Latest problem import? Infected digital photo frames

In 2007, U.S. officials recalled melamine-laced pet food that caused the deaths of cats and dogs and lead-coated toys that endangered toddlers. Now, digital photo frames infected with computer viruses are the latest problem import from China.

"That phenomenon apparently has bled over to the digital side as well," Marcus Sachs, director of the Internet Storm Center at the SANS Institute (SysAdmin, Audit, Network, Security), said of the Chinese manufacturing problems that get exported. "Essentially, it's a supply chain problem. We've become dependent on a cheap source coming out of Asia."

The culprit is believed to be poor quality-assurance testing procedures in which one of every 1,000 or so devices is plucked off an assembly line and tested on a computer that is infected with a virus, he said.

Before Christmas, Samsung and Amazon issued alerts warning customers that some Photo Frame Driver CDs for Samsung's SPF line of digital photo frames contained a virus in the frame manager software. Customer PCs running Windows XP are at risk of being infected by the virus, W32.Sality.AE, which drops a keylogger or backdoor onto the system.

Element and Mercury brand frames sold at Circuit City and Wal-Mart, respectively, also were reported to be infected, according to the San Francisco Chronicle.

Sales of digital photo frame are increasing and Chinese suppliers produced more than 8 million in 2007, according to MarketResearch.com. Their plug-and-play use and the fact that they serve as a digital replacement for paper albums make electronic picture frames popular holiday gifts.

A year ago, Insignia digital picture frames were pulled from shelves and online sites after Best Buy learned they could be carrying a virus. Also reported to be infected then were digital frames from Advanced Design System, Digital Spectrum, and Castleton. But digital frames aren't the only electronic items found to carry a hidden payload. Other malware-infected devices have included MP3-playing sunglasses, a flip video camera, and Maxtor external hard drives, according to the SANS Internet Storm Center.

"Anything that has flash storage or bootable storage is exposed to this kind of threat," said Dave Marcus, director of security research for McAfee Avert Labs. "It doesn't mean you shouldn't buy them. You should just realize before you plug it in that you might want to disable the Windows auto-boot functionality and run an antivirus scan on it, just to be safe."

For instance, the ubiquity and convenience of USB thumb drives make them a growing propagation vector. A virus outbreak on a U.S. Department of Defense network prompted officials to temporarily ban the use USB drives, CDs and removable storage devices in November.

Attrition.org offers a long and growing list of malware-infected products that have hit store shelves.

(Credit: Attrition.org)

Security Web site Attrition.org maintains a list of products shipped to customers that were found to be infected with viruses and other malicious or odd programs. The list, which goes back to 1990, includes a credit card terminal that contained a bug to steal credit card information, MP3 players, USB drives, and other hard drives with computer worms, and a Cisco VPN Client CD that had MP3s of Mexican drug-runner folk music known as "Narcocorridos," all in 2008. Then there are the infamous Video iPods that shipped in 2006 with a Windows virus. (And just last April, a colleague bought a re-conditioned iPod Nano that arrived with a virus.)

"This list is not complete, yet it should make you realize that nothing is safe," the Attrition.org site says in a cynical warning. "Every piece of electronics you buy and every piece of software you install may come with malware pre-installed. Rather than manufacturers introducing a higher set of quality controls to prevent such incidents, we will no doubt see companies produce new products that will help keep you 'safe' from such threats. These 'controls' would no-doubt be another band-aid on top of band-aids that make up a lucrative market, which is sad commentary about how customers perceive and receive 'electronic security.'"

The problem is getting serious enough to merit congressional hearings on how to protect consumers against getting harmed from the electronic products they buy, said Sachs of the SANS Internet storm.

Right now the best protection against being infected by viruses in new devices is to keep antivirus software up to date, and disable Windows' AutoRun features and instead manually launch programs and installers when devices are inserted. The CERT security research organization has more information on the risks associated with AutoRun on its Web site.

[sparrowhyperion]

It amazes me how companies in the U.S. will still buy these cheaply made, shoddy workmanship items from China. It has become pretty obvious that they si9mply can't handle proper quality control over there where their work climate is to produce as many items as they can, as quickly as they can. Maybe the U.S should start manufacturing over here again.... How's that for a novel idea...?

[hleotan]

I totally agree with you. I'm really tired to see cheap stuff from China all over our shelfs. It's cutting business in America.because they can't compete with the price but, is made with quality. I think it's getting out of hand.

[Gene__]

But, it is not entirely the result of "American companies" buying cheap stuff offshore. It is also largely related to [so many] AMERICANS themselves wanting everything to be cheap, or inexpensive, or however they rationalize it to themselves. And domestic products can be much more expensive for many reasons, including our relatively expensive labor rates (compared to Asian rates of pennies per hour or day), and the increased cost of regulations with which our domestic industry has to comply, but Asian countries either do not have or do not enforce (except against foreign firms operating on their soil). So, a large part of it is what we have done -- and continue to do -- to ourselves to make our own industry so hard-pressed to compete in the world economy.

We ran into this problem this year with two mp3 players that came to our home as gifts (for our children). Can't eliminate the code on the devices that the anti-virus program identified under its heuristics analysis mode, because the devices are locked against such actions.

gggg sssss may also be correct: Is this all "accidental"? Probably not. Some may be intentional, but how much remains a mystery.

[gggg sssss]

next up : pre virused / pre rootkitted Lenovos, to be flogged to defence departments around the world. These are not accidents.

[andeys3]

I think it comes down to be able to research what you buy, and not just picking up things that are on the shelves and assuming that what you buy will be the best for you. You don't do that with your groceries, why do that with an expensive technology? http://www.sitonsantaslap.com/?utm_source=bc