Forgot your password?
typodupeerror
Security Worms Hardware

Olympus Digital Camera Ships With a Worm 249

Posted by kdawson
from the do-not-get-too-close-to-the-viewfinder dept.
An anonymous reader writes "Olympus Japan has issued a warning to customers who have bought its Stylus Tough 6010 digital compact camera that it comes with an unexpected extra — a virus on its internal memory card. The Autorun worm cannot infect the camera itself, but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device. Olympus says it 'humbly apologizes' for the incident, which is believed to have affected some 1,700 units. The company said it will make every effort to improve its quality control procedures in future. Security company Sophos says that more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer."
This discussion has been archived. No new comments can be posted.

Olympus Digital Camera Ships With a Worm

Comments Filter:
  • by 0100010001010011 (652467) on Tuesday June 08, 2010 @09:14PM (#32505024)

    Whew, glad my Canon doesn't mount itself as a external disk. Think of all the grief I've saved myself by having to launch something to get photos off of it.
    [/sarcasm]

    So, where did these cameras originate? China, Japan, Taiwan?

    • Re: (Score:3, Insightful)

      by sethstorm (512897) *

      The despotic People's Republic of China - where the worst of company town practices are in an entire country(if not region).

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        The Autorun worm cannot infect the camera itself, but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device.

        Remember folks, that's Microsoft Windows (R)(TM). Too bad it has no effective enabled-by-default security system to prevent this sort of thing. Like I dunno, limited user accounts and non-executable mounts?
        • Like I dunno, limited user accounts
          Limited user accounts have little to do with this unless they are VERY limited (far more limited than any linux system i'm aware of does by default).

          and non-executable mounts?
          You don't need to go that far, just not running stuff without being explicitly told to would be sufficiant to block most of this sort of crap.

          • by delinear (991444)

            You don't need to go that far, just not running stuff without being explicitly told to would be sufficiant to block most of this sort of crap.

            They already tried that with UAC. Users just defaulted to auto-clicking yes every time because they ended up getting a request every time they tried to do pretty much anything.

    • by Anonymous Coward on Tuesday June 08, 2010 @09:32PM (#32505182)

      Didn't see it mentioned in the few dozen comments at the moment, but "more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled" blames the manufacturer of the drive, blames the consumer, but skirts around blaming the OS in question.

      I know it's somewhat passe to pick on an OS because it remains the one commonality in malware infections, but seriously, a design as defective as Autorun's implementation should be beaten with large sticks every chance we can get until it's a bloody pulp, or no more than a stain. Srsly.

      • by denmarkw00t (892627) on Tuesday June 08, 2010 @09:43PM (#32505290) Homepage Journal

        Someone mod this man up! I totally agree that blaming the OS is a bit passe, but Autorun is also the worst "feature" I've ever encountered - "Oh, you plugged something in that has a filesystem I understand? And an executable it wants me to run? Ok."

        Dumb.

        • by grcumb (781340) on Tuesday June 08, 2010 @10:33PM (#32505626) Homepage Journal

          Someone mod this man up! I totally agree that blaming the OS is a bit passe, but Autorun is also the worst "feature" I've ever encountered - "Oh, you plugged something in that has a filesystem I understand? And an executable it wants me to run? Ok."

          Who's blaming the OS? We're blaming the company that made the OS. The same company, by the way, that brought us ActiveX in Internet Explorer, executable attachments in Outlook, Word Document viruses, IIS prior to 7, and 'run as Administrator by default'.

          Dumb.

          Dumb, indeed.

          (I'm not even going to get into the myriad other objectionable actions and statements that they've indulged in since the beginning of the '90s. They're not germane to this discussion.)

          • by causality (777677)

            Who's blaming the OS?

            I'd imagine it's the same people who blame crime on things like guns and drugs and video games, as though they were something other than inanimate objects and ideas.

            You could "blame" the OS in the sense of recognizing that its design or implementation are definitely involved in the cause-and-effect sequence of this infection. Still, I think the blame you're talking about belongs to the moral/ethical realm of accountability. As long as you have large masses of people who will pay m

      • Re: (Score:3, Insightful)

        by schon (31600)

        blames the manufacturer of the drive, blames the consumer, but skirts around blaming the OS in question.

        Well duh - consider the source.. it's an antivirus company. They wouldn't be in business if not for Windows.

