State of Security: China’s Trojan Horse
March 18th, 2008

This is a "go to DEFCON 4" story that never seemed to make it beyond a couple of days of headlines. Perhaps it's because we here in the US are a trusting lot. We go about our business thinking the world is made up of folks mostly like us, then 9/11 happens, or some other awakening event. Eventually, we all go back to our normal business of "pursuing happiness."

Steve Sechrist
Senior Analyst and Editor
We do get wake-up calls now and then, and perhaps this is a time to review just such a call that hit us about a month ago. It seemed innocuous enough at first. A few weeks after Christmas, it was reported that a computer virus had been found in, of all things, digital picture frames (DPFs) from China sold under Best Buy's Insignia brand. These viruses (Trojan Horses, really) are inactive on the DPF itself, but induce the host computer to upload and run the program when the frame is plugged in.
The Trojan Horse was first reported by Best Buy as "old" and "easily removed from the picture frame by up-to-date anti-virus software." But that was not the case, nor the end of the story. Weeks later it came to light that the Trojan Horse was not limited to the Insignia brand frames, but was present in Sam's Club, Target and Costco products as well, all from China. The Trojan Horse was also far more complex, "nastier," than once believed.
Computer Associates reported that we were dealing with a Trojan called "Mocmex." They said the virus "is able to block more than 100 types of security and anti-virus software from killing it, and bypasses the Windows firewall to download files from remote locations, spreading them randomly over your hard drive and any portable storage device you plug into your PC - like, for example, a digital photo frame." Go to DEFCON 3.
Nilay Patel of engadget.com went on to report that "The Trojan is apparently set to only steal gaming passwords at present, but CA says it’s capable of stealing nearly any information on your machine, and thinks it might be a test for a much worse virus yet to come."
The same day, the San Francisco Chronicle quoted Computer Associates' Brian Grayek, who characterized it as "…a nasty worm that has a great deal of intelligence." The paper went on to report that the authors of the new Trojan Horse are "well-funded professionals" whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware. Go to DEFCON 2.
There's more. The Chronicle said, "The strength of the malware shows how skilled hackers have become and how serious they are about targeting digital devices, which provide a new frontier for stealing information from vast numbers of unwary PC owners. More than 2.26M digital frames were sold in 2007, according to the Consumer Electronics Association, and it expects sales to grow to 3.26M in 2008.
The new Trojan also has been spotted in Singapore and the Russian Federation and has 67,500 variants, according to Prevx, a security vendor headquartered in England.
Grayek said Mocmex might be a test for some bigger attack, because it’s designed to capture any personal, private or financial information, yet so far it’s only stealing passwords for online games. ‘If I send you a package but it doesn’t explode, why did I send it?’ he said. ‘Maybe I want to see if I can get it out to you and how you open it.’"
This story does get uglier. SANS, a group of security researchers in Bethesda, MD, reported that the new Trojan isn't the only piece of malware involved. Deborah Hale of SANS said the researchers also found four other, older Trojans on each frame, which may serve as markers for "botnets," networks of infected PCs that are remotely controlled by hackers. These include malware like W32.Rajump, which infected Apple's video iPods during product manufacturing in China back in Oct-06. The Chronicle reported: "It gathers Internet Protocol addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP."
Computer Associates said they have traced the Trojan to a specific group in China but would not say who they are. But keep in mind that back in December we did a DD story, "When Your Partner is Not Your Friend" (Dec-4, 2007). It reported on Chinese espionage, the use of the Chinese military, and how China is making a significant push out of the traditional warfare areas (land, air, and sea) to a more "modern battlefield" of space and cyberspace. We also quoted a report from the USCC (U.S.-China Economic and Security Review Commission) that left little room for doubt: "Chinese espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies."
The picture frame incident is not isolated: the virus (spyware) is nested into products bound for the West during manufacturing, and the attacks go well beyond individual hackers or underpaid and disgruntled Chinese workers, perhaps reaching to the Chinese military itself. Go to DEFCON 1: we are under attack.
There is one more aspect of this problem to be considered, from the point of view of Best Buy, Sam's Club, Target and Costco: when and if this Trojan ever does explode, it may be a nuclear bomb of product liability as well.