[ale] Checking photo frames for Windows malware

Robert Reese~ ale at sixit.com
Tue Dec 30 14:04:00 EST 2008


> The SFGate article reports that "Deborah Hale at SANS suggested
> that PC users find friends with Macintosh or Linux machines and
> have them check for malware before plugging any device into a PC."
>
> My question is - how could this be done? Could I boot with a Live
> CD and then plug in and scan a USB picture frame for malware?

No need to go through so much trouble.  On a non-Windows computer, just open the 
USB picture frame as a drive and look at the files. There should be no 
executable files there unless you find reference to those files in the 
documentation or the packaging.  If you do find them there, delete them or 
rename the extension to ".suspect" or something similar.  Personally I'll zip 
and delete the source.

On a Windows computer, the best way to avoid that type of infection is to make 
sure that Explorer shows hidden and system files and shows extensions.  Why MS 
hid extensions is mystifying to me.  Also, turn OFF autorun capabilities.  
Google has plenty of returns on how to do this specific to the version of 
Windows.  Further, NT-based systems should be using limited accounts rather than 
Admin accounts.  And lastly, good anti-malware software is critical for all but 
the most tech-savvy Windows users.

By the way, this is more common than you'd imagine; I had first-hand experience 
two years ago.  Fisher-Price, the large toy maker, sold a child's MP3 player (an 
"FP3" player) that used proprietary formatting and Windows software to convert 
and play the software.  Very DRM-heavy.  So I wasn't completely shocked when I 
found the player had an executable in its memory.

I don't like DRM so I pulled it down and examined the file.  It turned out to be 
a trojan/worm (Win32/Perlovga.A to be exact).  This was a factory-sealed 
product when I got it; I'll bet you never heard a word from Fisher-Price warning 
its customers about this.  Of course, they quietly and abruptly halted 
production of this last year... right around the time the lead paint problem was 
prevalent.

But it really isn't necessary to go through the hassle of scanning the thing for 
malware using specialized disks or software.

Cheers,
Robert~
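
As an added example of the non-Windows check described above (this script is not part of the original post or the list thread), here is a small POSIX shell script that walks a mounted USB device, flags anything that looks like a Windows executable or an autorun hook, and renames the hits to ".suspect".  It catches files by Windows-executable extension, by the PE/DOS "MZ" magic bytes regardless of extension (so a "photo.jpg" that is really an .exe still shows up), and by the name autorun.inf.  The mount point, the extension list and the sample file names are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a mounted USB
# photo frame / MP3 player from a Linux or Mac box and quarantine
# anything that Windows would treat as executable.
#
# Assumption (mine): the device is mounted read-write at the directory
# passed as $1, e.g. /media/frame.  Files already ending in .suspect are
# skipped so the scan can be re-run safely.

# Print one path per line for every file under $1 that looks suspect.
find_suspect_files() {
    mount_dir=$1
    find "$mount_dir" -type f | while IFS= read -r path; do
        name=$(basename "$path")
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.suspect)
                # Already quarantined on an earlier run.
                continue ;;
            autorun.inf|*.exe|*.dll|*.scr|*.com|*.bat|*.cmd|*.pif|*.vbs|*.js|*.lnk)
                # Windows will run or auto-launch these by extension.
                printf '%s\n' "$path"
                continue ;;
        esac
        # The extension can lie (Windows hides it by default anyway), so
        # also check the first two bytes for the PE/DOS "MZ" header.
        magic=$(head -c 2 "$path" 2>/dev/null)
        if [ "$magic" = "MZ" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of suspect files under $1 (handy for a quick "is it clean?" check).
count_suspect_files() {
    find_suspect_files "$1" | wc -l | tr -d ' '
}

# Rename each suspect file to NAME.suspect so a double-click or autorun
# on a Windows box will not execute it; report what was renamed.
quarantine_suspect_files() {
    find_suspect_files "$1" | while IFS= read -r path; do
        mv -- "$path" "$path.suspect"
        printf 'quarantined: %s -> %s.suspect\n' "$path" "$path"
    done
}

# Usage (mount point is an assumption):
#   quarantine_suspect_files /media/frame
```

Two caveats worth keeping in mind: the magic-byte test only catches PE executables, not every kind of payload, and none of this stops a file from being executed on the machine doing the inspection.  On Linux, mount the device with "-o ro,noexec,nodev" while looking at it, and remount read-write only for the rename step.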