        An antivirus company saying that Windows in insecure would be like BP saying that we should all switch to solar power and stop using oil.

        • The antivirus companies will have a market at least as long as users have root privileges on the machines they buy at the store. It doesn't matter if they ship loaded with linux and SElinux *correctly* configured. People will do stupid stuff and the home user doesn't normally having anything worth wasting a first use exploit on, so the virus scanner will continue to be a moderately useful and necessary tool for any computing equipment with significant marketshare. And actually the iPhone is an example sh

          • by delinear (991444)
            True, but GP's point still stands because it's the OS of choice for AV vendors right now (low hanging fruite, and all that - it's much easier to convince a Windows user that they need AV than it is a Linux/BSD/OSX user, not to mention the volumes are there for a decent ROI). They have every reason to want users to stay on an insecure system while publicly decrying security flaws elsewhere.
    • Re: (Score:3, Funny)

      by djupedal (584558)
      Dodged a bullet....? when using windows is like sticking the gun in your mouth? Are you kidding me?

      Here's a news item...stop using windows!!
  • by sethstorm (512897) * on Tuesday June 08, 2010 @09:15PM (#32505030) Homepage

    Third World factories seem to keep on making these mistakes.

    You think they'd try making these in Japan, with full Japanese citizens making them for once?

  • by Nemilar (173603) on Tuesday June 08, 2010 @09:21PM (#32505074) Homepage

    I hate to ask the obvious question, but the article doesn't address it -- could this be intentional, or is it accidental?

    I would imagine that some shady overboss would be willing to pay a relatively sizable amount of money (especially considering that the amount of money you'd have to pay someone in a Chinese factory to do this would not be very high) for the opportunity to infect potentially tens of thousands of computers.

    • Re: (Score:3, Interesting)

      by shadowbearer (554144)

      Without more information as to what exactly the worm does, I can only speculate, but I'd bet that it's a trojan downloader or something else that brings in more malware, and that it was planted on some of those cards by a blackhatass who happens to work in their factory. The fact that it's only on a small portion of the cameras seems to indicate one individual somewhere on the production line.

      In any case it's not likely much of a threat if the users who get those cameras have decent AV soft

    • Re: (Score:3, Insightful)

      by AHuxley (892839)
      Between intentional and accidental is "a Google".
      If you are exposed just quote "“As we said before, this was a mistake,” Google spokeswoman Christine Chen"
      http://www.wired.com/threatlevel/2010/06/google-wifi-debacle/#ixzz0qJdk9Bjv [wired.com]
      Wait, stonewall, wait a bit more and the press moves on :)
  • So.. (Score:5, Insightful)

    by Renraku (518261) on Tuesday June 08, 2010 @09:30PM (#32505156) Homepage

    What kind of compensation are the makers going to offer everyone who's system they hosed?

  • Seriously? (Score:5, Insightful)

    by Anonymous Coward on Tuesday June 08, 2010 @09:32PM (#32505176)

    At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer."

    Seriously?

    It's getting to the point where running a computer is turning into a full time job. I need to scan every single product I buy before using it? Isn't that why I bother to pay a premium to get name-brand products from legitimate outlets?

    I'm annoyed that the ultimate time-saving device is becoming more and more of a chore. I'm expected to spend hours researching the ways in which to harden my browser against cookie tracking, to rate virus scanners using contradictory and confusing standards, to assess information that requires a degree in computer science everytime I want to get a PC game to work, to pull out my law degree everytime I use an online product or dive through an EULA, and now this?

    I mean come on, where's it going to end? Should I do independant surge tests on the next microwave I buy before plugging it in? What about my printer, does it need a scan too? Should I take my newly purchased tires to an independant assessor? How about that new CD I bought?
     

    • Re:Seriously? (Score:4, Insightful)

      by Saeed al-Sahaf (665390) on Tuesday June 08, 2010 @09:38PM (#32505238) Homepage

      Should I do independant surge tests on the next microwave I buy before plugging it in?

      Does your microwave connect to your network?

      • Re:Seriously? (Score:5, Insightful)

        by Anonymous Coward on Tuesday June 08, 2010 @10:00PM (#32505416)

        No, but it does connect to my electrics. Should I have to worry that every new gadget in my place is going to cause a fire? No, because we as a society decided that was not the way we wanted to live our lives and we adjusted the legal landscape accordingly.

