Forgot your password?
typodupeerror
Security Data Storage IT

Trojan Found In New HDs Sold In Taiwan 344

Posted by kdawson
from the bourne-again dept.
GSGKT writes "About 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand were found to have trojan horse malwares pre-installed (autorun.inf and ghost.pif). When the HD is in use, these forward information on the disk to two websites in Beijing, China: www.nice8.org or www.we168.org. The article implies that authorities believe the Chinese government is behind the trojans. A later article pins down the point of infection to a subcontractor company in China. A couple of months back the Register was reporting on pre-installed malware detected on Maxtor disks sold in the Netherlands. This earlier report was downplayed by a Seagate spokesman." The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.
This discussion has been archived. No new comments can be posted.

Trojan Found In New HDs Sold In Taiwan

Comments Filter:
  • Same (Score:5, Interesting)

    by renegadesx (977007) on Sunday November 11, 2007 @10:39PM (#21318495)
    Lead in paint, malware in HD's same thing really
    • Re: (Score:2, Insightful)

      by Monsuco (998964)

      Lead in paint, malware in HD's same thing really
      Except that pesky death part. Meh details.
      • by Corwn of Amber (802933) <corwinofamber@skyn[ ]be ['et.' in gap]> on Monday November 12, 2007 @03:29AM (#21320545) Journal
        autorun.inf and ghost.pif, yeah, right. Who still uses windows, AND has autorun enabled?
        Answer : Everyone. Even geeks give up configuring Windows to that point after one hundred reinstalls. Or they give up on Windows already... Okay, "who does not reformat new HDs before use?"

        Who buys Maxtor HDs anyway? Never had one that even lasted till the end of warranty, used 8 of those in under two years. And there are not enough hours in one year to make up for the order of magnitude between announced and effective MTBF. (168*52 = way less than "tens of thousands of hours".)

        Not that I excuse them for dataraping their customers. The exec that ordered that should be put to a very slow and painful death. With the Maxtor engineering team. (If there even IS one.)
        • Re: (Score:3, Informative)

          by Lennie (16154)
          The problem is most Windows users format the disk from within Windows.

          Then the malware already automatically gets run.
          • Re: (Score:3, Insightful)

            by Smidge204 (605297)
            Solution? Ship the drives UNFORMATTED. No partitions or filesystems, no malware.

            Most brands ship that brain-dead "install software" anyway, which the clueless will install. Have that "Initialize" the drive for them. The ones smart enough to not install that crap software will be smart enough to format the drive themselves.
            =Smidge=
    • by RuBLed (995686)
      I hate these scripts that utilizes autorun.inf. In my country they are so popular, everyone makes one, script kiddies! On the bright side, it could be easily removed most of the time.

      The current (as of writing) Windows Secrets newsletter features an article that would let you at least prevent most kind of autorun.inf scripts from ever running in the first place. It would save me some trouble from all those college girls (errr.. I mean relatives) that gets infected by these sort of things all the time...

      One [windowssecrets.com]
    • by Anonymous Coward on Monday November 12, 2007 @12:01AM (#21319203)
      By "Trojans Found In New HDs Sold In Taiwan", I thought they meant condoms.

      (OK, who's the comedian? My catchpas is "durable".)
  • by explosivejared (1186049) <hagan,jared&gmail,com> on Sunday November 11, 2007 @10:41PM (#21318507)
    Anyone who doesn't wipe a new drive first off is just begging for this sort of thing. Secondly, I guess it's a new competition for Chinese manufacturers to see what's the worst secret addition to a product sent overseas. Lead in toys, GHB in toys, phone-homes on HDD's... what's next killer bees in new TV's... really. Consumerism bites!!
    • by corsec67 (627446)
      In windows, wouldn't the HD be mounted before you can format it?

      I know in most Linux distros a HD that isn't mentioned in fstab will not get mounted, but what about Windows?

