December 18, 2018

iPods Shipped with Worm Infection

Apple revealed yesterday that some new iPods – about 1% of the new iPod Videos shipped in the last month or so – were infected with a computer worm that will spread to Windows PCs, according to Brian Krebs at the Washington Post. Apparently a PC used to test the iPods got infected, and the worm spread to the iPods that were connected to that PC for testing.

As far as the worm is concerned, the iPod is just another storage device, like a thumb drive. The worm spreads by jumping from an infected PC to any removable storage device inserted into the PC, and then using the Windows autorun mechanism to jump from the storage device into any PC the storage device is inserted into.
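An added example, not part of the original post: a small defender-side check that parses an autorun.inf from a removable volume and flags any entry that would launch a program when the device is plugged into a Windows PC. The sample file contents are constructed for illustration, not taken from the infected iPods.

```python
"""Flag autorun.inf entries that would launch a program via Windows autorun.
Added example with constructed sample data; not code from the original post."""
import configparser
import re
from typing import List

# [autorun] keys that cause a program to run; icon/label are cosmetic only.
LAUNCH_KEYS = ("open", "shellexecute")
# A shell\<verb>\command entry also runs whatever it names.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def autorun_findings(text: str) -> List[str]:
    """Return human-readable findings for one autorun.inf body.

    An empty list means the file only sets cosmetic keys (or has no
    [autorun] section); an unparseable file is itself reported."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    try:
        parser.read_string(text)  # keys are lower-cased by default, as Windows is case-insensitive
    except configparser.Error as exc:
        return [f"unparseable autorun.inf: {exc.__class__.__name__}"]
    if not parser.has_section("autorun"):
        return []
    findings = []
    for key, value in parser.items("autorun"):
        value = (value or "").strip()
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            kind = "launches executable" if EXECUTABLE_EXT.search(value) else "launches"
            findings.append(f"{key}={value} ({kind})")
    return findings


# Constructed samples: one that behaves like a worm dropper, one that is benign.
SAMPLE_SUSPICIOUS = """[autorun]
icon=setup.exe,0
label=My Music
open=setup.exe
shell\\open\\command=setup.exe
shellexecute=updater.exe
"""
SAMPLE_BENIGN = "[autorun]\nicon=music.ico\nlabel=iPod\n"

if __name__ == "__main__":
    for name, body in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, autorun_findings(body) or "no launch entries")
```

To scan a real device, read the autorun.inf at the root of the mounted volume and pass its text to `autorun_findings`.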

Apple tried to spread the blame: “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.” The jab at Windows probably refers to the autorun feature, which MacOS lacks, and which is indeed a security risk. (I hear that autorun will be disabled by default in Windows Vista.) Apple also says that the infected machine belonged to a contractor, not to Apple itself. If I were a customer, I would blame Apple – it’s their job to ship a product that won’t hurt me.

As Brian Krebs reminds us, this is at least the third case of portable music players shipping with malware. Last year Creative shipped a few thousand infected players, and McDonalds Japan recently gave away spyware-infected players.

In all of these cases, the music players were not themselves infected – they didn’t run any malware but only acted as passive carriers. It didn’t matter that the music players are really little computers, because the worm treated them like dumb memory devices. But someday we’ll see a scary virus or worm that actively infects both computers and music players, jumping from one to the other and doing damage on both. Once autorun goes away, this will be the natural approach to writing player-borne malware.

In principle, any device that has updatable software might be subject to malware infections. That includes music players, voting machines, printers, and many other devices. As more devices get “smart”, we’ll see malware popping up in more and more places.

Comments

  1. An interesting twist to this is that device drivers often have large security holes in them, because the authors do not generally consider devices that are physically connected to the computer to be a risk. I imagine that the same would go for the devices themselves.

    In some cases, such as firewire, this is considered a feature rather than a bug. Firewire has DMA transfer modes that let devices directly access the physical memory of other devices without any authentication taking place.

    This means that there are likely to be a large number of currently unknown security holes that would allow a virus to hop from a computer to a smart peripheral and back. Now that the subject has been brought up, I’m somewhat surprised it hasn’t already been done. iPods are more than popular enough to support a virus population.

  2. My very first USB thumb drive came with a boot sector virus. It was harmless, but IBM was very embarrassed!

  3. This is the same story that played out once before, with sneakernet viruses spread by good old-fashioned floppy disks.

    Any removable, portable thing with storage capacity is a potential vector and should be treated as such by users, by AV software, and so forth.

  4. charlie strauss says:

    I’ve read that the underlying problem was more subtle, which might explain some of Apple’s expressed frustration with MS. I can’t confirm this but it may have been that the infected PC got the infection from a blank, formatted, drive from the drive manufacturer. Even if that is not true in this case, there is nothing stopping it from being true.
    It’s a pretty subtle bug that, until now of course, I know would have bitten me since I would not have looked for it. I, and the technicians who work for me, often replace burned hard drives in my clusters and computers with units straight out of the box. In some cases we have pre-formatted hot-swap spares still in the shrink wrap sitting on the shelf waiting to go in.

    On my Macs and Linux machines, I sometimes use external USB drives to share with Windows PCs. I don’t usually reformat these specifically because I don’t entirely trust that the Macintosh disk formatting program will create a pristine PC FAT format. In all likelihood it can, I just don’t have the ability to know. And I have reason to doubt: past experience has shown that when one OS provider emulates another’s native formats (e.g. Samba or UFS or HFS++ or ZFS or NFS) the emulation is usually less than complete or has artifacts.

    It would be a major hassle and expense, to have to reformat every drive in a rack of clusters one is upgrading. But apparently that is now the requirement to be sure the manufacturer did not ship you a virus on the “blank” harddrive.

    The problem is perhaps more diabolical than it seems. Imagine some Apple engineer putting out some specs for the process standards the Chinese manufacturer must follow. He’s paranoid they won’t have good practices with keeping their Windows boxes clean. He also wants to assure the peripheral performance is compatible with the iPod loading software and to assure the integrity of the data transfers to the iPod. So he decides that the sure way to do this is to make absolutely certain the box has never been on the internet, and to spec every part, so the machine has to be built at the Chinese factory from scratch. They then load in the special Apple approved Windows software CD with Apple’s programs and data. Seems foolproof. But it’s not.

  5. But it’s impossible to get a virus without a network – Diebold told us so! 😉

    Perhaps someone from Apple would educate the people at Diebold about how a virus can spread through a passive memory device – such as a memory card in a voting machine….

  6. Thank You, Apple!

    It’s inevitable that something like this will happen. I am not too concerned about my home PCs, but so many at my work plug in their mp3 players, and although IT tried a year or so ago to get mp3 players banned, they lost that fight. (Architects, if they are going to work overtime, want their music, and believe it or not, quite a few will not take no for an answer.) It must be interesting working in the IT dept of a company which consists of so much ‘creative talent’.

  7. Regardless of the fault that lies with Apple for lack of due diligence, the underlying issue seems to be that for the purpose of Windows, every storage medium can be made “bootable” by putting an autorun.inf on it. In the days of floppies, the boot sector virus related danger was limited to booting from it, for which there was hardly a need (other than floppies forgotten in the drive).

  8. Peter da Silva says:

    The number of avenues of infection that Microsoft has retained and even introduced over the past decade are so great that, as far as I’m concerned, criminal charges against the officers of Microsoft would not be too strong a response.

    Their arrogance and contempt in the DoJ trial was astonishing, especially when the way they integrated IE and the Desktop to try and work around their agreement with the DoJ has been one of the greatest sources of virus infection in Windows boxes since 1997… and the underlying vulnerability STILL has not been fixed now and WILL NOT be fixed in Vista. Every year I’m newly astonished at their disdain for their own customers as some new aspect of their slapdash approach to security comes to light. Even in Apple’s stupidest moments (“Open Safe Files after download”, for possibly the worst example) they at least give the user a way to avoid exposing themselves. Not Microsoft.

    They should be down on their knees thanking Apple for accepting the *majority* of the blame, rather than griping about it.

  9. Peter da Silva says:

    Oh, and as for the two-way “cross device” infection… Symantec and other Antivirus companies have been using that as a boogeyman to try and push their PalmOS and WindowsCE antivirus solutions for at least five years.

    PDAs are general purpose devices and thus a MUCH more fertile ground for distributing infective malware than special-purpose embedded devices, and there *have* been examples of non-infective malware that runs natively on both… and yet there’s been zero cases of actual infections, cross-device or device-device, and many people have had crashes or lost data to false positives and unforeseen interactions from their antivirus.

  10. Wouldn’t setting “Enable Disk Use” to off in iTunes and using the “Restore” option on the iPod have solved this problem? Or does Windows need some other settings changed to avoid attaching the iPod as a drive?

    I think it’s very odd that people are arguing about whether Apple or Windows are to blame for this, and no one is suggesting that the author of the virus is to blame.

    Yes, Apple could have been more diligent.
    Yes, Windows could be made more secure.

    But someone still had to write the virus and release it. That person (or persons) is who people should be angry at.

    If someone straps a time bomb on your car and you (unknowingly) park in your office parkade and the bomb blows up the building, it would be insane to suggest that you (the driver) and the parking attendant are to blame for the incident and should be the focus of public anger. The person who attached the bomb to your car is the proper target of anger.

    How often are you expected to check under your car for bombs? Do you ever check? Does your office building check? Very probably not, because the risk is low. But you COULD be more diligent and check anyway. (I predict that you won’t)

    Supposedly, this was a non-networked Windows box that went from the shipping crate to the desktop. When was the last time you ran virus software off a bootable CD-ROM on all the drives on a new, unused machine? It’s not common practice.

    Apple, Windows and the consumer are all victims in this situation. If it happens AGAIN, after Apple has had an opportunity to modify their procedures, then consumers can blame them. Until then, blame the “l33t haXor” who made the freaking virus.

  11. “Every year I’m newly astonished at their disdain for their own customers as some new aspect of their slapdash approach to security comes to light.”

    Not I. I’ve long since quit being astonished by anything Microsoft says or does.

    “Even in Apple’s stupidest moments (”Open Safe Files after download”, for possibly the worst example) they at least give the user a way to avoid exposing themselves. Not Microsoft.”

    Or their opponents. It’s actually fairly easy to disable autorun, if you know what you’re doing.

    (I assume that “Open Safe Files after download” still runs the risk that the file exploits a buffer overrun vulnerability, given the supposition that “Safe Files” means non-executable — documents and jpegs and suchlike. Or I suppose it may harbor a macro virus, though it’s mainly MS Office apps and, more recently, Windows Media Player that are susceptible to bad .docs and .wmas.)

  12. “But someone still had to write the virus and release it. That person (or persons) is who people should be angry at.”

    I think people assume that anger at the virus creator and releaser is a given, but they then get really annoyed at the people who can stop it but refuse to do so. To use your car bomb analogy: if you have car bombs as you see them now — very rare — how can you be too mad at the people who built the car or the parking garage or anyone but the bombers (and possibly the people who did whatever to get them mad, depending on what that was). But that’s not what we have with computer viruses. In fact it’s not all that great an analogy, but sticking with it anyway, it’s as if car bombs were constantly being used in each and every garage and car and there were some fixes that could detect and/or disarm them but the car makers, the garages, and the authorities mostly shrugged them off, pointed fingers at each other whenever one went off, and refused to put in those fixes, or did them belatedly or slapdash (opening other avenues of attack while closing one). Would you only be mad at the bombers then? Would it not be justified — in your view — to be mighty mad at the garages, the car makers, the authorities?