      • It tries; but the other devices(those that survive) complain that the 802.11 compliance of a $50 1.2 kilowatt cavity magnetron leaves something to be desired...
      • Please don't give them any ideas. Wasn't it GE that had a computer in a fridge? I can just imagine the havoc the microwave could cause if it turned on for an extended time with nothing in it. Couldn't be good.
      • by tehcyder (746570)

        Does your microwave connect to your network?

        Doesn't yours? Jeez, you're so last century.

    • Your printer probably does. A lot of network enabled printers and copiers ship with open telnet ports with widely known root passwords. This has been around for a while, but pwning Windows boxes is so much easier.
    • Re:Seriously? (Score:5, Insightful)

      by indiechild (541156) on Wednesday June 09, 2010 @02:59AM (#32507042)

      Good points. This is why "appliance computing" ala iPad and the like will become increasingly popular over the next few years. Slashdot geeks will decry it as dumbed down computing for the unwashed masses, but in reality, it's computing made usable.

  • by bragr (1612015) *
    Every piece of new writable media gets formated immediately. I also have autorun killed on all my windows boxes.
    • by Anonymous Coward on Tuesday June 08, 2010 @09:38PM (#32505246)

      Unnecessary unless you use an ancient decade-plus-old Windows version. Vista and 7 stop this attack automatically by displaying the Autoplay dialog when a new device is inserted.

      In fact, Windows 7 removes the ability entirely to manually execute Autorun from a flash drive.

    • That's an excellent policy (except for blank CDs and DVDs, of course *g* - wouldn't THAT be a helluva nice vector for infecting machines, if it can be done...)

      I would like to point out that it should apply SPECIFICALLY to external hard drives one buys, especially used ones. I've had three customers in the last four months who bought used(2) and new(1) external hard drives off of Ebay and got infected with malware hidden either in the autorun or in the included software that comes with the

  • Autorun?! (Score:5, Insightful)

    by dido (9125) <dido@@@imperium...ph> on Tuesday June 08, 2010 @09:35PM (#32505204)

    I wonder what bright soul at Microsoft thought it a good idea to extend autorun to all types of removable media. It was tolerable if annoying for CDs and DVDs, but it became downright dangerous once USB sticks and similar rewritable media were included. I wonder why they haven't decided to push an update that disables or limits the damage that this misbegotten feature can do.

    • Re:Autorun?! (Score:4, Interesting)

      by bragr (1612015) * on Tuesday June 08, 2010 @09:40PM (#32505268)
      At the single biggest security problem at the place were I work. We tried disabling it, but we had too many problems of people putting in flash drives or cd and the stupid flash based window not popping up like it did "on their home computer" and that "their computer was broken." Sometimes, its just easier to clean up afterwards, then to preempt it and deal with people complaining.
      • Re:Autorun?! (Score:5, Insightful)

        by rudy_wayne (414635) on Tuesday June 08, 2010 @09:53PM (#32505368)

        At the single biggest security problem at the place were I work. We tried disabling it, but we had too many problems of people putting in flash drives or cd and the stupid flash based window not popping up like it did "on their home computer" and that "their computer was broken."

        So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.

        • Re:Autorun?! (Score:5, Insightful)

          by robthebloke (1308483) on Tuesday June 08, 2010 @10:33PM (#32505628)
          The OP didn't say anything about employees - he said workplace. Every worked in a university? It's far easier to ghost the machines at the end of every day or session than deal with hundreds of queries a day from the vast majority of the 20,000 students who struggle to understand the basic concepts of computer security.
          • And they learn nothing about using a computer when pandered to in this way.

            Your laziness in helping your users to utilise IT resources effectively and safely creates the problems actual IT people with workloads beyond reghosting terminals have to fix every single day. Your lack of input when they experience an issue instils their resentment of the IT workforce early on, before they move into Management jobs where they continue to abuse the IT technical people the same way they were abused and ignored when
        • So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.

          So your brilliant solution is to fire people you spent training how to do an actual job, and replace them with people who need more training and still will not know how to use a flash drive "correctly".

          All because Windows can't keep its virtual pants on at the sight of a new device.

        • I'm more concerned about an IT policy that allows people to just plug in whatever and run/install it... As for the "Stoopid lusers" mentality, grow up.
        • by tehcyder (746570)

          So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.

          His employees are hopefully too busy doing some actual fucking work to worry about how their computers work.