      I guess you have to boot from a LiveCD and format the disc to be sure.
      • Re:First off... (Score:4, Informative)

        by 404 Clue Not Found (763556) on Sunday November 11, 2007 @11:07PM (#21318759)
        I'm not sure how Windows actually handles "mounting" behind the scenes, but to the user, a new drive typically just shows up automatically as a drive letter (like F:\) both in the GUI and the command prompt. Then when you try to access the drive, you'll get a dialog box saying the drive isn't formatted and asking if you'd like to format it.

        In the case of preformatted external drives (which this one is supposed to be), however, not only will the drive immediately become available for access as soon as it's connected, Windows may also try to autorun any programs listed in the drive's autorun.inf.
        • Re:First off... (Score:5, Informative)

          by 404 Clue Not Found (763556) on Sunday November 11, 2007 @11:21PM (#21318895)
          Oh, forgot to mention that autorun can be disabled either temporarily by holding down Shift when connecting a drive or permanently via a control panel.
        • A default install of XP will autostart (i.e, autorun.inf) any external drive when it's plugged in. In theory, a program shouldn't run automatically without user intervention. You should get that menu offering to play music, copy files etc.

          In practice, it's easy to get an app to run invisibly. If someone is trojaning OEM drives, Microsoft's choice of defaulting to the insecure autorun mode means a lot of people will be infected.

          • Re:First off... (Score:5, Informative)

            by colfer (619105) on Monday November 12, 2007 @12:03AM (#21319217)
            Overriding autorun can be done in the registry, so you don't have to remember to hold down the shift key. Does it work for USB hard drives? Probably. These are the notes I have.

            Works for USB drives and CD-ROMS.
            [2007/10, from:
            http://www.mydigitallife.info/2006/09/11/disable-auto-run-and-auto-play-of-u3-smart-drives-launchpad/%5D [mydigitallife.info]

                  1. Click Start -> Run.
                  2. Type RegEdit in the Open text box, then press ENTER.
                  3. In the Registry Editor, locate and click the following registry key:

                        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom
                  4. Modify the value of the Autorun to 0 (zero) so that CD-ROMs and Audio CDs do not run and start automatically when inserted.
                  5. Next navigate to the following registry subkey:

                        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                  6. Modify the value of the NoDriveTypeAutoRun entry to 0xb5 value to turn off the AutoRun feature for CD-ROMs by right-click NoDriveTypeAutoRun and then click Modify to type B5 in the Value data box. Select Hexadecimal, and then click OK.
                  7. Quit Registry Editor.
                  8. Restart your computer.
            • Troll Alert... (Score:5, Insightful)

              by Belial6 (794905) on Monday November 12, 2007 @01:36AM (#21319875)
              [Troll]
              That's the problem with Windows. It doesn't Just Work(tm). You have to know these cryptic menus to edit databases just to keep your new USB drive from running whatever application happens to be on it. Maybe one day Microsoft could start doing some real usability testing and get Windows to be as easy for a new user as Linux.
              [/Troll]
              • Re: (Score:3, Informative)

                by Jugalator (259273)
                OK, then use msconfig for a built-in autostart UI, if you must. :-p
                • Re: (Score:3, Informative)

                  by ozmanjusri (601766)
                  use msconfig for a built-in autostart UI,

                  That won't work.

                  msconfig is a diagnostic tool for disabling programs which are loaded at boot time. It has nothing to do with autoloading CDs.

                  There is no built-in autostart ui. If you're scared of the registry, you can download TweakUI, but you'll still need to disable autostart on a drive-by-drive basis.

