Malware through hardware still around

Following the security fiasco that was the shipping of an HTC Magic phone complete with pre-installed malware, one would think that Vodafone could come up with a better excuse than “this was an isolated local incident”, especially when you take into consideration that the phone was widely distributed throughout various European countries.

Instead of issuing a widespread notice to warn users that their computers could get infected, they chose to discontinue the distribution of the phone and to wait and see if anyone else noticed anything suspicious.

It was a wrong call (pun intended) on their part, because the news spread all over the world and there were other IT security workers who bought the phone. One of them works for S21Sec, a company whose speciality is banking trojans and vulnerability research, and upon reading the news, he immediately set out to test the device he received.

Surprise, surprise – the phone contained the Mariposa botnet client with an autorun feature, as well as a Win32/AutoRun worm. He then contacted Panda Security – the company that discovered the first infected phone – sent them the microSD card, and allowed them to connect to his PC to analyze what had happened.

In short, they found out that the botnet client is the same one they encountered last week, made to link with the same C&C servers and to connect to the same botnet. For all those out there who are suspicious of their findings, they included a screenshot of the detection in the AV solution that the researcher from S21Sec had installed (not a Panda solution).

On a related “hardware distributing malware” note, the file bundled with the Energizer Duo USB battery charger, which installed a backdoor Trojan on users’ PCs, was – according to The Register – still being distributed by a European site operated by Energizer as late as this Wednesday evening.

Can you say “adequate response fail”?

