Asus Ships Eee PCs With Malware 124
An anonymous reader writes "'According to an email sent out by Asus, PC Advisor reports, the Eee Box's 80GB hard drive has the recycled.exe virus files hidden in the drive's D: partition. When the drive is opened, the virus activates and attempts to infect the C: drive and any removable drives connected to the system.'"
How did they... (Score:5, Funny)
Close, but no cigar (Score:3, Insightful)
Quoting TFA:
According to Symantec, the malware is likely to be the W32/Usbalex worm, which creates an autorun.inf file to trigger recycled.exe from D:
The real bug is any O/S stupid enough to be designed to automatically execute things on media when loaded. That's a remarkably stupid design.
Re: (Score:2)
Re: (Score:2)
Prompt or no, it's still a stupid thing to do. You do not want to run anything new landing on a system by default or even prompt to have it run.
It's a remarkably stupid design.
Please clarify how it is remarkably stupid (Score:3, Insightful)
You do not want to run anything new landing on a system by default or even prompt to have it run.
It's a remarkably stupid design.
So should a DVD player or home theater PC not start the DVD or prompt the user to start the DVD? Should a video game console or gaming PC not start the game or prompt the user to start the game? Please clarify.
Re:Please clarify how it is remarkably stupid (Score:5, Insightful)
A DVD player is a single purpose device, it reads data from the drive and may execute some sandboxed scripting, unless there are security holes in the player program it's unlikely to be an issue, and since dvd players are typically standalone its unlikely to be a problem.
A games console is also a single purpose device, it's purpose is for providing entertainment...
A fully fledged computer is not a single purpose device, whereas some are used like games consoles solely for entertainment, some people actually try to get important work done on them and deal with confidential data using them. If something is a toy then fair enough, but for a critical tool that could hold the keys to your business and finances there is no way it should do something so stupid as to execute unknown binaries as soon as media is inserted.
The sooner people separate their devices, and stop trying to conduct business or deal with their finances on the same machine they use as a general toy the better.
Re:Please clarify how it is remarkably stupid (Score:4, Insightful)
The sooner people separate their devices, and stop trying to conduct business or deal with their finances on the same machine they use as a general toy the better.
No. No. No. Thats exactly what the software/hardware companies want us to do. For example, the TiVo is basically a computer, however, it cannot be modified to run whatever we want it to run unlike a computer. The hardware companies and software companies want us to have one device per purpous, that rather than just having 2 desktops and a laptop they want us to have an iPod for playing music, a TiVo to only record shows, a gaming PC only for playing games, a work PC only to work on, a cell phone only to make calls, a camera only to take pictures, etc.
Re: (Score:2)
Don't know why parent would be marked "Insightful".
Hello! This is Slashdot, we LIKE general purpose computers here.
IMO you are making a silly argument to cover for Windows' malware problem (the blame for which rests partly with its crappy architecture, not just its popularity).
Re: (Score:3, Funny)
ubuntu does it (Score:1)
when you insert a ubuntu install dvd....
But seriously, asus should have configured their system to never do it, or at least bundle with avg.
Re: (Score:2)
A prompt will only decrease the percent of people that fall victim.
Exactly, hence my comment "it's a remarkably stupid design."
Re:Close, but no cigar (Score:5, Insightful)
A prompt will only decrease the percent of people that fall victim. IMO, if an inserted media has files flagged to autorun, a prompt should only appear if a user has already installed a program to handle that format. In this sense, a DVD can have a 'play DVD' prompt *IF* the user has approved that behavior and *IF* the program executed is already installed.
DVD (or anything that "has already installed a program") does not "run", it contains no executable code, only data and minimal scripts that are interpreted (or ignored) by the player.
The idea to ACTUALLY RUN EXECUTABLE CODE JUST BECAUSE IT APPEARED ON SOME MEDIA is far, far more stupid than any automated playback. When player is automatically started, it might create a security hole because player may be buggy. Running executables is a security hole all in itself. There should be no questions, no dialog boxes, no anything that will even suggest that the user might want to run those things until the user runs the executable or installs it as a handler for something.
Tedium of manualrun to start a game (Score:2)
There should be no questions, no dialog boxes, no anything that will even suggest that the user might want to run those things until the user runs the executable or installs it as a handler for something.
Say a user inserts a game disc into a set-top PC. Without autorun, how does the user start the game on the disc? And how do I explain this to Joe Sixpack who hooked his PC up to his HDTV through a VGA cable and just wants to play a game that the Big 3 console makers don't want?
