Thousands of malware-infected MP3 players have reportedly been sold in recent months, potentially harming several unprotected home and office computers around the world. Initial reports broke in Japan in mid-October, approximately two weeks after McDonald's gave away ten thousand MP3 players as part of a monthly promotion. Then, in an unrelated incident two days later, MP3 manufacturing giant Apple Computer announced that approximately one percent of its video iPods shipped after 12 September contained Windows malware, although the exact quantity remains unknown.
As the reports became public, security vendors swiftly released patches for the infected units, up to four weeks after they originally hit the market. Vendors were quick to blame manufacturers’ neglect as the root of the outbreaks, rather than a direct malicious attack, reflecting the need for manufacturers to demonstrate vigilance when it comes to security.
“It is almost certain that Apple Computer’s manufacturing plant at the product testing stage wasn't running any antivirus product, or, if one was installed, that it hasn't been updated since mid-year 2006,” said Jaime Lyndon A. Yaneza, senior threat researcher and analyst, security and intelligence group (CTO), at security vendor Trend Micro.
“It’s just the latest manufacturing mistake, much like the numerous other reported instances from other companies. This isn't the first time we've seen hardware devices and media accidentally shipped with malware,” said Yaneza.
Global security vendor Sophos also believes the outbreak was accidental, rather than intentional. “They probably just plugged some iPods into a Windows computer for testing purposes and accidentally infected them. I don't think this was an intentional malicious attack,” said senior technology consultant Graham Cluley.
The MP3 players carried disparate types of malware designed to extract varying data. The McDonald's MP3 players carried the QQPass trojan, configured to steal user passwords. “[It] had a key logger enabling it to capture sensitive information from PCs,” said McAfee’s Michael Sentonas, Asia Pacific director of professional services.
The iPods carried WORM_SIWEOL, which is famous for hijacking PCs and propagating across unprotected networks. “[It] virtually makes affected desktops into zombie computers that could be harnessed into a botnet,” explained Yaneza.
Apple declined to comment beyond its official company advisory, which stated that there were fewer than 25 reports concerning the problem. The company advised that anti-virus software should remove the malware, and that other iPod products were not affected. In addition, Apple stated that Microsoft should have taken appropriate steps to fix the vulnerability in Windows. “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it,” said Fiona Martin, public relations manager for Apple Computer Australia.
But was this advisory enough? Yaneza believes that the statement lacked information such as serial numbers and specific model and batch details, and failed to mention preventive steps in further manufacturing processes; instead, it left it up to the user. For more information, he was forced to conduct his own investigations, which allowed him to discover that the 5.5G version of the 30GB iPod was affected mainly in east coast USA: Dallas, Boston, Madison and Wisconsin.
“A cursory analysis of the advisory shows a lack of really helpful information for users and looks more of a cheap shot at Microsoft’s expense,” said Yaneza.
Whether MP3 players will be a major vector for security risks is debatable. Analyst group IDC said that in 2005 MP3 player shipments grew by 190.8 percent in Australia, and in March 2006 analysts predicted that the market will experience a compound annual growth rate of 12.5 percent from 2005 to 2010, reaching 3.52 million unit shipments. The continued growth rate of MP3 player unit sales indicates the high volume of PCs that could potentially be at risk from this kind of vulnerability in the future. Security vendors, it seems, disagree on the severity of the future risks.
Sentonas believes that infected MP3 players are not a major risk to the future threat landscape; rather, the bigger issue is an uncontrollable Windows feature.
“The auto-run feature on Windows is a cause for problem as it plays any type of removable media without checking for malware,” said Sentonas.
On the other hand, Yaneza believes the problem has potential risks in the future, especially as the units evolve and increase in popularity. “Ever since portable storage devices were made available, they have been both a boon and bane. As miniaturised, yet larger storage becomes readily available, the threat of information theft also rises.”
Regardless of whether the threat will increase or decrease in the future, control methods for enterprises are available and the common rhetoric voiced by security vendors is the need for education and up-to-date security software.
“Businesses need to implement security policies to protect their assets as well as educate employees on proper usage of these devices within company premises.
“The sage advice that consumers should keep their security and antivirus products/services updated is still the best, particularly since a lot of outsourced manufacturing is being done, and sometimes the ability to monitor the quality of released products is unreliable,” said Yaneza.
Infected MP3 players: Is your business at risk?
By Negar Salek on Oct 31, 2006 1:25PM