Bruce Schneier
Schneier on Security

A blog covering security and security technology.

November 20, 2007

Hard Drives Sold with Pre-Installed Trojans

I don't know if this story is true:

Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc, the Investigation Bureau said.

Certainly possible.

EDITED TO ADD (12/14): A first-hand account.

Posted on November 20, 2007 at 12:52 PM • 31 Comments

Alex • November 20, 2007 1:17 PM

Kind of doubt it. Seems like potentially way too much data to go unnoticed for long, unless some sort of filtering is performed on file name / size.

The Dave • November 20, 2007 1:55 PM

Even if it's happening, this wouldn't be all that much of a threat. If used as a replacement primary drive, the OS's installer would normally remove such files. Even as a secondary drive, most modern Windows OSes don't run autorun.inf from internal drives, and the OS's installer will wipe the drive anyway. This might hit 2000 or unpatched first generation XP, but if that is your environment, you probably have bigger threats to worry about.

I focus on Windows since I don't know any other OS that even runs autorun.inf.

tim • November 20, 2007 2:11 PM

There is plenty of precedent for this. Have we forgotten the Apple iPod debacle a couple of years back already?

Somebody • November 20, 2007 2:27 PM

I honestly think that autorun is one of the most brain-dead misfeatures in the history of operating systems. It causes so many problems, major and minor, and yet has so little benefit. I don't consider an OS install complete until I disable autorun.

kc0dxh • November 20, 2007 2:38 PM

Are .pifs even needed anymore? Why not just disassociate that extension?
Autorun isn't inherently harmful. It's what's run that harbors the potential for harm.

MyCat • November 20, 2007 2:41 PM

The Personal Storage drive is an external drive so that the non-technical user can put their personal files on it. As such it would be preformatted.

Camilo • November 20, 2007 2:50 PM

Yes mycat, it should be preformatted, but what happens if the computer where it is preformatted has a virus/trojan? I think it is more likely than having an "evil" manufacturer putting the trojan.

Thinking again, Sony put a very high mark on "evilness".

jack c lipton • November 20, 2007 2:52 PM

@MyCat

Sure, it's pre-formatted so people running Windows have "convenience" (laughs).

Mind you, when I get one of those disks, I'm busy re-partitioning it (after a dd if=/dev/zero bs=1048576 count=32 of=/dev/sda or sdb or whatever) and then putting an ext2 (if not ext3) file-system on it. And, yes, there _is_ an ext2 driver/explorer for XP *and* Mac OS X. (Needless to say I do NOT use XP if I can help it; if I need to move files around, a LiveCD and tar/ssh to a real server are my preference, though I am not averse to WinSCP if I have no other choice).

But that's just _me_.

Hasn't this trick been tried by Sony on CDs? And hasn't this kind of insanity appeared on flash drives?

I tend to be paranoid about media, but, I also freely acknowledge that, while my paranoia does go to 11, sometimes that is just not paranoid enough.

Stephen Smoogen • November 20, 2007 2:56 PM

Definitely true... and probably not the first time this has happened in the past from various drive manufacturers. The real sweet spot is USB key chains as most people do not reformat them and just plug them in and let the magic machine do what it wants.

bob • November 20, 2007 3:09 PM

The government should buy a couple thousand of these drives and then fill them over and over again with low res porn files and copies of government regulations.
Vitus Wagner • November 20, 2007 3:17 PM

"Yes mycat, it should be preformatted, but what happens if the computer where it is preformatted has a virus/trojan?"

Then it is utter incompetence of the manufacturer. I think that in the field of IT security incompetence is worse than evil intentions.

UNTER • November 20, 2007 4:42 PM

@Vitus: In most fields that's true. An "evil" enemy you can discover by the pattern of her actions - she implicates herself. But an incompetent opponent is unpredictable - incompetence is a relatively random series of actions that are uncorrelated with reality.

It takes a great deal of analysis to distinguish them though, since if you assume that your opponent isn't evil and he is, his pattern will appear at first blush to be random. Hanlon's razor and Hanlon's bane in action.