        • by Anonymous Coward on Sunday November 11, 2007 @11:39PM (#21319057)
          >I'm not sure how Windows actually handles "mounting" behind the scenes

          Simple. You install Windows, and feel as if you were being mounted by Ball-mer. With a chair.
        • Re: (Score:3, Funny)

          by dotgain (630123)
          Or in my case, it tries to assign a driver letter, fails because there's already a drive using that letter, and says:

          24 Volumes ought to be enough for anybody. Bet you never thought you'd run out of drive letter, huh?
      • Nope (Score:3, Informative)

        by The MAZZTer (911996)
        Default Windows settings would run the trojan once you plugged the drive in. To avoid this you either have to hold shift for an indeterminate amount of time while plugging the drive in, which can be difficult or impossible. With such a drive you're likely to use a more inaccessible port because you likely won't be needing to unplug it much. The only other alternative is to disable autorun for removable drives. This option is not available in the standard GUI and third party tools (or TweakUI) are needed
        • Bah, right after I posted my comment I realized I wasn't thinking straight. Time for bed I guess. Ignore parent and imagine I typed this instead:

          Default Windows settings would mount the drive and immediately parse autorun.inf. I'm not sure about running the trojan, but I think MS totally disabled the run part of autorun in Vista and maybe an XP update (instead you get a dialog which shows the autorun action as one of several options you can take including nothing, or opening the drive in explorer).

        • "The only other alternative is to disable autorun for removable drives. "

          Or... chassis it into an external FW/USB/SATA enclosure, cabled to a Mac & either reformat it for OS X & use... or wipe it and format it for a windows box.
        • Re:Nope (Score:5, Informative)

          by LurkerXXX (667952) on Monday November 12, 2007 @12:37AM (#21319469)
          3rd party tools? Who needs 3rd party tools?

          gpedit.msc

          It's a windows GUI tool.

          Computer Configuration > Click "Administrative Templates" > Click "System" > Double-Click "Turn off Autoplay", set it for "All Drives" and click the "apply" button.

    • Re: (Score:3, Funny)

      by MrAndrews (456547) *
      Exactly! The TFA has a definite agenda... in reality, this is a competitive move by Maxtor [pttbt.ca]. You have to do extraordinary things to stand out in this global economy.
    • Re: (Score:3, Funny)

      by uncoveror (570620)
      When I read that these drives were originally for government agencies, I suspected it might be Monkeypoo... VIRUS WARNING: Attention: Computer Labs Inc., makers of Virucide antivirus software have identified a highly dangerous new Trojan worm, MONKEYPOO. It will usually appear in an e-mail with the subject, "Congratulations.You have won!" it will then prompt you to click a link to collect your cash prize. It can also freely spread across networks. Monkeypoo will read your address book, and mail a copy of
  • by techmuse (160085) on Sunday November 11, 2007 @10:42PM (#21318517)
    Most PCs ship without professionally produced malware installed. While everyone might *wish* that their PC came with such software, only a small percentage of customers are actually lucky enough to get their malware free of charge. Mac users, don't feel bad that your system won't come with it. You get iLife. :-)
    • by KPU (118762)
      Dell's worldwide market share may be 13% but that alone is more than "a small percentage of customers" who receive malware free of charge with a new PC.
  • ...that I'm really glad I switched to Linux. :)
  • by JewGold (924683) on Sunday November 11, 2007 @10:43PM (#21318529)
    I mean, so what if there's a trojan that steals my identity and turns my computer into a botnet node? So what the materials it's comprised of let off poisons that will kill me and my whole family? I saved $6 on this baby!
    • by sqrt(2) (786011)
      I stopped buying things made in China. It is possible. I've found that most things you could want to buy have an alternative made here in America, except maybe electronics and you can usually get ones made in Japan. I've been saying this to people for a long time, longer than the last six months when we've been hearing all these stories about poisoned Chinese products. Check the labels, shop around if you can. There are alternatives out there.
      • Re: (Score:3, Insightful)

        by Opportunist (166417)
        It's possible, but how many can? Let's face it, Chinese crap is cheap crap. And with many people just barely making enough money to live on, they can't be choosy. They have to buy what their budget dictates.
        • Re: (Score:3, Insightful)

          by JewGold (924683)
          Maybe part of the reason that people don't have enough to live on is that all the manufacturing jobs, which used to be the cornerstone of the American economy and middle class, are now in China.

