Trojan Found In New HDs Sold In Taiwan

kdawson posted more than 6 years ago | from the bourne-again dept.

Security 344

GSGKT writes "About 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand were found to have trojan horse malware pre-installed (autorun.inf and ghost.pif). When the HD is in use, these forward information on the disk to two websites in Beijing, China: www.nice8.org or www.we168.org. The article implies that authorities believe the Chinese government is behind the trojans. A later article pins down the point of infection to a subcontractor company in China. A couple of months back the Register was reporting on pre-installed malware detected on Maxtor disks sold in the Netherlands. This earlier report was downplayed by a Seagate spokesman." The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.

344 comments

Same (5, Interesting)

renegadesx (977007) | more than 6 years ago | (#21318495)

Lead in paint, malware in HD's same thing really

Re:Same (2, Insightful)

Monsuco (998964) | more than 6 years ago | (#21318619)

Lead in paint, malware in HD's same thing really
Except that pesky death part. Meh details.

Re:Same (1)

RuBLed (995686) | more than 6 years ago | (#21318887)

I hate these scripts that utilize autorun.inf. In my country they are so popular, everyone makes one, script kiddies! On the bright side, it could be easily removed most of the time.

The current (as of writing) Windows Secrets newsletter features an article that would let you at least prevent most kinds of autorun.inf scripts from ever running in the first place. It would save me some trouble from all those college girls (errr.. I mean relatives) that get infected by these sort of things all the time...

One quick trick [windowssecrets.com]

First off... (5, Funny)

explosivejared (1186049) | more than 6 years ago | (#21318507)

Anyone who doesn't wipe a new drive first off is just begging for this sort of thing. Secondly, I guess it's a new competition for Chinese manufacturers to see what's the worst secret addition to a product sent overseas. Lead in toys, GHB in toys, phone-homes on HDD's... what's next killer bees in new TV's... really. Consumerism bites!!

Re:First off... (1)

corsec67 (627446) | more than 6 years ago | (#21318627)

In windows, wouldn't the HD be mounted before you can format it?

I know in most Linux distros a HD that isn't mentioned in fstab will not get mounted, but what about Windows?

I guess you have to boot from a LiveCD and format the disc to be sure.

Re:First off... (1)

ChrisMounce (1096567) | more than 6 years ago | (#21318751)

I believe that the Windows installation CD is bootable and has a format utility, so you wouldn't necessarily need a Linux CD (I'm assuming that's what you meant by "LiveCD"). If there was malware on the drive, I can't see any way it could get into the Windows installer program as long as you were booting off the CD.

Of course, if you wanted your PC to stay secure, then yes, you would need a Linux CD.</obligatoryjoke>

Re:First off... (1)

ChrisMounce (1096567) | more than 6 years ago | (#21318801)

Wait... Nevermind, I see you were talking about using the drive for external storage — for some reason I was thinking you were installing the drive into a new computer or something.

Re:First off... (3, Informative)

404 Clue Not Found (763556) | more than 6 years ago | (#21318759)

I'm not sure how Windows actually handles "mounting" behind the scenes, but to the user, a new drive typically just shows up automatically as a drive letter (like F:\) both in the GUI and the command prompt. Then when you try to access the drive, you'll get a dialog box saying the drive isn't formatted and asking if you'd like to format it.

In the case of preformatted external drives (which this one is supposed to be), however, not only will the drive immediately become available for access as soon as it's connected, Windows may also try to autorun any programs listed in the drive's autorun.inf.

Re:First off... (1)

zsouthboy (1136757) | more than 6 years ago | (#21318893)

I can confirm windows tries to autorun any such file, if present, and if not, searches the disk for "content" (images, music, etc.) to present an autorun option to the user.

Re:First off... (4, Informative)

404 Clue Not Found (763556) | more than 6 years ago | (#21318895)

Oh, forgot to mention that autorun can be disabled either temporarily by holding down Shift when connecting a drive or permanently via a control panel.

Re:First off... (2)

ozmanjusri (601766) | more than 6 years ago | (#21318963)

A default install of XP will autostart (i.e, autorun.inf) any external drive when it's plugged in. In theory, a program shouldn't run automatically without user intervention. You should get that menu offering to play music, copy files etc.

In practice, it's easy to get an app to run invisibly. If someone is trojaning OEM drives, Microsoft's choice of defaulting to the insecure autorun mode means a lot of people will be infected.

Re:First off... (4, Funny)

Anonymous Coward | more than 6 years ago | (#21319057)

>I'm not sure how Windows actually handles "mounting" behind the scenes

Simple. You install Windows, and feel as if you were being mounted by Ball-mer. With a chair.

Re:First off... (3, Funny)

dotgain (630123) | more than 6 years ago | (#21319063)

Or in my case, it tries to assign a drive letter, fails because there's already a drive using that letter, and says:

24 Volumes ought to be enough for anybody. Bet you never thought you'd run out of drive letter, huh?

Re:First off... (0)

Anonymous Coward | more than 6 years ago | (#21318799)

I always disable autorun and auto insert notification in Windows because it annoys me when discs run their installers or ask to open a media player when I place them in the drive. If it doesn't autorun, you can connect the drive and format it without worry.

Nope (2, Informative)

The MAZZTer (911996) | more than 6 years ago | (#21318891)

Default Windows settings would run the trojan once you plugged the drive in. To avoid this you either have to hold shift for an indeterminate amount of time while plugging the drive in, which can be difficult or impossible. With such a drive you're likely to use a more inaccessible port because you likely won't be needing to unplug it much. The only other alternative is to disable autorun for removable drives. This option is not available in the standard GUI and third party tools (or TweakUI) are needed.

Whoops (1)

The MAZZTer (911996) | more than 6 years ago | (#21318911)

Bah, right after I posted my comment I realized I wasn't thinking straight. Time for bed I guess. Ignore parent and imagine I typed this instead:

Default Windows settings would mount the drive and immediately parse autorun.inf. I'm not sure about running the trojan, but I think MS totally disabled the run part of autorun in Vista and maybe an XP update (instead you get a dialog which shows the autorun action as one of several options you can take including nothing, or opening the drive in explorer).

Not the only...think different (1)

djupedal (584558) | more than 6 years ago | (#21319081)

"The only other alternative is to disable autorun for removable drives. "

Or... chassis it into an external FW/USB/SATA enclosure, cabled to a Mac & either reformat it for OS X & use... or wipe it and format it for a windows box.

Re:First off... (0)

Anonymous Coward | more than 6 years ago | (#21318903)


Anyone who doesn't wipe a new drive first off is just begging for this sort of thing. Secondly, I guess it's a new competition for Chinese manufacturers to see what's the worst secret addition to a product sent overseas. Lead in toys, GHB in toys, phone-homes on HDD's... what's next killer bees in new TV's... really. Consumerism bites!!


Actually, it's Globalism that bites.

Turns out that outsourcing your entire manufacturing industry to a country that cares jack and shit about consumer safety and trade laws isn't really a great idea, eh?

Re:First off... (2, Funny)

uncoveror (570620) | more than 6 years ago | (#21318915)

When I read that these drives were originally for government agencies, I suspected it might be Monkeypoo... VIRUS WARNING: Attention: Computer Labs Inc., makers of Virucide antivirus software have identified a highly dangerous new Trojan worm, MONKEYPOO. It will usually appear in an e-mail with the subject, "Congratulations.You have won!" it will then prompt you to click a link to collect your cash prize. It can also freely spread across networks. Monkeypoo will read your address book, and mail a copy of itself to every address it finds, and it will look like you sent it. It will then invoke the secret self-destruct command held over from the original IBM PC's 8086 command set. This short line of code will cause the processor, ram, hard drive and any floppy drives to spin out of control and overheat until key components melt together, and will most likely cause a fire. James Winklee, a former IBM programmer had this to say. "We developed the self-destruct code so government agencies such as the FBI and CIA could quickly and completely destroy compromised computer systems before an enemy could get their hands on classified information. When we saw how violently a PC executing the command burst into flames, we decided not to publish its existence. It has been kept a secret successfully until now. If you get infected with the Monkeypoo Trojan worm, you may notice your computer going completely haywire. Physically unplug it from power as fast as you can, and send it in for repair. Only a professional can remove this one." While Computer Labs Inc and other antivirus software makers are working on a solution, they haven't got one a home user could successfully run yet. "This is the worst kind of malicious code I have ever seen." said Marcus Polan of Computer labs Inc. Use extreme caution. It is important that as many computer users as possible receive this warning, so send it out to as many people as you can. The entire Internet and every PC connected to it is at risk.

It's a bargain! (5, Funny)

techmuse (160085) | more than 6 years ago | (#21318517)

Most PCs ship without professionally produced malware installed. While everyone might *wish* that their PC came with such software, only a small percentage of customers are actually lucky enough to get their malware free of charge. Mac users, don't feel bad that your system won't come with it. You get iLife. :-)

Re:It's a bargain! (0)

Anonymous Coward | more than 6 years ago | (#21318601)

What do you call AOL then? Most PC's seem to come with that these days.

go go gadget china! (0)

Anonymous Coward | more than 6 years ago | (#21318525)

it's the most corrupt mainstream country in the world right now, so what do you expect?

Re:go go gadget china! (2, Insightful)

NeverVotedBush (1041088) | more than 6 years ago | (#21318647)

And China still openly considers the USA to be an enemy. Why manufacturers subject themselves to these liabilities I'll never... Oh wait - they make more money even if they kill children with GHB overdoses, cripple their brains with lead, or export National secrets and financial data to China.

What the hell was I thinking? American businesses that outsource to China are no better than spies and traitors themselves. For all the damage they do, they might as well be.

It's times like this... (1, Informative)

fractoid (1076465) | more than 6 years ago | (#21318527)

...that I'm really glad I switched to Linux. :)

Re:It's times like this... (1)

Brian Gordon (987471) | more than 6 years ago | (#21318551)

I just disabled Windows autorun and I'm equally safe.. *shrug*

Re:It's times like this... (1)

ArcherB (796902) | more than 6 years ago | (#21319069)

I just disabled Windows autorun and I'm equally safe.. *shrug*

I think the GP is implying that he doesn't have worry about things LIKE this.

An example I have would be a buddy of mine at work. He's a technician also, but not really a "geek". Anyway, he got a message from Time Warner the other day saying he was kicked off his cable Internet for sending out spam. Evidently, his desktop machine got infected. He said, "I don't get it. How did it get infected? I never use it. I always use my notebook. It's behind a firewall. It updates automatically. I just use it for remote access." Obviously, he runs a Windows product. I explained how my Linux box has been on the DMZ for years and I've never had a problem. (none of these are "production" machines, btw.)

Anyway, that is what the GP was talking about. When you run an obscure OS, you are secure through obscurity. That and Linux is pretty damn secure on its own.

Re:It's times like this... (0)

Anonymous Coward | more than 6 years ago | (#21319125)

Watch out for the false sense of security. I know OSS can also do things without asking the user first.

Just one example here: a few years ago my FreeBSD/KDE was automounting and executing autorun.inf from a Deus Ex game cdrom I left in a drive. It did not get far since it could not execute setup.exe and gave me a few error dialogs (could not find blah, could not run blah, could not complete blah blah), but it was trying to autorun my CD nonetheless. Had it been an actual virus, and had I properly set up wine, I would get infected (at least with that release of KDE).

Thank goodness for Chinese manufacturing (4, Interesting)

JewGold (924683) | more than 6 years ago | (#21318529)

I mean, so what if there's a trojan that steals my identity and turns my computer into a botnet node? So what the materials it's comprised of let off poisons that will kill me and my whole family? I saved $6 on this baby!

Re:Thank goodness for Chinese manufacturing (1)

sqrt(2) (786011) | more than 6 years ago | (#21318809)

I stopped buying things made in China. It is possible. I've found that most things you could want to buy have an alternative made here in America, except maybe electronics and you can usually get ones made in Japan. I've been saying this to people for a long time, longer than the last six months when we've been hearing all these stories about poisoned Chinese products. Check the labels, shop around if you can. There are alternatives out there.

Can't trust hardware anymore? (4, Insightful)

compumike (454538) | more than 6 years ago | (#21318547)

While the open source movement has done a great deal toward making software understandable, at some point, people have to trust their computers. However, this used to be a great deal easier, because engineers had a good idea of what could be done with a particular amount of circuitry.

The increasing level of integration means that hardware is more and more of a black box. While this has led to huge savings in cost and performance boosts, we've paid for it by being unable to debug the hardware, and unsure of what's really going on inside.

While the case in the article talks specifically about a trojan horse installed normally on the drive -- and thus something that should have been remedied by a good formatting job -- who knows what could happen once we have vulnerabilities embedded directly into the hardware. One could certainly imagine a trojan that was hard-coded in the firmware and kept moving itself around the disc after attempts to delete it.

It also seems fishy that much sensitive information (of relevance to a foreign government) could be obtained from randomly putting trojans on hard drives... Isn't it possible that this was an unintentional infection from some disk-handling or testing machine along the line?

--
Educational microcontroller kits for the digital generation. [nerdkits.com]

Re:Can't trust hardware anymore? (1)

killmofasta (460565) | more than 6 years ago | (#21318657)

>"people have to trust their computers."

NEVER. I have been using computers since 1970. This book:

http://www.amazon.com/Satan-Psychotherapy-Unfortunate-Kassler-J-S-P-S/dp/059514506X [amazon.com]

Will prove to you, beyond any shadow of doubt, that computers are the essence of all evil.
If you trust your computer, then give your teenager the keys to your car, and your bankcard and tell me how much you'd trust them. 'Trusted-computing' is a self contradictory phrase, like Airline Food, and Military Intelligence.

Re:Can't trust hardware anymore? (0)

Anonymous Coward | more than 6 years ago | (#21318789)

You are an idiot.

Not a trojan (3, Insightful)

techmuse (160085) | more than 6 years ago | (#21318559)

By the way, it isn't a trojan. A trojan is software that convinces the user to install it by looking like something else that the user might want to install. While this may certainly qualify as malware, it isn't a trojan.

Re:Not a trojan (5, Insightful)

Megane (129182) | more than 6 years ago | (#21318611)

A trojan is software that convinces the user to install it by looking like something else that the user might want to install.

Something else like a... hard disk?

Re:Not a trojan (1)

Jeff DeMaagd (2015) | more than 6 years ago | (#21318747)

>>A trojan is software that convinces the user to install it by looking like something else that the user might want to install.

>Something else like a... hard disk?

A hard disk is mostly... hardware. There's a little software in it, even in a good, uninfected unit, but that's called firmware. One doesn't buy a hard disk for that firmware.

I don't know. (0)

Anonymous Coward | more than 6 years ago | (#21318921)

This is not a trojan in the software sense, and I'm not sure it is in the classical sense, either. I think you have to take intent into consideration. The software was not knowingly placed on the drive by the manufacturer; it was slipped in by a contractor somewhere down the line. From the end user's perspective I guess there really isn't any difference (drive goes in, computer gets fucked), but the manufacturer was not trying to dupe their customers.

Re:Not a trojan (2, Insightful)

malvidin (951569) | more than 6 years ago | (#21318685)

Although I agree with your definition of a trojan, I have to say that this is a trojan as well.

If someone puts malware in a device I would willingly put in my computer without me employing security measures, I would consider that more true to the original source of the term.

Re:Not a trojan (2, Funny)

Waffle Iron (339739) | more than 6 years ago | (#21318703)

Computer <-> Troy

SATA connector <-> City gate

Disk drive <-> Big wooden horse

Autorun file <-> Greek soldiers

Re:Not a trojan (1)

Hao Wu (652581) | more than 6 years ago | (#21318785)

A trojan is software that convinces the user to install it by looking like something else that the user might want to install.
What you are basically saying is that all trojans look alike. As a person of Asian ancestry, I am somewhat offended by your insensitivity.

Re:Not a trojan (0)

Anonymous Coward | more than 6 years ago | (#21318909)

Yes it's shocking isn't it. Why I said just the same thing to my natural redhead Korean friend the other day, and him and his natural blonde Chinese gf totally agreed.

It's a classic Trojan Horse. (1)

Marrow (195242) | more than 6 years ago | (#21318907)

Something physical brought behind your defenses that attacks you unawares.

Re:Not a trojan (0)

Anonymous Coward | more than 6 years ago | (#21318975)

The above is modded way too high, especially considering that he is wrong. It is a trojan, the user buys what he thinks is a perfectly safe hard drive, but ends up with extra malware.

Re:Not a trojan (1)

Kenji DRE (1020807) | more than 6 years ago | (#21318995)

What if I have access to someone's hard disk and install a trojan on it, by your definition it wouldn't be called a trojan, would it?

How would that even work (1)

Paul Carver (4555) | more than 6 years ago | (#21318561)

Do they have some mechanism for surviving the initial format or is this a complete hoax? Even assuming the drive is installed in a Windows computer, isn't the first step always to format the drive? I've added lots of drives to Windows machines and it never occurred to me to try to access them without formatting them. Do these come preformatted?

As to the reference about these drives being used for government databases, certainly they would be reformatted when added to a RAID, wouldn't they? Even if preformatted for non-RAID use I don't suppose it would be possible to use them in a RAID without formatting first and what database would ever be on a non-RAID device?

Re:How would that even work (3, Interesting)

myc (105406) | more than 6 years ago | (#21318595)

not for external USB drives that are already pre-formatted with a FAT32 filesystem. Plug it in and go! your box is pwn3d.

Re:How would that even work (1)

ILuvRamen (1026668) | more than 6 years ago | (#21318717)

not if you're smart enough to hold shift when you plug it in. I believe that's still the XP "don't run autorun anything" trigger. It's really that simple, people. Btw I wrote my own autorun file for my USB drive with the assistance of a freeware program for that and the line to set the icon for the drive always worked on every PC and the very next line about running an .exe file on the drive never, ever ran on any machine. And yet there's the U3 crap so how exactly does this work if there's obviously some protection or something about autoruns running .exe files.

Re:How would that even work (2, Informative)

totally bogus dude (1040246) | more than 6 years ago | (#21318773)

Autorun can definitely run exe's, that's its main purpose. That's how the installer automatically starts up when you insert a game or application CD. It's possible that the exe needs to be signed or something, but it's more likely that whatever program you were using simply "did it wrong".

Don't forget that you can also disable autorun permanently, rather than having to remember to hold shift every time you insert a disc.

Re:How would that even work (1)

Chris Pimlott (16212) | more than 6 years ago | (#21318933)

There's more to it in this case. Windows does not autorun executables for USB drives, presumably as a security measure. The way that U3-enabled flash drives get around it is by having a special controller and a read-only area that presents itself to Windows as a CD-ROM drive, for which the OS allows autorun. So in case you were ever wondering, yes, there is a difference between U3 flash drives and normal ones, it's not just branding.

Re:How would that even work (1)

Chris Pimlott (16212) | more than 6 years ago | (#21319085)

I found a short bit about USB autorun on Microsoft's site [microsoft.com]:

Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command [wikipedia.org]. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.
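The RMB check described in the FAQ text quoted above, as an added Python example that is not part of the original comments: it decodes the relevant bytes of standard SCSI INQUIRY data and applies the quoted rule (Autorun only for CD-ROM drives and fixed disks). The three INQUIRY responses, their vendor and product strings, and the helper names are constructed for illustration.

```python
from dataclasses import dataclass

DIRECT_ACCESS = 0x00   # peripheral device type: disk or flash drive
CD_DVD = 0x05          # peripheral device type: CD/DVD drive


@dataclass
class Inquiry:
    device_type: int
    removable: bool
    vendor: str
    product: str


def parse_inquiry(data):
    """Decode the fields of standard INQUIRY data that matter for Autorun."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    return Inquiry(
        device_type=data[0] & 0x1F,        # byte 0, bits 4-0
        removable=bool(data[1] & 0x80),    # byte 1, bit 7: the RMB
        vendor=data[8:16].decode("ascii", "replace").strip(),
        product=data[16:32].decode("ascii", "replace").strip(),
    )


def autorun_in_scope(inq):
    """Rule quoted from the FAQ: CD-ROM drives and fixed disks only."""
    if inq.device_type == CD_DVD:
        return True
    return inq.device_type == DIRECT_ACCESS and not inq.removable


def build_inquiry(device_type, removable, vendor, product):
    """Build a constructed 36-byte INQUIRY response for the samples below."""
    data = bytearray(36)
    data[0] = device_type & 0x1F
    data[1] = 0x80 if removable else 0x00
    data[4] = 31                                   # additional length
    data[8:16] = vendor.ljust(8).encode("ascii")[:8]
    data[16:32] = product.ljust(16).encode("ascii")[:16]
    data[32:36] = b"1.00"
    return bytes(data)


# Constructed sample responses (not captured from real devices).
SAMPLES = {
    "plain flash drive": build_inquiry(DIRECT_ACCESS, True, "EXAMPLE", "Flash Disk"),
    "external hard disk": build_inquiry(DIRECT_ACCESS, False, "EXAMPLE", "External HDD"),
    "U3-style CD partition": build_inquiry(CD_DVD, True, "EXAMPLE", "Virtual CD"),
}


def classify_samples():
    """Map each sample name to whether Autorun applies under the quoted rule."""
    return {name: autorun_in_scope(parse_inquiry(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, in_scope in classify_samples().items():
        print(f"{name}: Autorun {'applies' if in_scope else 'does not apply'}")
```
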

Re:How would that even work (1)

QuantumG (50515) | more than 6 years ago | (#21319041)

Yeah, you're wrong. Do this..

1. insert a usb drive, let's say it is mounted to I:
2. edit I:\autorun.inf with a text editor (for example, notepad) and put:

[autorun]
open=calc.exe
action=Run Calculator

3. copy c:\windows\system32\calc.exe to I:
4. remove the usb drive
5. reinsert the usb drive

Windows will pop up a dialog that says:

Windows can perform the same action each time you insert a disk or connect a device with this kind of file:

Program

What do you want Windows to do?

Run Calculator
using the program on the device

Open folder to view files
using Windows Explorer

Take no action

[] Always do the selected action
You can make the action say "Open folder to view files" and you can even make the icon look similar, but Windows will always say that helpful "using the program on the device" and it will never run the exe automatically. So you might be able to trick some people into running your program instead of running Windows Explorer but they would have to be not paying a whole lot of attention.. fair enough, that's not all that uncommon, but I think Microsoft have put some effort into making this both safe as well as useful, so don't come down on them quite so fast.

that said.. (4, Interesting)

QuantumG (50515) | more than 6 years ago | (#21319073)

Try putting this in your autorun.inf:

[autorun]
shell\silly=You're silly
shell\silly\command=calc.exe
shell=silly

now remove and reinsert the USB device. Hmm.. nothing happens.. how strange. Go to My Computer and double click on I: (or whatever your drive is mapped to) and what happens? Yeah, calc.exe is run. Thanks Microsoft.

You may now flame away.
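An added Python example, not part of the original comments: a small auditor that reads an autorun.inf before the drive is trusted and reports every entry that can start a program, covering both files shown in the two comments above (the open= entry and the shell default verb that fires on double-click). The third sample and the names example.exe and example.ico are constructed.

```python
import re
from dataclasses import dataclass

# Keys in the [autorun] section that name a program to launch.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries attach a command to the drive icon.
SHELL_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")
# Label of the built-in dialog entry that an "action=" line can imitate.
BUILTIN_LABEL = "open folder to view files"


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text):
    """Return the [autorun] entries as {lower-cased key: value}.

    Tolerant by design: comments, other sections and lines without '='
    are skipped rather than raising, so a malformed file still gets audited.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit(text):
    """List every entry that can start a program, and how it is triggered."""
    entries = parse_autorun(text)
    findings = []
    for key in EXEC_KEYS:
        if entries.get(key):
            findings.append(Finding(
                key, entries[key],
                "launched or offered in the dialog when the drive is inserted"))
    action = entries.get("action", "")
    if BUILTIN_LABEL in action.lower():
        findings.append(Finding(
            "action", action, "dialog text imitates the built-in entry"))
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        match = SHELL_COMMAND.match(key)
        if not match:
            continue
        if match.group(1) == default_verb:
            reason = "default verb: runs when the drive is double-clicked"
        else:
            reason = "extra verb on the drive's context menu"
        findings.append(Finding(key, value, reason))
    return findings


# The two files shown in the comments above.
SAMPLE_OPEN = r"""[autorun]
open=calc.exe
action=Run Calculator
"""
SAMPLE_SHELL = r"""[autorun]
shell\silly=You're silly
shell\silly\command=calc.exe
shell=silly
"""
# Constructed sample: junk line, mixed case, imitated label, second section.
SAMPLE_MIXED = r"""junk line with no equals sign
[AutoRun]
; comment
Open=example.exe
Action=Open folder to view files
Icon=example.ico
shell\explore\command=example.exe
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("shell", SAMPLE_SHELL),
                       ("mixed", SAMPLE_MIXED)):
        for f in audit(text):
            print(f"{name}: {f.key} -> {f.value} ({f.reason})")
```
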

Re:How would that even work (1)

shaka (13165) | more than 6 years ago | (#21318607)

They're external drives. They almost always come preformatted (FAT32), usually with some (autorun) software installed.

Re:How would that even work (1)

dotgain (630123) | more than 6 years ago | (#21319107)

...because heaven knows I just wouldn't be getting value for money if all I got was an empty disk.

Nosirree. Every disk should come with its own file management utilities - that's how I can tell them apart!

Re:How would that even work (1)

FutureDomain (1073116) | more than 6 years ago | (#21318635)

Do they have some mechanism for surviving the initial format or is this a complete hoax? Even assuming the drive is installed in a Windows computer, isn't the first step always to format the drive? I've added lots of drives to Windows machines and it never occurred to me to try to access them without formatting them. Do these come preformatted?

These are preformatted portable hard drives, like the kind you use for backing up your computer. The dangerous part is that the trojan is set to autorun, which can infect your computer by just hooking up the drive. You don't need to click on anything.

~~FutureDomain~~

Re:How would that even work (2, Insightful)

CastrTroy (595695) | more than 6 years ago | (#21318781)

Wrong, the trojan is not set to autorun, the computer is set to autorun. The trojan just contains files that means it will be autorun if the computer is set to do so. There's a difference here. I don't know how anybody ever thought that having computers automatically run executable programs without any user intervention was a good thing, but personally, I can't see how computers are still configured by default to run any drive you hook up to them.

Re:How would that even work (1)

petermgreen (876956) | more than 6 years ago | (#21318705)

I've added lots of drives to Windows machines and it never occurred to me to try to access them without formatting them. Do these come preformatted?
In my experience bare drives don't but drives ready mounted up in USB caddies do.

Sure you could reformat it to remove stuff but by the time you get to the format screen you are probably already infected.

Re:How would that even work (0)

Anonymous Coward | more than 6 years ago | (#21318709)

Perhaps it is a ruse. This may be a case of counter-espionage where a stupid ineffective spying attempt intended to draw attention to itself is made to cover up for something more stealthy.

Re:How would that even work (1)

Megane (129182) | more than 6 years ago | (#21318711)

Do they have some mechanism for surviving the initial format or is this a complete hoax?

What "initial format"? If you buy this drive and install it, preformatted with the trojan, Windows will see it as already formatted and mount it, then autorun the malware. Moments later, the human who doesn't notice it's already formatted goes slowly (to a computer) to the disk format utility. By the time the format begins, the damage has already been done.

I will admit that I have noticed that sometimes brand new drives are already formatted, but then I immediately reformat them as HFS+ volumes. Next time that happens, I'll take a moment to see if there might be any invisible files.

Maybe a format (2, Insightful)

virtualnz (1187667) | more than 6 years ago | (#21318569)

maybe a format of the drive when it's purchased will fix. Or because it's malware does this mean it's going to be embedded into the hardware? It goes to show that we can't even rely on our hardware now without some big "brother" sending information back.

Re:Maybe a format (1)

totally bogus dude (1040246) | more than 6 years ago | (#21318821)

My impression is that they're just regular files pre-loaded on it, so reformatting will work. Provided of course you don't plug it in to a Windows PC with auto-run enabled in order to format it.

I wonder if one day we will see drives that have malware embedded in the controller that can't ever be erased? Maybe it's possible for them to detect "initial connection and probing by Windows" by waiting for a certain sequence of commands, and only expose the malware then. If you look at the drive later, or use a different OS which probes in a slightly different manner or with different timing, the files don't appear.

Obligatory HOSTS comment: (5, Informative)

killmofasta (460565) | more than 6 years ago | (#21318575)

Please add to your host files:
127.0.0.1 www.nice8.org
127.0.0.1 www.we168.org

Re:Obligatory HOSTS comment: (5, Funny)

lordofthechia (598872) | more than 6 years ago | (#21318681)

Why not take some initiative. You can block the sites, or you can send them what they want! DATA! Send them lots of data, format it like it was sent with the virus and have fun coming up with a random assortment of websites to include in it (sure we could think of a couple).

So why ignore when you can use up their bandwidth and screw up their database. Just an idea.

Re:Obligatory HOSTS comment: (2, Interesting)

NeverVotedBush (1041088) | more than 6 years ago | (#21318777)

Excellent suggestion and I hope you get modded informative.

There is a blacklist website that had the www.nice8.org site listed a while back (I searched in mine before entering it) but the we268 site wasn't in there and still isn't.

The URL to the hosts blacklist file: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] This really speeds up browsing too as a lot of the tracking sites get blocked.

Re:Obligatory HOSTS comment: (1)

ColdWetDog (752185) | more than 6 years ago | (#21319009)

There is a blacklist website that had the www.nice8.org site listed a while back (I searched in mine before entering it) but the we268 site wasn't in there and still isn't.

I think we Slashdotted it. They're not responding.

Re:Obligatory disable autorun comment (1)

Technician (215283) | more than 6 years ago | (#21318941)

Please add to your host files:
127.0.0.1 www.nice8.org
127.0.0.1 www.we168.org

Be sure to put them in the upstream router. Autorun may compromise the system.. DUH it's a trojan. Since the affected drives are portable drives, it is very important to disable autorun as well as block the sites upstream of the compromised machine.
   

Re:Obligatory HOSTS comment: (2, Funny)

IgnoramusMaximus (692000) | more than 6 years ago | (#21319127)

Please add to your host files:
127.0.0.1 www.nice8.org
127.0.0.1 www.we168.org

You bastard! I did and that unsavory host at 127.0.0.1 (isn't the 127.x range like the dark back-alleys of the Intertubes?) infected me with a nasty trojan, probably because it has like a million gajigabytes of completely illegal, pirated contents on it!! A veritable pirate hive, that! I hold you personally responsible for directing us, pure, innocent Slashdotters to it!

catgotmytongue (1)

newr00tic (471568) | more than 6 years ago | (#21318587)

"The tainted portable hard disc uploads any information saved on the computer automatically and without the owner's knowledge to www.nice8.org and www.we168.org, the bureau said."

-Fill the suckers with Linux distros or something, then..

(Yeah, big chance of it uploading 'everything,' anyway. - ANYTHING, maybe, not every..)

But who's affected? (1)

r_jensen11 (598210) | more than 6 years ago | (#21318591)

The summary doesn't state who is at risk here. For all I know, these could be hard drives for servers. I suppose the files autorun.inf and ghost.pif hint that it's targeting Windows. Would this also be a security issue if someone attempted to execute those files within Wine or Parallels?

Re:Wine no, Parallels maybe (0)

Anonymous Coward | more than 6 years ago | (#21318735)

Wine doesn't support autorun so it is safe. Parallels will be affected assuming it doesn't disable autorun in the host OS, which most VM software does.

Taiwan or Thailand? (1)

overcaffein8d (1101951) | more than 6 years ago | (#21318599)

Taiwan or Thailand? Two completely different places.

Looks like a "typo" tag to me.

Re:Taiwan or Thailand? (1)

corsec67 (627446) | more than 6 years ago | (#21318663)

Were they "Sold in Taiwan" and "Made in Thailand"?
That would be consistent with the headline and summary, but they could also be very wrong.

Re:Taiwan or Thailand? (0)

Anonymous Coward | more than 6 years ago | (#21318761)

Taiwan has become too expensive for low-skill labor-intensive manufacturing, such as used for hard drives.

Re:Taiwan or Thailand? (1)

night_flyer (453866) | more than 6 years ago | (#21318665)

from TFA

"Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said."

Re:Taiwan or Thailand? (1)

404 Clue Not Found (763556) | more than 6 years ago | (#21318693)

Not a typo... the drives were designed in the US, produced in Thailand, sold in Taiwan, and spying for China (allegedly).

Re:Taiwan or Thailand? (1)

nihaopaul (782885) | more than 6 years ago | (#21318935)

and then you follow it back to American servers...

www.we168.org. 3594 IN A 75.126.97.113

$ whois 75.126.97.113

OrgName: SoftLayer Technologies Inc.
OrgID: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

NetRange: 75.126.0.0 - 75.126.255.255
CIDR: 75.126.0.0/16
OriginAS: AS36351
NetName: SOFTLAYER-1-4-3
NetHandle: NET-75-126-0-0-1
Parent: NET-75-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SOFTLAYER.COM
NameServer: NS2.SOFTLAYER.COM

$whois 222.122.180.190 ;; ANSWER SECTION:
www.nice8.org. 3600 IN A 222.122.180.190

inetnum: 222.96.0.0 - 222.122.255.255
netname: KORNET-KR
descr: Korea Telecom
country: KR

the US one could easily be shut down, and the same with the Korean ones, plus the .org records don't have real details so you can have them shut down too, xinnet does track users by their government issued identity card (you can't register without one) so they could trace it back to the one that made the order on the domain and how it was paid.

Seagate admits it (3, Informative)

Camael (1048726) | more than 6 years ago | (#21318763)

The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.
Untrue. The Seagate article can be found here: http://www.seagate.com/www/en-us/support/downloads/personal_storage/ps3200-sw/ [seagate.com]
So this is not a hoax, after all.

Re:Seagate admits it (2, Informative)

ColdWetDog (752185) | more than 6 years ago | (#21319051)

Well that link throws a 404 error. Searching for "Trojan" on the Seagate site just gave me a couple of links to a Terms of Use agreement. I just didn't have the heart to explore that concept further.

Seagate should never have bought Maxtor (1)

CranberryKing (776846) | more than 6 years ago | (#21318767)

I was surprised when Seagate bought them. Maxtor was always a 'eh..' kind of disk manufacturer and Seagate has always been one of my favourite in terms of quality. Sorry Seagate but I'm not buying Maxtor disks ever.

It was meant to benefit the customer (3, Funny)

edwardpickman (965122) | more than 6 years ago | (#21318901)

They figured it was a time saving feature that would save bandwidth for the buyer having the Trojans preinstalled.

Just more proof that autorun is insanely stupid (4, Insightful)

0123456 (636235) | more than 6 years ago | (#21318967)

Why oh why does Microsoft still automatically run software off any disk that's inserted into your PC? Surely decades of floppy-carried virii should have convinced them of what a frigging stupid idea that is?

Re:Just more proof that autorun is insanely stupid (0)

Anonymous Coward | more than 6 years ago | (#21319035)

People aren't smart enough to install stuff themselves.

Lenovo (1)

DustyShadow (691635) | more than 6 years ago | (#21318985)

So if the Chinese government is willing to do this with just hard drives, it makes me wonder what they are putting on Lenovos.

I think ... (2, Funny)

PPH (736903) | more than 6 years ago | (#21319067)

... the makers of third party malware should sue. Having OEM malware preinstalled is going to drive them out of business eventually.

Perhaps the EU can take up their case.

A simple solution. (2)

rice_burners_suck (243660) | more than 6 years ago | (#21319095)

There is a simple solution to problems like this. Whenever you purchase a new (or used?) hard drive, write zeroes to the whole darn thing and then format it with your filesystem of choice. Badda bing batta boom.

First Hard Drives, then Motherboard BIOSes (2, Insightful)

shoor (33382) | more than 6 years ago | (#21319111)

What happens when they put malware in the BIOS on your motherboards? How will you know? How will you get rid of it? (I know, flash the BIOS, but maybe the BIOS doesn't want to be flashed.)

There's talk that the next war will be a cyberwar. I guess that's better than the other kind, but these are some of the ways to do it I'd say.