re:

[uncoveror (570620)]

I don't know about the author, but the Chinese are convinced a lot of us use them. This is all part of China's war on us without firing a shot!. [uncoveror.com]

Put the pieces together

[DNS-and-BIND (461968)]

1. The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces,"

2. Computer Associates has traced the Trojan to a specific group in China

3. It spreads by USB drives

4. "It is a nasty worm that has a great deal of intelligence,"

Follow the money. My money's on an espionage tool from the Chinese government or its affiliated corporations. Let the flaming begin...I said "China" and "espionage" in the same sentence, I'm sure folks out there would like to lynch me just for even suggesting that there is such a laughable concept as espionage, or bash me for so-called China-bashing (which includes any criticism of China except those for human rights, that's OK).

Re:

[sinai (989310)]

Since we're all for China bashing, have a look at the U.S. - China Economic and Security Review Commission's 2007 report [uscc.gov] to congress, which states, "Chinese espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies". Add to that the MI5's recent warning [timesonline.co.uk] that big EU firms were being targetted for web-based espionage, and the lynch mob might have to drop their pitchforks and go think this thing over. I might sound a little

Easy Solution

[BlueStrat (756137)]

Just make sure nobody cares about or likes you enough to ever send you something so sappy.

And before anyone says it, yes, yes, I'm in no danger...right. :P

Cheers!

Strat

Be Safe: Roll Your Own DPF

[wehe (135130)]

Do you want to be on the safe side and have some fun, too? Just make your custom DPF and install Linux on it. Here are some DIY instructions to make a digital picture frame from an old laptop or notebook [repair4laptop.org]. And here is a survey of Linux used on selfmade digital photo frames [tuxmobil.org]

ALERT: People at SANS, incoming CHAIRS!

[SmallFurryCreature (593017)]

Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.

Oh boy, you gotta love that bit. Amusing as the suggestion that Mac's and Linux "machines" are not PC's may be, do you realize just how damning of MS software this is? SANS, a security organisations basically says that if you don't trust a piece of hardware, then it is okay to plug it into a mac or linux machine, to test wether it is safe to plug it into a windows pc.

Is this like those warnings on tv, kids do not try this, if you want to do this experiment, get an adult to help you. Kids do not use windows blindly, if you do wish to add a new device, get someone with a real OS to help you out.

Oh well, to all the windows using women out there, remember, the standard rate for getting a guy to help you out is ONE blowjob. Please form an orderly cue.

Re:

[kunwon1 (795332)]

Best comment of the week, if not longer. Be my friend.

Re:

[theguyfromsaturn (802938)]

On the other hand she is implying that people may have friends running Linux. Considering that the Linux using croud is still composed mostly of geeks, and that geeks being dorks and all don't really have friends, she could have limited the options to finding someone with a Mac.

(Disclaimer: I'm a Linux user and I have no friends.... Will you be my friend?)

Re:

[the_humeister (922869)]

Oh well, to all the windows using women out there, remember, the standard rate for getting a guy to help you out is ONE blowjob. Please form an orderly cue.

Do those sores on your mouth mean anything? No? Carry on then...

The chicken or the egg

[Joebert (946227)]

Updated antivirus software works unless the malware writers get ahead of the antivirus vendors,

Malware writers are always ahead of antivirus writers. Antivirus was invented in response to malware & antivirus updates are dependant on new types of malware.

Three R's again!!!

[MrKaos (858439)]

Well four now, since Vista was released,,

If you're attacked and your PC fails, you'll have to reformat and reload all of the programs.

and it triggers two of the 4 r's of Microsoft

reboot the machine

reload the applications *

reformat/reinstall the OS *

revert to the previous version

but it must be fun cause we do it over and over and over and over and over and over and over and over and over.

Re:

[TheLink (130905)]

The usual:

Retry (it might work the second try)
Restart (the program)
Reboot (the O/S)
Reinstall (the program, and various versions)
Reformat
Reinstall (the O/S + application)
Reinstall (another O/S + application)
Retry (who knows...)
Resign
Resume (rhymes with cafe)
Resume (rhymes with consume)

Then there was: plug and pray and plug and pay and plug and pray and plug and play and plug and pray and plug and yay... finally it works :).

Words of Advice

[terom (1077107)]

Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.

You really just got to wonder what they were ....

[3seas (184403)]

....thinking.

Don't virus writers have better thens to do?

Unless they are vested in anti-virus software, whats teh point other than just causing countless people problems.

Re:You really just got to wonder what they were ..

[mlts (1038732)]

It is a solid revenue stream. If malware succeeds in installing, there is profit to be made from identity theft, theft of CD keys from games, grabbing virtual assets like MMO accounts and selling them (or using the account for EULA-breaking items until the account is permanently banned), blackmail, extortion, botnet making, spam zombies, and many other nasty things

Virus writing is highly profitable, each second a piece of malware goes unstopped on a machine is a second that the machine can continue to spew spam, spy on an internal network, or be a part of a DDoS attack.

Goatse frames?

[ivoras (455934)]

I can't be the only one who thought of this: what if a virus took over the frames just to display the well known image on them, for amusement value? :)

Network Virus Innoculation

[Doc Ruby (173196)]

Since there are now so many network devices in the wild without an admin user interface, and without even an admin user (except maybe some $5 an hour warranty phone tech support dweeb), the wild needs an easy way to innoculate entire network domains against viruses. We should learn from nature how to keep viruses under control. In 5-10 years, practically every human will have 1-100 infectable devices, many of them in the critical path for their convenience, work, and even human health, so we've got to get this under wraps with that deployment explosion on the horizon.

