Hard Drives Sold with Pre-Installed Trojans

I don't know if this story is true:

Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc, the Investigation Bureau said.

Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.

The tainted portable hard disc uploads any information saved on the computer automatically and without the owner's knowledge to www.nice8.org and www.we168.org, the bureau said.

Certainly possible.

EDITED TO ADD (12/14): A first-hand account.

Posted on November 20, 2007 at 12:52 PM • 31 Comments

Comments

Alex • November 20, 2007 1:17 PM

Kind of doubt it. Seems like potentially way too much data to go unnoticed for long, unless some sort of filtering is performed on file name / size.

The Dave • November 20, 2007 1:55 PM

Even if it's happening, this wouldn't be all that much of a threat.

If used as a replacement primary drive, the OS' installer would normally remove such files.

Even as a secondary drive, most modern Windows OSes don't run autorun.inf from internal drives, and the OS' installer will wipe the drive anyway.

This might hit 2000 or unpatched first generation XP, but if that is your environment, you probably have bigger threats to worry about.

I focus on Windows since I don't know any other OS that even runs autorun.inf.

tim • November 20, 2007 2:11 PM

There is plenty of precedent for this. Have we forgotten the Apple iPod debacle a couple of years back already?

Somebody • November 20, 2007 2:27 PM

I honestly think that autorun is one of the most brain-dead misfeatures in the history of operating systems.

It causes so many problems, major and minor, and yet has so little benefit.

I don't consider an OS install complete until I disable autorun.

kc0dxh • November 20, 2007 2:38 PM

Are .pifs even needed anymore? Why not just disassociate that extension? Autorun isn't inherently harmful. It's what's run that harbors the potential for harm.

MyCat • November 20, 2007 2:41 PM

The Personal Storage drive is an external drive so that the non-technical user can put their personal files on it. As such it would be preformatted.

Camilo • November 20, 2007 2:50 PM

Yes mycat, it should be preformatted, but what happens if the computer where it is preformatted has a virus/trojan? I think it is more likely that an "evil" manufacturer put in the trojan. Thinking again, Sony set a very high mark on "evilness".

jack c lipton • November 20, 2007 2:52 PM

@MyCat

Sure, it's pre-formatted so people running Windows have "convenience" (laughs).

Mind you, when I get one of those disks, I'm busy re-partitioning it (after a dd if=/dev/zero bs=1048576 count=32 of=/dev/sda or sdb or whatever) and then putting an ext2 (if not ext3) file-system on it. And, yes, there _is_ an ext2 driver/explorer for XP *and* Mac OS X. (Needless to say I do NOT use XP if I can help it; if I need to move files around, a LiveCD and tar/ssh to a real server are my preference, though I am not averse to WinSCP if I have no other choice.)

But that's just _me_.

Hasn't this trick been tried by Sony on CDs? And hasn't this kind of insanity appeared on flash drives?

I tend to be paranoid about media, but, I also freely acknowledge that, while my paranoia does go to 11, sometimes that is just not paranoid enough.

Stephen Smoogen • November 20, 2007 2:56 PM

Definitely true.. and probably not the first time this has happened in the past from various drive manufacturers. The real sweet spot is USB key chains as most people do not reformat them and just plug them in and let the magic machine do what it wants.

bob • November 20, 2007 3:09 PM

The government should buy a couple thousand of these drives and then fill them over and over again with low res porn files and copies of government regulations.

Vitus Wagner • November 20, 2007 3:17 PM

"Yes mycat, it should be preformatted, but what happens if the computer where it is preformatted has a virus/trojan?"

Then it is utter incompetence of the manufacturer.
Talleyrand used to say: "It's worse than a crime, it's a mistake". And his long political survival shows that he knew something about crimes.

I think that in the field of IT security incompetence is worse than evil intentions.

UNTER • November 20, 2007 4:42 PM

@Vitus:

In most fields that's true. An "evil" enemy you can discover by the pattern of her actions - she implicates herself. But an incompetent opponent is unpredictable - incompetence is a relatively random series of actions that are uncorrelated with reality. It takes a great deal of analysis to distinguish them though, since if you assume that your opponent isn't evil and he is, his pattern will appear at first blush to be random.

Hanlon's razor and Hanlon's bane in action.

Terry Karney • November 20, 2007 6:49 PM

I was reading someone complaining about a Seagate drive which had some pre-installed software, which immediately copied itself to the machine's hard drive, unbeknownst, and then replaced itself on the secondary drive after he'd removed it.

So he had to remove it three times.

Which convinced me I wasn't going to be getting anything from them.

Eam • November 20, 2007 8:51 PM

@kc0dxh
"Autorun isn't inherently harmful. It's what's run that harbors the potential for harm."

Leaving your new car unlocked in a busy parking lot with the keys in the ignition isn't inherently harmful either.

RobW • November 20, 2007 9:17 PM

@Ross:
That forum posting just doesn't seem right, there's more going on there. Supposedly after connecting his new Maxtor his system slowed to a crawl and one of his other external drives became unusable, to the extent that he says he's going to have to pay >$1000 to have a clean room open up the drive and remove the platters so he can get his data back. This makes little sense to me, if it's true then there's a much bigger story here I think. Sounds like the guy dislikes Maxtor for some reason and saw this story and made his own story up.

jay • November 20, 2007 10:01 PM

To add to my last comment. Always make it a habit to disable Autorun for devices in Windows. Even the USB stick worm propagated using this autorun feature. You can turn it off using TweakUI which is provided by Microsoft. It's easier to do using the GUI than editing the system's registry!

m17 • November 21, 2007 1:35 AM

Autorun on Windows does not work for hard drives. So, unless HD is modified to pretend that it is a CD (as, e.g., in ) the attack vector is simply impossible.

Chris S • November 21, 2007 2:03 AM

Re: Autorun on Windows does not work for hard drives.

Not so - it does not work for *internal* hard drives. But it works just fine for USB connected fixed drives. Windows makes a distinction between "removable media" and "removable drives".

Find the question "What must I do to trigger Autorun on my USB storage device?" at
http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

The answer makes very clear that fixed disk drives can trigger autorun. And any hard drive can be converted into a USB drive just by connecting it into a USB drive enclosure.

robert • November 21, 2007 2:15 AM

This is how to turn off autoplay on windows and avoid all sort of issues:

Start -> Run -> gpedit.msc -> Local Computer -> Computer Configuration -> Administrative Templates -> System -> Turn Off Autoplay -> Enabled

jay • November 21, 2007 3:38 AM

@m17, Well this is an interesting discussion. Actually I guess it's now safe to say that you should always get the new hard drive checked for viruses by using it as a removable storage unit (USB) provided that autorun is turned off.. Plug it into an enclosure and run a thorough scan (maybe using multiple virus scanners). But I'm sure if you format the new HDD using it as an RSU I don't think you have to perform the virus scan anyway.

jammit • November 21, 2007 9:44 AM

Having the drive pre-formatted as fat32 and including an autorun on it, or adding a boot sector virus is just boring. I'm waiting for the day when the hard drive firmware comes from the factory with a virus on it.

DLL • November 21, 2007 9:57 AM

@tim
"Have we forgotten the Apple iPod debacle a couple of years back already?"

Apparently, I have. What debacle?

Omar Herrera • November 21, 2007 4:58 PM

Happened to me in 2005 in the UK. I bought an MP3 player (a cheap generic) from a store and it had a "surprise" inside. The thing was manufactured in China and had no brand (it wasn't detected by any AV I had at hand at the time but seemed to be a variant of a known trojan horse).

I agree with other comments in this forum. You should format all new rewritable discs (magnetic or memory based).

Paeniteo • November 23, 2007 6:04 AM

@robert: "This is how to turn off autoplay on windows and avoid all sort of issues:"

Autoplay != Autorun

The first is that Windows detects what kind of data is on the newly inserted drive and presents you with (more or less) sensible options what to do with the inserted drive.
For example, if it's a memorystick with images on it, Windows will offer to copy them to the hard disk. If it's an empty CDR, it will offer to launch your CD recording software.

The latter is about reading autorun.inf and executing a program specified there.
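The two points made above by Chris S and Paeniteo (autorun.inf is honored for a USB-attached fixed disk unless policy says otherwise, and the file itself names the program Windows will launch) can be checked offline. The script below is an added example written for this thread, not code from the post or from any commenter. It assumes the INI layout of autorun.inf (an [autorun] section with open=, shellexecute= and shell\<verb>\command= entries) and the documented bit layout of the NoDriveTypeAutoRun registry value that the "Turn off Autoplay" policy robert mentions writes to; the sample autorun.inf is constructed to mirror the file names in the news story, and all function names are my own.

```python
"""Offline check of an autorun.inf plus the NoDriveTypeAutoRun policy mask.

Added example for this thread, not code from the post or its commenters.
Assumptions: the INI layout of autorun.inf ([autorun] with open=,
shellexecute=, shell\\<verb>\\command=) and the documented bit layout of
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun.
The sample file below is constructed to mirror the file names in the story
(autorun.inf launching ghost.pif).
"""
import os

# One bit per GetDriveType() result; a SET bit disables autorun.inf for that type.
DRIVE_TYPE_BITS = {
    "unknown":   0x01,  # DRIVE_UNKNOWN
    "no_root":   0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,  # DRIVE_REMOVABLE (USB sticks, floppies)
    "fixed":     0x08,  # DRIVE_FIXED (internal disks AND disks in a USB enclosure)
    "remote":    0x10,  # DRIVE_REMOTE (network shares)
    "cdrom":     0x20,  # DRIVE_CDROM
    "ramdisk":   0x40,  # DRIVE_RAMDISK
}
XP_DEFAULT_MASK = 0x91   # XP default: unknown + remote + reserved 0x80 bit only
ALL_DRIVES_MASK = 0xFF   # what the "Turn off Autoplay: All drives" policy writes

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

# Constructed sample, modelled on the file names in the story (not a real capture).
SAMPLE_AUTORUN_INF = """\
[autorun]
label=Maxtor Personal Storage
icon=ghost.pif
open=ghost.pif
shellexecute=ghost.pif
shell=install
shell\\install=&Install drive tools
shell\\install\\command=ghost.pif /quiet
"""


def parse_autorun(text):
    """Parse INI-style text into {section: {key: value}}; keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_commands(sections):
    """Every command line the shell could run from [autorun]: open=,
    shellexecute= and shell\\<verb>\\command=. Returned as (key, command) pairs."""
    cmds = []
    for key, value in sections.get("autorun", {}).items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            cmds.append((key, value))
    return cmds


def flagged_executables(sections):
    """Program names referenced by launch commands that carry an executable extension."""
    found = set()
    for _, cmd in launch_commands(sections):
        parts = cmd.split()
        if not parts:
            continue
        program = parts[0].strip('"').lower()
        if os.path.splitext(program)[1] in EXECUTABLE_EXTS:
            found.add(program)
    return found


def autorun_honored(mask, drive_type):
    """True when the policy mask leaves autorun.inf enabled for this drive type."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])


def report(text, mask=XP_DEFAULT_MASK, drive_type="fixed"):
    """Print a summary for a human and return the flagged set for callers."""
    sections = parse_autorun(text)
    flagged = flagged_executables(sections)
    print(f"autorun.inf honored on {drive_type} drive with mask 0x{mask:02X}: "
          f"{autorun_honored(mask, drive_type)}")
    for key, cmd in launch_commands(sections):
        print(f"  {key} -> {cmd}")
    print("flagged executables:", sorted(flagged) or "none")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_AUTORUN_INF)                    # XP default, disk in a USB enclosure
    report(SAMPLE_AUTORUN_INF, ALL_DRIVES_MASK)   # after the group policy change
```

With the XP default mask the "fixed" bit is clear, so a hard disk in a USB enclosure gets its autorun.inf processed, which is exactly Chris S's point; setting the policy to all drives (0xFF) closes it. The mask only says whether the file is parsed at all; it does not model the AutoPlay prompt that Paeniteo distinguishes from autorun, which is why the parser is run regardless of the mask.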

Not given • November 26, 2007 12:35 PM

I am only reporting this here as I assume you know who to send this info to:

Right now (started 11-26-07 11:30am CST)

Walmart.com is being redirected to:
http://a248.e.akamai.net/f/248/16813/7d/www.walmart.com

It also appears all transactions are following redirect.

Domain Name: AKAMAI.NET
218.57.11.112

Registrar: TUCOWS INC.
OrgName: Asia Pacific Network Information Centre
ReferralServer: whois://whois.apnic.net
NetRange: 218.0.0.0 - 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1

If my sites had all their traffic phished ... I would "pull it".

As of right now, wal-mart is not.

Is this a verified Hack?

Don't panick • November 28, 2007 5:19 AM

@ Anon

I think pulling it would be a bit severe, as it's used for load-balancing their webservers. Maybe they should warn their local neighbourhood watch before using such technologies in future!