      • Sounds like you turned off the "automatically mount new media" instead of "autorun".

        I seem to remember that you could turn off the autorun but keep the automount. It has been awhile since I had to admin a Windows box though so I could be wrong.
      • by MobyDisk (75490) *

        You can disable autorun without disabling autoplay, which is what asks the user what to do. And you can adjust the contents of the autoplay window so that the option to run programs on the disk isn't there.

      • Unfortunately, this presents an issue for the learning of important IT knowledge by the "lay person." It's generally easier to wait for something to break or "break" than to educate because IT staff are underpaid, not typically sociable (no offense, just a fact I've encountered), and the lay people are often unwilling to change or to really commit to learning. Until you can show them how to disable it, work without it and live in the workplace so that they can go home and do it themselves, no progress can b

    • I wonder what bright soul at Microsoft thought it a good idea to extend autorun to all types of removable media.

      Actually that originated with Apple, back with the Macintosh (or maybe even earlier).

      Idea was to automatically load drivers for new devices from the device, system upgrades from the medium containing the software, etc. for that "plug it in and it just works" experience.

      Of course it wasn't long after the Mac got into users' hands and development tools were available that some bright kid decided to

    • by dbIII (701233)
      Possibly a similar person to the one that decided that the microsoft help agent wasn't advertising itself enough and demanded it frequently manifest itself as "clippy" to make inane comments instead of it's original incarnation of appearing on the rare occasions where it would be helpful. It's the same stupidity of putting a feature directly in your face possibly just to win some pissing contest with internal Microsoft office politics. "We can run stuff off CDROMs, but let's make sure it happens ALL the t
  • by grahamsaa (1287732) on Tuesday June 08, 2010 @09:39PM (#32505254)
    Civil and criminal penalties should be imposed on manufacturers that ship hardware that's pre-loaded with malware. As of right now, there are no consequences, which means that this will continue to happen. The only remedy that will stop, or at least curb this behavior is serious civil or criminal charges.

    Companies may blame this on outsourcing, but they have chosen to outsource. They may blame it on poor quality control, but quality control is their responsibility! There is no excuse for this, and the executives that make decisions that lead to this type of security hole must be held accountable. I wish I could say that I was surprised by this news, but I'm not. It's commonplace. And until hardware and software companies are held accountable, this will continue to happen.
    • Recently I helped a friend who had 1TB disk formatted in FAT32 to convert it to HFS+ Journaled. As I image the disk, I notice some really strange things, like .exe files in Pictures folder, the _hard disk_ itself having autorun.exe. It is not some Taiwanese invention either, it is the Western Digital.I believe it is one of the most expensive ones.

      It turns out, WD _idiots_ had this great idea of installing their USB drivers named something TURBO (no kidding!) who are supposed to speed up the drive transfer.

    • by yuhong (1378501)
      I would not go that far, especially because avoiding it is as easy as a reformat.
  • by by (1706743) (1706744) on Tuesday June 08, 2010 @09:41PM (#32505274)
    ...is pretty funny when translated from the original Japanese [olympus.co.jp] (translated from Chrome):

    For the customers you have the appropriate product is in trouble indeed grateful, bon appétit do so as follows: anti-virus support, thank you.

    Translation issues aside, they do 'fess up honestly:

    Cause

    The lack of production management, computer virus has been contaminated with the camera.

  • by linebackn (131821) on Tuesday June 08, 2010 @09:44PM (#32505298)

    "At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer"

    But what if that malware, as it seemingly often is these days, is an actual intentional part of a product?

    • Re: (Score:3, Interesting)

      by mcgrew (92797) *

      And even if it isn't an intentional part of a product (I, for one, will never buy anything ever again with Sony's name on it; my daughter installed XCP on my computer, trusting that "reputable" company), I shouldn't have to worry about getting malware from a reputable company. I shouldn't have to scan a goddamned camera.

  • by rudy_wayne (414635) on Tuesday June 08, 2010 @09:48PM (#32505326)

    but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device.

    Why isn't the memory card formatted and completely blank?

    consumers should learn to always ensure Autorun is disabled,

    No, companies should stop selling memory cards with unnecessary crap installed.

    • Re: (Score:3, Interesting)

      by digitalhermit (113459)

      Why isn't the memory card formatted and completely blank?