          I don't know how much faith I have in this "new economy," which seems to be based on people selling overpriced houses to each other and getting further and further in debt.
    • Not after shipping from China!
  • by compumike (454538) on Sunday November 11, 2007 @10:45PM (#21318547) Homepage
    While the open source movement has done a great deal toward making software understandable, at some point, people have to trust their computers. However, this used to be a great deal easier, because engineers had a good idea of what could be done with a particular amount of circuitry.

    The increasing level of integration means that hardware is more and more of a black box. While this has led to huge savings in cost and performance boosts, we've paid for it by being unable to debug the hardware, and unsure of what's really going on inside.

    While the case in the article talks specifically about a trojan horse installed normally on the drive -- and thus something that should have been remedied by a good formatting job -- who knows what could happen once we have vulnerabilities embedded directly into the hardware. One could certainly imagine a trojan that was hard-coded in the firmward and kept moving itself around the disc after attempts to delete it.

    It's also seems fishy that much sensitive information (of relevance to a foreign government) could be obtained from randomly putting trojans on hard drives... Isn't it possible that this was an unintentional infection from some disk-handling or testing machine along the line?

    --
    Educational microcontroller kits for the digital generation. [nerdkits.com]
    • Re: (Score:3, Interesting)

      by M. Baranczak (726671)

      It's also seems fishy that much sensitive information (of relevance to a foreign government) could be obtained from randomly putting trojans on hard drives... Isn't it possible that this was an unintentional infection from some disk-handling or testing machine along the line?

      How do you know it was random? Let's say they have a specific target in mind, and they know what sort of hard drives the target uses, and which supplier he gets them from. They infect a whole container load of disks which is bound for that supplier. Whoops, they overdid it - now some unrelated hacker wound up with one of those things, noticed the shenanigans and published them on the net.

      Although the second scenario (the boring one) is a lot more likely.

  • Not a trojan (Score:4, Insightful)

    by techmuse (160085) on Sunday November 11, 2007 @10:45PM (#21318559)
    By the way, it isn't a trojan. A trojan is software that convinces the user to install it by looking like something else that the user might want to install. While this may certainly qualify as malware, it isn't a trojan.
    • Re:Not a trojan (Score:5, Insightful)

      by Megane (129182) on Sunday November 11, 2007 @10:50PM (#21318611) Homepage

      A trojan is software that convinces the user to install it by looking like something else that the user might want to install.

      Something else like a... hard disk?

      • >>A trojan is software that convinces the user to install it by looking like something else that the user might want to install.

        >Something else like a... hard disk?

        A hard disk is mostly... hardware. There's a little software in it, even in a good, uninfected unit, but that's called firmware. One doesn't buy a hard disk for that firmware.
        • Re:Not a trojan (Score:5, Interesting)

          by tftp (111690) on Monday November 12, 2007 @12:15AM (#21319311) Homepage
          A hard disk is mostly... hardware. There's a little software in it, even in a good, uninfected unit

          Two cases here. First, you got an external USB HDD. It often contains lots of software. I have a Seagate USB/FireWire HDD, it comes with FreeAgent backup and configuration software. I bought the software with the HDD unit, they are one set. I would be an idiot if I format the HDD first.

          Another case is when you get an internal HDD that is supposed to be unformatted. But you don't know if it is or isn't - not before you install it into your Windows box and power it up. If the HDD is blank, as it should be, then you need to format it, and all is well. However if it is already formatted for you and contains something, Windows has no way of knowing why it is so, and it will treat it as any other removable drive - namely, will read the autorun.inf and proceed running all the viruses in the world that the drive may contain, all that before you even realize that something is wrong.

          In either case, if your antivirus finished loading by this time it may save you, if it is good enough. But I recall some recent review that claimed that a typical antivirus fails to catch as many as half of the viruses.

    • Re: (Score:2, Insightful)

      by malvidin (951569)
      Although I agree with your definition of a trojan, I have to say that this is a trojan as well.

