Pre-infected Hard Drives Sold; ChiCom Gov Trojan

[Einhander Sn0m4n]

Bureau warns on tainted discs

FOCUSED ATTACK: Large-capacity hard disks often used by government agencies were found to contain Trojan horse viruses, Investigation Bureau officials warned
By Yang Kuo-wen, Lin Ching-chuan and Rich Chang
STAFF REPORTERS
Sunday, Nov 11, 2007, Page 2

Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc, the Investigation Bureau said.

Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.

The tainted portable hard disc uploads any information saved on the computer automatically and without the owner's knowledge to www. nice8.org and www. we168.org, the bureau said.

The affected hard discs are Maxtor Basics 500G discs.

The bureau said that hard discs with such a large capacity are usually used by government agencies to store databases and other information.

Sensitive information may have already been intercepted by Beijing through the two Web sites, the bureau said.

The bureau said that the method of attack was unusual, adding that it suspected Chinese authorities were involved.

In recent years, the Chinese government has run an aggressive spying program relying on information technology and the Internet, the bureau said.

The bureau said this was the first time it had found that Trojan horse viruses had been placed on hard discs before they even reach the market.

The bureau said that it had instructed the product's Taiwanese distributor, Xander International, to remove the products from shelves immediately.

The bureau said that it first received complaints from consumers last month, saying they had detected Trojan horse viruses on brand new hard discs purchased in Taiwan.

Agents began examining hard discs on the market and found the viruses linked to the two Web sites.

Anyone who has purchased this kind of hard disc should return it to the place of purchase, the bureau said.

The distributor told the Chinese-language Liberty Times (the Taipei Times' sister newspaper) that the company had sold 1,800 tainted discs to stores last month.

It said it had pulled 1,500 discs from shelves, while the remaining 300 had been sold by the stores to consumers.

Seagate's Asian Pacific branch said it was looking into the matter.
This story has been viewed 6357 times.

[Resinence]

How did they expect this to work anyway? Any half-competent Admin will notice that the brand-spanking new hard disk is already formatted and has files on it, and partitioning it would destroy them. You can do better than that Beijing!

[Zac Naloen]

Who installs an operating system without completely reformatting the disc anyway?

[His Divine Shadow]

I haven't reformated anything in years, I just delete/create new partitions and let that handle it. Or is that considered equal to formating a drive?

[General Zod]

I haven't reformated anything in years, I just delete/create new partitions and let that handle it. Or is that considered equal to formating a drive?

If you're using all of the partitions, then it's not so useful. Reformatting upon install is the only safe way to ensure you have a clean hdd.

[Netko]

It doesn't matter - this is aimed at XP (and I guess Vista but there you'll get a prompt so there has to be an idiot present to launch the virus) users who are adding a drive hence the autorun file. Just by adding the drive into the case and powering it up you'll get infected (unless you disabled or modified autorun) and after that it doesn't matter what you do with the drive (unless its a really pathetic virus). Interesting attack vector in any case, however shouldn't be able to hit anyone knowledgeable except in the scenario above.

[Pu-239]

These are *external* hard drives- most people don't bother to format these.

[[R_H]]

They come preformatted?

Why would anyone saving anything important put it on a preformatted external harddrive? Or is Beijing just trying to score people's porn backups

[General Zod]

They come preformatted?

Why would anyone saving anything important put it on a preformatted external harddrive?

Typically, when you buy hard drives new it's expected that they're free from malicious software. In theory the only reason anyone should have to format an external drive themselves is if they bought it second-hand.

[Wyrm]

I nuke and pave every hdd I get, so I can recover all the space.

Besides, my computer's OS is immune to these shenanigans, as it does security the Right Way. Really, why should an OS trust anything that came on an unfamiliar hard drive, unless the user gave it an explicit go-ahead? And no, simply connecting the hdd to the computer is NOT an explicit go-ahead to run special software/scripts on that drive. The only reason why China could do this is because Microsoft was being brain-dead stupid. They need negligence charges levied against them.

[montypython]

Who installs an operating system without completely reformatting the disc anyway?

My sentiments exactly, this all just seems more fearmongering than anything else really.

[Admiral Valdemar]

The Chicom Govt. is quite lame when it comes to SIGINT/ELINT spying it seems.

[phongn]

We don't even know if the Chinese government is at fault, anyways, or some hacking group.

The only reason why China could do this is because Microsoft was being brain-dead stupid. They need negligence charges levied against them.

Glad to you know ignored the earlier posts about XP or Vista asking you first.

[Netko]

They come preformatted?

Why would anyone saving anything important put it on a preformatted external harddrive?

Typically, when you buy hard drives new it's expected that they're free from malicious software. In theory the only reason anyone should have to format an external drive themselves is if they bought it second-hand.

Thats the horrid beauty of this scheme - it doesn't care what happens to the drive after it has deposited it viral payload into the system and that is designed so that it happens automatically on XP (and potentially earlier systems if it can function on them) systems with autorun enabled - so you get infected by just plugging in the drive and once that is done it doesn't matter if you format the drive or not, the virus is present on your machine (although, it could potentially matter for propagation - if you format the drive the virus should be killed on the drive unless it can detect that and automatically reinfect the drive after format). Thankfully, MS fixed this in Vista where it doesn't trust any autorun by default but rather always asks you what to do so you need either an idiot user or someone unaware of the risks who previously told Vista to autorun applications.

[General Zod]

>snip<

How exactly is that related to my point?

[Wyrm]

The only reason why China could do this is because Microsoft was being brain-dead stupid. They need negligence charges levied against them.

Glad to you know ignored the earlier posts about XP or Vista asking you first.

I was under the impression that only Vista users got the prompt, and XP goes ahead and runs the autorun file:

It doesn't matter - this is aimed at XP (and I guess Vista but there you'll get a prompt so there has to be an idiot present to launch the virus) users who are adding a drive hence the autorun file.

[Netko]

>snip<

How exactly is that related to my point?

The point is that your point is missing the point

The issue here is not whether or not to format the disk to kill the virus, but rather that you'll be infected by the virus (under some circumstances) before you face that choice.

[DPDarkPrimus]

These are *external* hard drives- most people don't bother to format these.

But when you plug it in and see there are files on it...

[Hawkwings]

They're probably hidden. An inf and pif file? Heck, when I completely format a hdd and view hidden files on it, there's already 1 or 2 .dll or whatever files on it.

[General Zod]

The point is that your point is missing the point

One of us is missing it, and it ain't me. I suggest going back and reading my post again.