After discovering attack code on a brand new Windows XP netbook, antivirus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.
When Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, “they thought something strange was going on,” said Roel Schouwenberg, a senior antivirus researcher with the Moscow-based firm. Microsoft’s Windows XP is considered by many users to be the ideal operating system for the small-form, nearly bare-bones portable computers known as netbooks.
Schouwenberg scanned the machine — a $499 netbook designed for the school market — and found three pieces of malware.
“This was done at the factory,” said Schouwenberg. “It was completely new, still in its packaging.”
With a little more digging, Schouwenberg found multiple Windows system restore points, typically an indication that the machine had been updated with new drivers or that software had been installed before it left the factory.
One of the restore points, stamped with a February date, included the malware, indicating that it had been put on the machine before then. And the malware itself hinted at how the netbook had been infected.
“In February, the manufacturer was busy installing some drivers for an Intel product in the netbook,” said Schouwenberg, citing the restore point. Among the three pieces of malware was a variant of the AutoRun worm, which spreads via infected USB flash drives.
“The USB stick they used to install the drivers onto the machine was infected, and [it] then infected the machine,” said Schouwenberg.
Installed along with the worm were a rootkit and a password stealer that harvests log-in credentials for online games such as World of Warcraft.
Kaspersky has reported its findings to M&A, said Schouwenberg, but the netbook maker has not been in contact with the security company since then.
Although factory-installed malware is rarely found on consumer electronics, there have been cases.
Photo frame scare
Last December, for example, Amazon.com told customers it had sold Samsung digital photo frames before the holidays that came with a driver installation CD infected with a Trojan downloader.
The online retailer warned customers running Windows XP that a Samsung digital photo frame it sold until earlier that month might have come with malware on the driver installation CD.
Samsung first issued an alert about the SPF-85H, an 8-in. digital photo frame, in November; it listed five photo frame models as being affected: SPF-75H, SPF-76H, SPF-85H, SPF-85P and SPF-105P.
This warning was repeated by Amazon.com customer service on its online user forum.
In its note to customers, Amazon.com said that a Samsung advisory had been issued for the Samsung photo frame, which Amazon sold for approximately $150 starting last October.
But it reassured customers that the Samsung SPF-85H was no longer available on Amazon.com.
Samsung released its advisory on Nov. 27. According to Samsung’s alert, “a batch of Photo Frame Driver CDs contain a worm virus in the Frame Manager software. This is a risk of the customers host PCs being infected with this worm virus.”
Samsung did not specify how the malware got on the CD, or how it escaped the company’s quality control checks.
Amazon’s advisory had identified the malware as W32.Sality.AE, the name assigned by Symantec Corp. Security vendors McAfee Inc. and Trend Micro Inc. have pegged the malware with the names W32/Sality and Troj_Agent.xoo, respectively. Symantec’s write-up said W32.Sality.AE was a “downloader” — a malicious program that, once installed, downloads even more malevolent attack code.
Most security companies said that the malware — variously labeled as a virus or a Trojan — was first spotted in the wild last August, although some reported earlier variations as far back as mid-2007.
Amazon recommended that people who purchased a Samsung photo frame should download an updated — and theoretically malware-free — version of the Windows XP edition of Frame Manager from Samsung’s support site.
Only users running Windows XP are at risk, Samsung and Amazon said; Windows Vista is immune.
Cases of virgin computers being infected with malware are much rarer than the same thing happening with picture frames, according to Schouwenberg.
To ensure that a new PC is malware-free, Schouwenberg recommends that before users connect the machine to the Internet, they install security software and update it by retrieving the latest definition file on another computer.
They should transfer that update to the new system and then run a full antivirus scan, the Kaspersky Labs exec said.
“That’s the best course of action, even though it sounds like a lot of work.”