      If someone puts malware in a device I would willingly put in my computer without me employing security measures, I would consider that more true to the original source of the term.
    • Re: (Score:3, Funny)

      by Waffle Iron (339739)
      Computer <-> Troy

      SATA connector <-> City gate

      Disk drive <-> Big wooden horse

      Autorun file <-> Greek soldiers

    • Something physical brought behind your defenses that attacks you un-awares.

  • Do they have some mechanism for surviving the intial format or is this a complete hoax? Even assuming the drive is installed in a Windows computer, isn't the first step always to format the drive? I've added lots of drives to Windows machines and it never occured to me to try to access them without formatting them. Do these come preformatted?

    As to the reference about these drives being used for government databases, certainly they would be reformatted when added to a RAID, wouldn't they? Even if preformatte
    • by myc (105406) on Sunday November 11, 2007 @10:49PM (#21318595)
      not for external USB drives that are already pre-formatted with a FAT32 filesystem. Plug it in and go! your box is pwn3d.
    • by shaka (13165)
      They're external drives. They almost always come preformatted (FAT32), usually with some (autorun) software installed.
    • I've added lots of drives to Windows machines and it never occured to me to try to access them without formatting them. Do these come preformatted?
      In my experiance bare drives don't but drives ready mounted up in USB caddies do.

      Sure you could reformat it to remove stuff but by the time you get to the format screen you are probablly already infected.
    • by Megane (129182)

      Do they have some mechanism for surviving the intial format or is this a complete hoax?

      What "initial format"? If you buy this drive and install it, preformatted with the trojan, Windows will see it as already formated and mount it, then autorun the malware. Moments later, the human who doesn't notice it's already formatted goes slowly (to a computer) to the disk format utility. By the time the format begins, the damage has already been done.

      I will admit that I have noticed that sometimes brand new drives are already formatted, but then I immediately reformat them as HFS+ volumes. Next time

  • Maybe a format (Score:2, Insightful)

    by virtualnz (1187667)
    maybe a format of the drive when its purchased will fix. Or because its malware does this mean its going to be embedded into the hardware? It goes to show that we can't even rely on our hardware now without some big "brother" sending information back.
    • My impression is that they're just regular files pre-loaded on it, so reformatting will work. Provided of course you don't plug it in to a Windows PC with auto-run enabled in order to format it.

      I wonder if one day we will see drives that have malware embedded in the controller that can't ever be erased? Maybe it's possible for them to detect "initial connection and probing by Windows" by waiting for a certain sequence of commands, and only expose the malware then. If you look at the drive later, or use a

  • by killmofasta (460565) on Sunday November 11, 2007 @10:47PM (#21318575)
    Please add to your host files:
    127.0.0.1 www.nice8.org
    127.0.0.1 www.we168.org
    • by lordofthechia (598872) on Sunday November 11, 2007 @10:55PM (#21318681)
      Why not take some initiative.You can block the sites, or you can send them what they want! DATA! Send them lots of data, format it like it was sent with the virus and have fun coming up with a random assortment of websites to include in it (sure we could thing of a couple).

      So why ignore when you can use up their bandwidth and screw up their database. Just an idea.
    • Re: (Score:3, Interesting)

      Excellent suggestion and I hope you get modded informative.

      There is a blacklist website that had the www.nice8.org site listed a while back (I serched in mine before entering it) but the we268 site wasn't in there and still isn't.

      The URL to the hosts blacklist file: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] This really speeds up browsing too as a lot of the tracking sites get blocked.
      • There is a blacklist website that had the www.nice8.org site listed a while back (I serched in mine before entering it) but the we268 site wasn't in there and still isn't.

        I think we Slashdotted it. They're not responding.

    • Please add to your host files:
      127.0.0.1 www.nice8.org
      127.0.0.1 www.we168.org

      Be sure to put them in the upstream router. Autorun may compromise the system.. DUH it's a trojan. Since the affected drives are portable drives, it is very important to disable autorun as well as block the sites upstream of the compromised machine.
         
