Sunday 4 July 2010

Big Wirus

Gather round everyone for a tale of woe.
So I loaned one of my many USB keys to Fiona to backup some of our photos to print at a BigW, Mt Gravatt to be precise. I had cleared everything off and handed it over to her to copy over the photos. We tried it in a local BigW (Mt Ommaney) on Saturday but couldn't find a station that worked properly, we managed to get a few photos printed, but Fiona kept the key to see if she could get them printed elsewhere.
Off she trotted to Mt Gravatt BigW on Monday after she dropped the kids at kindy, she printed out the photos and thought nothing of it. Wednesday night I decided I should move my files back, I plugged the USB key in and noticed among the photos a hiden autorun.inf... Not usual for me to have leave that there, a quick read of it in text editor let me see it was trying to run RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe scanning the file with clamwin let me know it was Trojan.Poison-36 (it goes by other names, trojan.killav is Symantecs name) a nasty little phone home trojan that was only discovered recently (9/06/10), that uses the usual trick of infecting attached drives with the autorun.inf trick. It also then goes on to try and kill av programs and then once that is done download other malware, see here
I was safe due to my self inflicted draconian software restriction policy, and Fiona who had plugged it in to her laptop was safe due to it being an exe and her running Linux.
So I notified BigW back on the 30th, I think for something so little, I have given them reasonable disclosure. It is something they could have designed against, by using a software restriction policy, or simply making the USB devices read only via policy, or hey you know Antivirus that at least occasionally gets updated...
I was and still am tempted to put my own little exe and autorun on a key to see if the kiosks are still vulnerable, but Fiona has advised against it, my little voice of reason.
My problem with this issue, is that there seems to be little design that has gone into a system that thousands of people probably use a week, and little concern for users of these systems, how many people are going to get home and infect their systems, how many are going to not realise it was due to the dodgy kiosk they used and then blame the internert, Microsoft, or their kids. I am not a big fan of misplaced blame.

Not really much news here, viruses are a part of life. But with most modern USB keys no longer having the nice little feature of a read only switch, there is little you can do to protect yourself. You could try having an autorun.inf on your key that is marked read only, that may work unless the virus knows how to overwrite it.


Jordan said...

That's crazy. I'm reposting this on my Facebook to spread the word to my friends in Australia. Thanks for the great information!

Unknown said...

I just plugged my USB stick in from a kiosk in Port Macquarie, NSW. And my virus popped up that is had detected a virus as well!

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Fiona Storey said...

It was the photo kiosk closest to the cash register at Big W Mount Gravatt. The USB key was blank before I put about 10 photos on it to be printed. These photos were copied from my Ubuntu (linux) eeepc. I installed the USB drive at about 2:20pm. I spend the next 10 minutes editing and ordering the pics I wanted. Print order was time stamped 10 minutes after virus created. It took 40 minutes for the pictures to be printed. When I got home I gave the USB drive to Morgan, he installed it on his PC and found the virus. He looked at the time it was created. I then told him that was when I was at Big W. FIONA STOREY

Anonymous said...

I think the important questions are:

- How did the kiosk get infected in the first place?

- Will the kiosk automatically run any auto-run provided on a customer's USB or SD card?

- Can a trojan be installed to collect future customer's files to the kiosk and then retrieve them later?

- Would being able to auto-run customer provided files provide access to a Big W internal network? What other security holes exist with other machines on the same network?

Unknown said...

Hi Morgan,

It's Kate from Kodak Australia here, we've been watching this story unfold after you initially reported your problem.

I hope you don't mind, but we just wanted to let you know that if you're worried about picking up a virus when you print your pictures, you can always trust a Kodak Picture Kiosk - as it does not write to memory cards or USBs, ensuring yor memories are safe.

I hope this is helpful.


PS. Our Kiosks can be found nationally at Kodak Express stores and Officeworks

Fiona Storey said...

That's priceless Kate.

A perfect Kodak moment.

I will definitely be trying out a Kodak kiosk next


(The one in the corner) said...

To my knowledge most media drives used in Photo Kiosk applications have firmware that does not allow writing back to the cards under any circumstances. This certainly applies to the Atech, YE-data drives as well as other major suppliers of drives. This approach means that the software or the engineers can not inadvertently alter this safe state.

In addition most kiosks only read image files (typically Jpegs, Bit maps and Tiffs) thus only bringing in to the restricted area files that can not be, or are extremely unlikely to be, infected.

On demand virus checking is not really viable in this environment as virus checking say a 1000 2MB files is just going to cripple the speed of the machine. Luckily the two safety measures outlined above reduce the risk to a vanishingly small one.

Should you not take these fairly simple safety measures then you deserve all you get and unfortunately your customers pay the price.

Anonymous said...

It is surprising that this happened in a FujiFilm kiosk. In the US, my team (SCM) delivered the camera card readers for the FujiFulm ADPC solution where write protect is default. In addition we have worked on a secure USB solution to protect the USB front port from any mischief as indicated by @fluke.

Feel like donating to me, Bitcoin; 1BASSxgFZ2j8VfXFrWJHNvYdQXDtJKAUuN or Ethererum; 0x2887D4B4fe1a7162D260CeA7E1131AF8926bd87F