Re: (Score:2)
The same way how he figures out the proper procedure to open extra-armored, welded over the whole perimeter plastic packaging that most of cheap computer peripherals now come in (expensive ones, counterintuitively come in easy-to-open-and-steal cardboard boxes with plastic or foam spacers). I cut those things with scissors that should be straightened and re-sharpened after each such procedure.
It doesn't matter how because it only should be done once.
Re: (Score:2)
http://www.myopenx.com/ [myopenx.com]
Never tried one, just remembered about it and thought you might like to know.
Re: (Score:1, Informative)
Explain to Joe Sixpack that he should go to My Computer and double click on the game's icon there.
Even on Windows systems where autorun is disabled, the autorun will activate if the user double clicks on the drive's icon. Actually exploring the disc requires using the right-click context menu.
Re: (Score:2)
A:\install.bat
Most new PCs no longer include a floppy drive (A:), and the drive letter of the optical drive depends on how many partitions the OEM decided to put on the hard disk (ending up at D:, E:, or sometimes even F:).
Re: (Score:1)
Re: (Score:2)
Automatically launching whatever executable code a magic file like autorun.inf points to, on the other hand, is one of the most frightening security tradeoffs Microsoft has ever made.
The trouble is when MS did it back in 1995 the world was very different. IIRC they didn't do it for floppies or "removable disks", only for CDs and hard drives. Hard drives were things that generally got left in machines (yes external scsi did exist but it was not commonly used). CD burners were practically unheared of so the o
Re: (Score:1)
DVD (or anything that "has already installed a program") does not "run", it contains no executable code, only data and minimal scripts that are interpreted (or ignored) by the player.
That was true for CD's...Until certain media companies decided to make rootkits and other copy protection software install, without prompt, via the autorun feature.
Re: (Score:2)
No. "Certain media companies" (Sony) rootkit relies on... autorun. Without this misfeature of Windows those CDs would be absolutely harmless.
Re: (Score:2)
I agree, my parents always told me not to take candy from strangers.
Re: (Score:2)
In general, yes. But normally one would trust files on your own hard disk.
Re: (Score:2)
In general, yes. But normally one would trust files on your own hard disk.
Sigh. You're new here, let me try a car analogy.
This is like driving a car in the US with a large sign on top that lights up "I WANT TO BUY SEX FROM YOU, open the passenger side door and give it to me baby!" every time you drive by a person of your preferred gender on the sidewalk.
Clear now?
Re: (Score:3, Funny)
Hey, there's an idea!
/runs off to the shop to buy a spray can of paint.
Re: (Score:1, Troll)
1) I'm not new here.
2) Anyone who uses car analogies to explain computers is either a troll or an idiot.
Re: (Score:1)
But I may not trust files on a CD or a USB flash memory. That stupid idea was introduced with windows 95 (I believe), and on windows XP it is very hard to disable (there is no way of just selecting "do not read autorun.inf file", you have to hack the registry to do it (just disabling autoplay in gpedit.msc will work only on media that was inserted after booting windows).
Re: (Score:2)
I believe autorun.inf files should be used only for convenience when installing software from CD's. That's what they were made for.
But an autorun.inf from a read-write medium!? You're 100% right - it's an extremely stupid idea. And it's annoying since my own USB files get infected once in a while. I have to delete the autorun.inf and whatever .exe sneaked in whenever I open it in my Linux box.
Re: (Score:1)
Maybe sutorun was convenient before recordable CDs were invented. Even then, sometimes it was a PITA. For example - I start a game, it prompts me to insert the CD. I insert it and the game begins. Also, setup is launched automatically.
What is more stupid is that there is no "easy" way of disabling it, you have to hack the registry or autorun.inf file will be read even though autoplay is disabled (it will be read on startup, if you leave the CD in the drive or the file is in a hard drive or a USB flash memor
That's why you shut off auto-pwn (Score:1)
Re: (Score:2)
Microsoft should be shot for leaving this feature on by default.
? They are the idiots who incorporated the misfeature ignoring decades of prior experience in the field.
Re: (Score:2, Informative)
Even if you disable autoplay with group policy, the autorun.inf file will be read during startup, if you leave a CD in the drive or the autorun.inf file is on a hard drive...
You have to hack the registry...
Re:That's why you shut off auto-pwn (Score:4, Funny)
hack the registry? that sounds hard i think im just going to install gentoo instead.
