Trojan Found In New HDs Sold In Taiwan

GSGKT writes "About 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand were found to have trojan horse malwares pre-installed (autorun.inf and ghost.pif). When the HD is in use, these forward information on the disk to two websites in Beijing, China: www.nice8.org or www.we168.org. The article implies that authorities believe the Chinese government is behind the trojans. A later article pins down the point of infection to a subcontractor company in China. A couple of months back the Register was reporting on pre-installed malware detected on Maxtor disks sold in the Netherlands. This earlier report was downplayed by a Seagate spokesman." The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.

It's times like this...

[fractoid]

...that I'm really glad I switched to Linux. :)

Obilgitory HOSTS comment:

[killmofasta]

Please add to your host files:
127.0.0.1 www.nice8.org
127.0.0.1 www.we168.org

Comment removed

[account_deleted]

Comment removed based on user account deletion

Seagate admits it

[Camael]

The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.

Untrue. The Seagate article can be found here: http://www.seagate.com/www/en-us/support/downloads/personal_storage/ps3200-sw/ [seagate.com]
So this is not a hoax, after all.

Re:How would that even work

[totally bogus dude]

Autorun can definitely run exe's, that's its main purpose. That's how the installer automatically starts up when you insert a game or application CD. It's possible that the exe needs to be signed or something, but it's more likely that whatever program you were using simply "did it wrong".

Don't forget that you can also disable autorun permanently, rather than having to remember to hold shift every time you insert a disc.

Nope

[The MAZZTer]

Default Windows settings would run the trojan once you plugged the drive in. To avoid this you either have to hold shift for an indeterminate amount of time while plugging the drive in, which can be difficult or impossible. With such a drive you're likely to use a more inaccessible port because you likely won't be needing to unplug it much. The only other alternative is to disable autorun for removable drives. This option is not available in the standard GUI and third party tools (or TweakUI) are needed.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Seagate admits it

[ColdWetDog]

Well that link throws a 404 error. Searching for "Trojan" on the Seagate site just gave me a couple of links to a Terms of Use agreement. I just didn't have the heart to explore that concept further.

More Info on the Worm

[essinger]

The article doesn't state it but this seems to be the worm W32.Drom. [symantec.com] Symantec rates the threat as Very Low with 0-49 total infections. Take that with however many grains of salt you wish.

Re:First off...

[colfer]

Overriding autorun can be done in the registry, so you don't have to remember to hold down the shift key. Does it work for USB hard drives? Probably. These are the notes I have.

Works for USB drives and CD-ROMS.
[2007/10, from:
http://www.mydigitallife.info/2006/09/11/disable-auto-run-and-auto-play-of-u3-smart-drives-launchpad/%5D [mydigitallife.info]

      1. Click Start -> Run.
      2. Type RegEdit in the Open text box, then press ENTER.
      3. In the Registry Editor, locate and click the following registry key:

            HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom
      4. Modify the value of the Autorun to 0 (zero) so that CD-ROMs and Audio CDs do not run and start automatically when inserted.
      5. Next navigate to the following registry subkey:

            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      6. Modify the value of the NoDriveTypeAutoRun entry to 0xb5 value to turn off the AutoRun feature for CD-ROMs by right-click NoDriveTypeAutoRun and then click Modify to type B5 in the Value data box. Select Hexadecimal, and then click OK.
      7. Quit Registry Editor.
      8. Restart your computer.

Re:First off...

[networkBoy]

Um... I've always found it more convenient to mount drives as a subdir in windows, doubly so if you have tons of drives.
-nB

Re:Nope

[LurkerXXX]

3rd party tools? Who needs 3rd party tools?

gpedit.msc

It's a windows GUI tool.

Computer Configuration > Click "Administrative Templates" > Click "System" > Double-Click "Turn off Autoplay", set it for "All Drives" and click the "apply" button.

Re:Obilgitory HOSTS comment:

[Anonymous Coward]

Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca
Admin ID:JHV8DUHMSOOFB
Admin Name:ga ga
Admin Organization:gaga
Admin Street1:gagaga
Admin Street2:
Admin Street3:
Admin City:gaga
Admin State/Province:Beijing
Admin Postal Code:126631
Admin Country:CN
Admin Phone:+86.68492333
Admin Phone Ext.:
Admin FAX:+86.4660456
Admin FAX Ext.:
Admin Email:safsafsa@ca.ca
Tech ID:JHV8DUHO9XXZP
Tech Name:ga ga
Tech Organization:gaga
Tech Street1:gagaga
Tech Street2:
Tech Street3:
Tech City:gaga
Tech State/Province:Beijing
Tech Postal Code:126631
Tech Country:CN
Tech Phone:+86.68492333
Tech Phone Ext.:
Tech FAX:+86.4660456
Tech FAX Ext.:
Tech Email:safsafsa@ca.ca
Name Server:NS2.XINNETDNS.COM
Name Server:NS2.XINNET.CN

I'm assuming "ga ga" is fake; XINNet is not accessible without a Chinese proxy. The Registrant's Phone number: +86.2164729393 links to the contact information to http://www.sogle.com/ [sogle.com] a partner of http://68l.com/ [68l.com] which both appear to be web hosting companies.

So if this is one big Chinese government conspiracy, it seems to be run through a number of companies, including dedicated hosts, not just hardware manufacturers.

Doesn't work for XP Home

[Anonymous Coward]

> It's a windows GUI tool.

Not for XP Home or other crippled MS products...

Technet says 0xff not 0xb5

[Anonymous Coward]

MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) DWORD 0xFF

from http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch10n.mspx [microsoft.com]

and http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch03.mspx [microsoft.com]

just FYI

Re:Troll Alert...

[Jugalator]

OK, then use msconfig for a built-in autostart UI, if you must. :-p

Re:Threadjack: WTF?

[Lennie]

The problem is most Windows users format the disk from within Windows.

Then the malware already automatically gets run.

Re:Troll Alert...

[ozmanjusri]

use msconfig for a built-in autostart UI,

That won't work.

msconfig is a diagnostic tool for disabling programs which are loaded at boot time. It has nothing to do with autoloading CDs.

There is no built-in autostart ui. If you're scared of the registry, you can download TweakUI, but you'll still need to disable autostart on a drive-by-drive basis.