I should be able to subscribe to an antivirus site that distributes inoculation viruses, just like in nature. Install it on my home/office server, and it gets updates which attack my own hosts the same way as the enemy virus does in the wild. But its attack payload is removed, replaced with a payload that patches the infected host against the attack virus. The home server should also scan the network's devices for other signs that they're already infected, including emailing me with instructions how to inspect each device for UI signs that it's infected with the attack vir And periodic (daily/weekly/etc) reports of "health status". When it detects a host, like a networked picture frame, that seems to be already infected but can't be autopatched, it can recommend further manual steps if possible, including wiping the host's storage if that will work. Or just recommend unplugging and throwing away a doomed host, perhaps with a mail-in "thorough treatment" by the antivirus vendor experts, if there's a chance to recover data and the device. Or just throw away a hopeless device.

There's a lot of talk lately about "good worms" which would cruise the Net just like "bad worms", but patch instead of infect. Since "patch vs infect" is in the eye of the human operator, that unsupervised release into the wild can easily go wrong. But this kind of managed release in each LAN, rather than just over the entire WAN (Internet), leaves the "doctor virus" compartmentalized - don't let it route between LAN segments. And more importantly, it leaves the vendor and the home user who started it each responsible, and accountable, for using it right. If it's made extremely simple to operate, with the most minimal user intervention required, this kind of product could really improve security without a lot of hassle. And make antivirus vendors a new ton of money.

Re:

[ciggieposeur (715798)]

Sounds nice until a malware author manages to make their real virus look like an "anti-virus virus" and it walks right through the anti-virus defense.

Re:

[Doc Ruby (173196)]

For one, malware authors can already do that, regardless of whether the antivirus makers do this.

For another, that's the cat/mouse game they're already playing. So the antivirus I'm describing has to be able to protect from that attack, too. Again, regardless of whether the antivirus is deployed as I describe, or not.

The only change I make is that the software the user is already installing now will also cruise their network patching their own hosts without an admin UI or admin user (probably eventually all

Switch off autorun already, huh?

[sw155kn1f3 (600118)]

It's the first thing I do when installed fresh copy of windows. I do this with TweakUI XP - it's download at MS site. Very handy little tool to make initial tuning.

NoDriveTypeAutorun

[WD (96061)]

You'll want to set the NoDriveTypeAutorun [microsoft.com] registry value in HKLM to 0xFF. This will disable Autorun/Autoplay for all device types. What's interesting, though, is that according to that article, the default configuration for Windows is to disable Autorun for removable disks that aren't "CD" devices. What's not clear is whether this digital picture frame actually does automatically run, or whether it requires the user to double-click on the device icon in Windows explorer. (The latter of which will run so

Strange virus

[edwardpickman (965122)]

Why did I get this image of the picture frame displaying Condom ads?

Fire the metaphor writer

[brusk (135896)]

'specific designs to capture something and not leave traces ... This would be a nuclear bomb of malware.'

Say what? Whenever I want to sneak in somewhere and get away all quiet-and-subtle-like, my first thoughts are of atomic weaponry. Want to steal sensitive documents? Just detonate a small thermonuclear device and no one will even realize you were there, and you'll leave no traces (unless you count a loud bang, bright light, mushroom cloud, charred corpses, fallout and a spike in cancer rates and radiation levels).

Ninjas. Men in Black-style mindwiping. Cat burglar. Evil hypnotist. Lots of available analogies. Nuclear bomb ain't one of them.

Too smart to be fooled?

[cbiltcliffe (186293)]

And if you think you're too smart to be fooled, apparently the Anti-Virus software makers have not caught up to the threat quite yet.

That doesn't bother me in the least, as I haven't run any antivirus software for going on 5 years, now. That includes on my Windows machines (and yes, I run as administrator). I've never been infected with anything, either.

There's a few simple rules that you can follow to do this yourself:

1. Hardware router. I personally use pfSense, due to the necessary complexity of my home network, considering that I run my computer service business out of my home. Any consumer router will work, though, as long as it's got UPnP turned off, and the password's been changed.
2. Never, ever, ever plug an untrusted computer into your trusted network. See my point number 1. Customer machines are plugged into a completely separate subnet that is firewalled off from my trusted network.
3. Turn off everything like autorun, automatically find network shares, etc.
4. Secure your wireless. Mine's open, but it's even firewalled from my untrusted network. Use WPA-PSK, with a password that looks like this: awdfvA@#F54q2a3A#% Don't even think about using WEP. I've broken it in less than 30 minutes, and the longest it's ever taken me is 45. If you're wireless devices won't support WPA, replace them, or upgrade the wireless. A Startech PCMCIA card that supports WPA is only about $55 retail, so there's really no excuse.
5. Don't be a moron, and click on anything someone sends you. Even if you think they're really computer savvy. Even if you know they have functional antivirus software.
6. Anything that's of even remotely questionable trustworthiness, scan with an online scanner. But don't do it right away. Wait a week or two, then scan it, then run it. This is what I do with things like program cracks that people seem to get hosed with all the time. Download it from P2P, then let it sit for a week or so. Then scan it. If it's fine then, you're probably OK.

Some people tell me I'm paranoid, and they're probably right. But there are two people in the world that I know of that have never had a virus. Myself, and Bill Gates. And I'm sure Bill Gates probably runs antivirus software to prevent it.

Re:

[Nazlfrag (1035012)]

7.Never run any antivirus software so there is nothing to report an infection.

MOD PARENT DOWN: Shock site

[CRCulver (715279)]

The parent post links to GNAA's admirable "Last Measure" shock site.

Re:

[MrKaos (858439)]

Don't click the link, it's a malicious site.

Lucky I wasn't browsing as root, I could have been in *real* trouble.

Re:

[urcreepyneighbor (1171755)]

*click*

Re:

[TheThiefMaster (992038)]

I clicked the link, and Avast! Antivirus automatically broke the connection because it found malware.

Good enough for you?