Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Throw away your digital picture frames

Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?

Virus from China, the gift that keeps on giving

An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind.

"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.

Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new Federal Desktop Core Configuration for Windows XP and Windows Vista.

The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!

Even more amazing:

[Mocmex] isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers.

There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses.

Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.

More reasons to disable Autorun, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.
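As an added example (not from the original post), a PowerShell audit of the Autorun policy the post refers to, assuming the standard NoDriveTypeAutoRun registry policy is the control in use: it reports the value in both the machine and user hives, flags anything other than 0xFF (Autorun disabled for all drive types) as drift, which is what you would see if malware had re-enabled it, can re-apply the setting with -Remediate, and lists removable drives carrying an autorun.inf.

```powershell
# Added example, not from the original post. Audits the NoDriveTypeAutoRun
# policy (assumed to be the Autorun control in use; 0xFF = disabled for every
# drive type) and reports drift. Use an elevated session for -Remediate on HKLM.
function Test-AutorunHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        # Anything other than 0xFF leaves at least one drive type auto-running.
        $hardened = ($current -eq 0xFF)
        if (-not $hardened -and $Remediate) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
            $hardened = $true
        }
        [pscustomobject]@{
            Location = $path.Split(':')[0]
            Finding  = if ($null -eq $current) { 'NoDriveTypeAutoRun not set' }
                       else { 'NoDriveTypeAutoRun = 0x{0:X2}' -f $current }
            Hardened = $hardened
        }
    }

    # The worm spreads over removable media, so also report any autorun.inf
    # sitting on a removable drive (DriveType 2); a picture frame has no
    # legitimate need for one.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $inf) {
            [pscustomobject]@{
                Location = $_.DeviceID
                Finding  = 'autorun.inf present on removable drive'
                Hardened = $false
            }
        }
    }
}

Test-AutorunHardening | Format-Table -AutoSize
```

Re-running the audit on a schedule and alerting when Hardened flips back to False is the detection half; the policy value alone is not a cure if the account that plugs in the device is an administrator, as the post notes.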

It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.

Comments
  • Steve, I think you may be inadvertently trying to gloss over something here:

    >If you own one of these frames, SANS suggests that
    >you take it to a friend who has a Mac or Linux box
    >and plug it in there. Yeah, that's good advice; there
    >exist no viruses for these operating systems,
    >correct?

    I think that a bar chart of "# of malware in the wild (or even in the lab) per OS" would show up the nature of the risk. There may even be an (as in, one) autorunning USB worm for the Mac or Linux. But there are hundreds for Windows, which is why the factory that makes the digital photo frames has them.

    It's also the case that people run with full privileges on Windows because, when you don't, strange things happen, or unexpectedly don't.  I still remember a product manager for NT 4.0 Workstation - touted as highly secure when it came out - dismissing the Nth privilege elevation exploit, with "well, 3/4 of corporate customers give full admin rights to their users anyway, so this doesn't represent a threat at all".

    Anyway, if anyone wants a *permanent* fix to this and all other USB-drive worms, head on over to

    http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

    Cheers

    Nick

  • Yes, but another bar chart shows that Microsoft products place you in the fewest days of risk -- that is, we acknowledge and repair vulnerabilities more quickly than other operating systems. Yet another bar chart shows that of currently-available operating systems, Windows has the fewest number of vulnerabilities. Check out some of Jeff Jones's research.

    People run with full privs on Windows because so many third-party apps fail otherwise (even our own apps had this problem once upon a time). We've been advocating for years now that developers write for standard users, customers are now demanding that products run as standard user, and UAC is compelling vendors to write for standard user. There is no longer any excuse for a product to require admin privs -- I consider such products to be fundamentally broken.

  • I searched Secunia and SANS and didn't find anything about 'mocmex'; isn't that strange? Regards!