
Malware and Manufacturing

Tuesday, January 29, 2008 at 8:16am by Joe Telafici

Last week’s news of digital picture frames being infected with malware reminds us that it is not just our computers that can be infected. Recent reports include similar infections on batches of:

But anything that a PC will consider a hard drive (like SD cards for digital cameras if plugged into a multi-card-reader, some cell phones, certain toys, CDs or DVDs) can be infected by a variety of worms, some explicitly designed to infect removable media. Here are a few examples.

So how does an incident like the recent Best Buy one occur? Ironically, the most likely culprit is the QC process at the manufacturer. As devices like this come off the assembly line, and before they get packaged and shipped to the distributor or retailer, someone has to check some or all of those devices to make sure they work correctly. For media like those in the picture frames, that probably means plugging the frame into a PC to make sure that the operating system sees the memory correctly and can copy files to and from it. Of course, if the Quality Control folks can copy files to the device, so can a worm if one was installed on their test PC.

What does this mean if you are the person ultimately selling this item? It is entirely likely that checking all of the devices you ordered is impractical, not to mention that doing so introduces the same risk to the device if your OWN computers are infected. The right approach may be to apply controls right at the manufacturing process.

If you are purchasing devices to sell, either directly to consumers, or by contract to another wholesaler or distributor, the following tips may help you avoid similar issues:

  • Ask for your supplier’s process for ensuring that media are malware-free. They should be able to provide the scanner(s) used, update frequencies, scan settings and audit procedures. What is their process if an infection IS discovered during the check? Verify that their process does not include any connections to other devices after their scanning procedure (so that infections cannot be introduced later downstream).
  • Ask whether all devices are checked, or only a portion. If a portion, what percent? Do they all go through the same computer, or multiple ones, and how many? This will help you decide how many you may want to spot-check yourself if you choose to do so. If the supplier/manufacturer checks 1 in 10 devices and does so using 10 different computers, any particular CD has a 1 in 100 chance of being infected if one of those 10 computers has been compromised.
  • Request scan logs or audit logs for the specific batch you purchased to be delivered with the devices.
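The spot-check question above can be worked through numerically. The following is an added example, not part of the original post: it reproduces the 1-in-100 figure and then computes how many devices a buyer would have to sample from a batch to catch at least one infected unit. The batch size of 1000, the 95% confidence level, and the assumption that a compromised QC PC infects every device it touches are constructed for illustration.

```python
from fractions import Fraction
from math import comb

def exposure_rate(check_rate, stations, compromised=1):
    """Fraction of shipped devices that passed through a compromised QC PC.

    Assumption: each checked device goes through one station chosen uniformly,
    and a compromised station infects every device plugged into it.
    """
    return Fraction(check_rate) * Fraction(compromised, stations)

def miss_probability(batch, infected, sample):
    """Chance that a random spot-check of `sample` devices contains no infected
    one (hypergeometric: sampling without replacement from a finite batch)."""
    if sample > batch - infected:
        return 0.0  # sample is too large to avoid every infected device
    return comb(batch - infected, sample) / comb(batch, sample)

def spot_check_size(batch, infected, confidence=0.95):
    """Smallest sample that catches at least one infected device with the
    requested confidence; returns the whole batch if nothing is infected."""
    for n in range(batch + 1):
        if 1 - miss_probability(batch, infected, n) >= confidence:
            return n
    return batch

if __name__ == "__main__":
    rate = exposure_rate(Fraction(1, 10), 10)   # 1 in 10 checked, 10 QC PCs
    batch = 1000                                # constructed batch size
    infected = round(batch * rate)
    needed = spot_check_size(batch, infected)
    print(f"exposure rate per device: {rate}")
    print(f"expected infected devices in a batch of {batch}: {infected}")
    print(f"devices to spot-check for 95% detection: {needed}")
```

Even at a 1-in-100 infection rate, a reliable spot-check means sampling roughly a quarter of the batch, which is why the supplier's own scan and audit logs matter.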

If you buy a device and want to make sure you don’t end up infecting your computer with it, the following tips may help:

  • Disable the Windows AutoPlay feature.
  • Use up-to-date anti-malware software and make sure it is turned on and set to scan removable drives.
  • Manually scan the entire drive after first connecting it and with AutoPlay disabled. If the scan comes up clean, you’re all set.
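As a complement to the manual scan, the sketch below (an added example, not part of the original post) inspects a newly connected drive for an `autorun.inf` file and lists the commands it would ask Windows to start. It reads the file as text only and never executes anything; the sample file contents and file names are constructed, and the parser is deliberately tolerant of junk lines.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

# Constructed sample of what an autorun.inf on a removable drive can look like.
SAMPLE = "junk line\n[AutoRun]\n; comment\nOpen = setup.exe /s\n" \
         "icon=frame.ico\nshell\\open\\Command=viewer.exe\n"

def find_autorun(root):
    """Return the path of autorun.inf in the drive root (any letter case)."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None

def launch_entries(text):
    """Extract (key, command) pairs from the [autorun] section only."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            entries.append((key, value))
    return entries

def inspect_drive(root):
    """List the launch commands a drive's autorun.inf declares, if any."""
    path = find_autorun(root)
    if path is None:
        return []
    # latin-1 never fails to decode, so padded or odd files are still readable
    with open(path, "r", encoding="latin-1") as fh:
        return launch_entries(fh.read())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:  # stands in for the drive root
        with open(os.path.join(drive, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        for key, command in inspect_drive(drive):
            print(f"{key}: {command}")
```

Any launch entry on a device that should only hold pictures or music is a reason to scan the referenced file before opening the drive in Explorer.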

A little up-front planning can go a long way to staying malware-free. Happy shopping!


Comments (2)

  • alex February 4, 2008 7:00PM

    This type of hardware-based worm will never stop happening. I remember when Apple was sending out iPods infected with the RJump.worm. I guess manufacturers think if a computer is not online or only a production QA box it won’t get infected. Therefore why even bother with simple preventative steps.

    I’m currently backpacking through South East Asia and a huge percentage of the computers here are infected with auto-run worms. There are even shops that specifically cater to removing these worms off of people’s memory cards and mp3 players.

    The funny thing that I saw related to this was in Bangkok. The bootleggers that upload music onto people’s iPods have a special “XP Security Version” (it literally said this) that they use specifically so their computers won’t get infected with auto-run worms and other types of malware.

  • Vesselin Bontchev January 29, 2008 8:54AM

    I’ve had several reports of relatively dumb (Java-only) mobile phones being infected with PC viruses because they look like removable drives when connected to the PC.

    Regards,
    Vesselin