      Because it's getting more convenient for the user if the manufacturer ships the software on the device. Many laptops do not have CDROM drives. It can also save on packing costs not just for one unit, but for thousands of units. It allows more recent software to be shipped since and update doesn't require another CD manufacturing run..

      No, companies should stop selling memory cards with unnecessary crap installed.

      No argument there.

  • So it's like a bottle of tequila?
  • by Tuqui (96668) on Tuesday June 08, 2010 @09:52PM (#32505354) Homepage

    Olympus should send an Ubuntu CD to their customers.

  • by Ilgaz (86384) on Tuesday June 08, 2010 @09:59PM (#32505404) Homepage

    On a fully secured (DEP, non Admin account, all updates) Windows machine, I can see "quarantined" items which all appear to be "autorun.xxx.worm" , pick anything you like. It is already out of hand.

    If something happened like this on Apple OS X land, Apple would roll out an operating system update and disable Autorun. Perhaps, they could show a help document about installing applications with double clicking.

    Shrink wrapped/boxed software is _dead_. Even if it is not dead, it is trivial to add the "install software" control panel back. Just a line needed to be on box or "driver cd". That is all. It won't be the first time some convenience is given up for security. How many times people install the same software anyway?

    • Yes for all that people moan about Apple being a walled garden yada yada I can see Steve Jobs demanding a quick fix regardless of the consequences if there was this kind of foolishness in OS X.

      At this point in my life when I see the same old things broken and no real fixes from Microsoft (short of taking things into your own hands and disabling it yourself -- something Grandma will never do) I wonder if the internet has been responsible for too many casual "push it out, fix it later" attitudes. The average
    • It won't be the first time some convenience is given up for security.

      Sounds better the way Benjamin Franklin said it; "He who gives up freedom for safety deserves neither."

      So, I guess we are saying Freedom is not Convenient?
    • If something happened like this on Apple OS X land, Apple would roll out an operating system update and disable Autorun. Perhaps, they could show a help document about installing applications with double clicking.

      There were Apple viruses as of the original Macintosh, which had a similar feature for automatically loading drivers, software updates, and such.

      They've been there, had that done to them, and moved on.

      For some reason it took Microsoft decades to get the same message.

    • by blincoln (592401)

      Shrink wrapped/boxed software is _dead_.

      It's easy to assume that your experience is the same as everyone else's, even when it is not. If no one is buying shrink-wrapped/boxed software, why do stores (in the US) like Best Buy, Circuit City, and Target still have large selections of it in stock?

  • I heard it no longer enables autorun on USB drives by default!

    • Re: (Score:2, Funny)

      by ZeBam.com (1790466)
      Well, one way to find out...
  • It's a feature!
  • by DigiShaman (671371) on Wednesday June 09, 2010 @01:09AM (#32506560) Homepage

    I've ran into this worm before (or one like it). One of my clients got an external HDD full of video data. They're into video production (not porn), so often they will require data from their clients. Anyways, this worm hides in a fake Recycle Bin folder which is executed by the autorun.inf file. In turn, the infected PC will replicate to all possible drive letters. Once on a server share, all other clients will soon get infected.

    It's real annoying. But if all your PCs and Servers have an up-to-date anti-virus scanner, it they should now all prevent from getting infected.

  • The larger problem (Score:2, Insightful)

    by istartedi (132515)

    Everybody harping on autorun. The larger problem is insecure defaults. Autorun hasn't been nearly as bad as "Hide file extensions". For people like myself, it lead to filenames like foo.txt.txt before I realized that stupidity was turned on. For people who weren't paranoid enough, it was the legendary HotChick.jpeg.exe kind of stuff.

    But I digress. The real problem is poor default choices. Again and again. MS needs to realize that you can't pander too much to the very stupidest users who haven't used t

  • by adolf (21054)

    Amusingly, this sort accidental infection would be totally prevented if media (including SD cards, device internal storage, etc) were shipped unformatted, just like it was back in the days of floppies.

    It wouldn't really be a big deal: First time you switch the device on, or insert the thumb drive, or whatever, it/your computer simply formats the media. Done.

    This would obviously not stop a more sinister (firmware-based) attack, but I see nothing here to indicate that this particular attack vector was delib

  • I mean there is a worm in Mezcal as well and nobody complaints. They even use it in their marketing and advertising.

After an instrument has been assembled, extra components will be found on the bench.

Working...