Terry Karney • November 20, 2007 6:49 PM

I was reading someone complaining about a Seagate drive which had some pre-installed software, which immediately copied itself to the machine's hard drive; unbeknownst, and then replaced itself on the secondary drive after he'd removed it.

So he had to remove it three times.

Which convinced me I wasn't going to be getting anything from them.

Ross • November 20, 2007 8:25 PM

This message board post has a first hand account:

http://forum.rpg.net/showthread.php?...

Eam • November 20, 2007 8:51 PM

@kc0dxh

Leaving your new car unlocked in a busy parking lot with the keys in the ignition isn't inherently harmful either.

RobW • November 20, 2007 9:17 PM

@Ross:

jay • November 20, 2007 10:01 PM

To add to my last comment. Always make it a habit to disable Autorun for devices in Windows. Even the USB stick worm propagated using this autorun feature.

You can turn it off using TweakUI which is provided by Microsoft. It's easier to do using the GUI than editing the system's registry!

m17 • November 21, 2007 1:35 AM

Autorun on Windows does not work for hard drives.
So, unless HD is modified to pretend that it is a CD (as, e.g., in ) the attack vector is simply impossible.

Chris S • November 21, 2007 2:03 AM

Re: Autorun on Windows does not work for hard drives.

Not so - it does not work for *internal* hard drives. But it works just fine for USB connected fixed drives. Windows makes a distinction between "removable media" and "removable drives".

Find the question "What must I do to trigger Autorun on my USB storage device?" at

The answer makes very clear that fixed disk drives can trigger autorun. And any hard drive can be converted into a USB drive just by connecting it into a USB drive enclosure.

robert • November 21, 2007 2:15 AM

This is how to turn off autoplay on windows and avoid all sort of issues:

Start -> Run -> gpedit.msc -> Local Computer -> Computer Configuration -> Administrative Templates -> System -> Turn Off Autoplay -> Enabled

jay • November 21, 2007 3:38 AM

@m17,

Well this is an interesting discussion. Actually I guess it's now safe to say that you should always get the new hard drive checked for viruses by using it as a removable storage unit (USB) provided that autorun is turned off. Plug it to an enclosure and run a thorough scan (maybe using multiple virus scanners).

But I'm sure if you format the new HDD using it as a RSU I don't think you have to perform the virus scanner anyway.

87676 • November 21, 2007 9:37 AM

Bruce: this is fucking OLD news. Man, get with the program you GEEZER.

jammit • November 21, 2007 9:44 AM

Having the drive pre-formatted as fat32 and including an autorun on it, or adding a boot sector virus is just boring. I'm waiting for the day when the hard drive firmware comes from the factory with a virus on it.

DLL • November 21, 2007 9:57 AM

@tim

Apparently, I have. What debacle?

Omar Herrera • November 21, 2007 4:58 PM

Happened to me in 2005 in the UK. I bought an MP3 player (a cheap generic) from a store and it had a "surprise" inside.
The thing was manufactured in China and had no brand (it wasn't detected by any AV I had at hand at the time but seemed to be a variant of a known trojan horse).

I agree with other comments in this forum. You should format all new rewritable discs (magnetic or memory based).

Paeniteo • November 23, 2007 6:04 AM

@robert: "This is how to turn off autoplay on windows and avoid all sort of issues:"

Autoplay != Autorun

The first is that Windows detects what kind of data is on the newly inserted drive and presents you with (more or less) sensible options what to do with the inserted drive.

The latter is about reading autorun.inf and executing a program specified there.

Not given • November 26, 2007 12:35 PM

I am only reporting this here as I assume you know who to send this info to:

Right now (started 11-26-07 11:30am CST) Walmart.com is being redirected to:

It also appears all transactions are following redirect.

Domain Name: AKAMAI.NET
Registrar: TUCOWS INC.

If my sites had all their traffic phished ... I would "pull it". As of right now, wal-mart is not.

Is this a verified Hack?

Don't panick • November 28, 2007 5:19 AM

@ Anon

I think pulling it would be a bit severe, as it's used for load-balancing their webservers.

Maybe they should warn their local neighbourhood watch before using such technologies in future!
Powered by Movable Type. Photo at top by Geoffrey Stone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.