    • Re: (Score:3, Funny)

      Please add to your host files:
      127.0.0.1 www.nice8.org
      127.0.0.1 www.we168.org

      You bastard! I did and that unsavory host at 127.0.0.1 (isn't the 127.x range like the dark back-alleys of the Intertubes?) infected me with a nasty trojan, probably because it has like a million gajigabytes of completely illegal, pirated contents on it!! A veritable pirate hive, that! I hold you pesonally responsible for directing us, pure, innocent Slashdotters to it!

      • 127.0.0.1 is MY computer! Say that again and I sue you for slander, I'm not spreading malware!

        (The scary part is that I'm not so convinced I couldn't find a judge who wouldn't allow that suit...)
  • The summary doesn't state who is at risk here. For all I know, these could be hard drives for servers. I suppose the files autorun.inf and ghost.pif hint that it's targeting Windows. Would this also be a security issue if someone attempted to execure those files within Wine or Parallels?
  • Seagate admits it (Score:3, Informative)

    by Camael (1048726) on Sunday November 11, 2007 @11:07PM (#21318763)

    The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.
    Untrue. The Seagate article can be found here: http://www.seagate.com/www/en-us/support/downloads/personal_storage/ps3200-sw/ [seagate.com]
    So this is not a hoax, after all.
    • Re: (Score:3, Informative)

      by ColdWetDog (752185)
      Well that link throws a 404 error. Searching for "Trojan" on the Seagate site just gave me a couple of links to a Terms of Use agreement. I just didn't have the heart to explore that concept further.
  • by Tribbin (565963) on Sunday November 11, 2007 @11:16PM (#21318839) Homepage
    I once bought a computer with Windows preinstalled.
  • by edwardpickman (965122) on Sunday November 11, 2007 @11:23PM (#21318901)
    They figured it was a time saving feature that would save bandwidth for the buyer having the Trojans preinstalled.
  • by 0123456 (636235) on Sunday November 11, 2007 @11:30PM (#21318967)
    Why oh why does Microsoft still automatically run software off any disk that's inserted into your PC? Surely decades of floppy-carried virii should have convinced them of what a frigging stupid idea that is?
    • by Shados (741919)
      It does? When I put a disk in my PC, it -asks- me if I want to run the auto-run, or if I wanna do something else with it...
  • So if the Chinese government is willing to do this with just hard drives, it makes me wonder what they are putting on Lenovos.
  • I think ... (Score:3, Funny)

    by PPH (736903) on Sunday November 11, 2007 @11:40PM (#21319067)
    ... the makers of third party malware should sue. Having OEM malware preinstalled is going to drive them out of business eventually.

    Perhaps the EU can take up their case.

  • What happens when they put malware in the BIOS on your motherboards.
    How will you know? How will you get rid of it, (I know flash the
    BIOS, but maybe the BIOS doesn't want to be flashed.)

    There's talk that the next war will be a cyberwar. I guess that's
    better than the other kind, but these are some of the ways to do it
    I'd say.
  • by essinger (781940)
    The article doesn't state it but this seems to be the worm W32.Drom. [symantec.com] Symantec rates the threat as Very Low with 0-49 total infections. Take that with however many grains of salt you wish.
    • Any AV company can only rate any kind of malware by the amount of samples they encounter through their various sources, which usually include spam or webpages. Hard drives usually are not on their detector network.

      I'd take that number with a quite unhealthy dose of salt. Most likely Symantec got a sample from somewhere (a customer, their cooperation with other AV researchers) but didn't encounter any samples through their detectors (well, how would they if that trojan is distributed in ways they cannot dete
  • Why would the Chinese government do something so obvious? And the drives were sold in Taiwan? Given the relationship between the Chinese and the Taiwanese... it seems more like this was _meant_ to be found in order to destabilize the Taiwan economy more than to do any sort of real information gathering... if the Chinese government wanted to gather information I'm sure they could and would be far more covert than this... and compared to the other systems they surely have in place this is nothing.....

    This

"Marriage is low down, but you spend the rest of your life paying for it." -- Baskins

Working...