Re: (Score:1)
"hack the registry" :)
basically you have to run this command
%systemroot%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf" /ve /d "@SYS:DoesNotExist" /f
It tells windows to read a registry key called "HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist" instead of autorun.inf file (when such a file exists). Since the key does not exist, windows thinks that the autorun.inf file is empty...
more info here: http://nick.brown.free.fr/blog/2007/10/memory-stick- [brown.free.fr]
Re: (Score:2)
autopwn, yay genius
Re: (Score:1)
Shipped it with an 80G hard drive. After you remove all the pre-installed bloat you could have about 10G for whatever you see fit!
Quite an accomplishment ... (Score:3, Funny)
Re: (Score:1)
Asus... (Score:1, Funny)
FFFail.
Appropriate for the D drive (Score:5, Funny)
D:
Windows is NOT a virus (Score:5, Funny)
No, Windows is not a virus. Here's what viruses do:
* They replicate quickly - okay, Windows does that.
* Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that.
* Viruses will, from time to time, trash your hard disk - okay, Windows does that too.
* Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
* Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. Yup, that's with Windows, too.
Until now it seems Windows is a virus but there are fundamental differences:Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.
So Windows is not a virus.
It's a bug.
Re: (Score:2)
Re:Windows is NOT a virus (Score:4, Interesting)
Re: (Score:1)
You've obviously not looked at much virus, worm, or malware software. It's mostly crap, assembled by people who think that inventing their own version of a sorting function or a password checker makes them 3l33t. Some of it is insightful, but mostly it's assembled like kids building go-carts from a junkyard of parts.
Ten years ago this was certainly true. A lot of the commercial malware coming out of Russia today is as well written or better written (and certainly better-tested!) than standard commercial software. In capitalist Russia........ Profit!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That was really creative and entertaining when I first saw it back in 1998. Thanks for the blast from the past.
Next time, however, maybe you should attempt to come up with, you know, a *new* joke.
Too bad they didn't stick with only Linux (Score:5, Funny)
...then maybe this wouldn't have happened?
Take a great concept- the netbook... a small, light, inexpensive, flash-based, long-battery life, Linux based system. Then ruin it by making it a large, heavier, expensive, hard-drive based, medium battery life, MS-Windows based system.
Oh well. I guess some people didn't "get it".
Re: (Score:1)
Asus ships Windows because they are in this business to make money.
We have been around this track before.
Confirmed orders for the Linux only XO laptop stalled at around 700,000 units. Summary of laptop orders [wikipedia.org]
When MSI ran into serious trouble with Linux returns, the geek was there with 660 excuses. Netbook Return Rates Much Higher For Linux Than Windows [slashdot.org]
Re: (Score:2)
Confirmed orders for the Linux only XO laptop stalled at around 700,000 units.
XO is neither designed as a consumer laptop, nor is available for purchase by individual users.
Re: (Score:3, Interesting)
When MSI ran into serious trouble with Linux returns,
The problem is, MSI doesn't say 4x what.
Thus, it's a meaningless statistic, and every time you read an article that mentions "Linux returns 4x greater than Windows" you wasted time learning nothing.
Re:Too bad they didn't stick with only Linux (Score:5, Interesting)
Strange. I am using Ubuntu right now using WPA2 and it seems to be working. Or, I could just be imagining this.
Which is entirely possible, because I can't understand why someone would be afraid to post a slashdot post without clicking the Anonymous button.
Re: (Score:3, Informative)
The Eee ships without a wireless stack that can do WPA, or at least did. I worked on one for someone, and that was their issue. This may have changed by now, but it sure was a stupid move at the time.
Re:Too bad they didn't stick with only Linux (Score:5, Informative)
That may have been true of the Eee 700 series, but I have an Eee 900 and it had no trouble connecting to my WPA-PSK access point with the default software. It would've been easier with NetworkManager [gnome.org] instead of their custom configuration interface, but it worked nonetheless.
What I really don't understand is why, for a project which started out Linux-only, it contains so much hardware with mediocre-to-poor Linux support: the wireless card and the Ethernet adapter both require out-of-kernel drivers; the ACPI interface can't seem to get the battery capacity right; the sound support is flaky at best due to incomplete specs; and yet another driver was required for basic ACPI support (now part of the kernel). I managed to get it all working under a stock distro (Debian) eventually, and I'm quite happy with it -- I like a challenge now and then -- but if you're going to build a Linux laptop, why not pick hardware known to be compatible?
Re:Too bad they didn't stick with only Linux (Score:4, Insightful)
Because the use of Linux was accidental, not the objective. The target was to make it inexpensive.
Re: (Score:1)
Re: (Score:2)
if you're going to build a Linux laptop, why not pick hardware known to be compatible?
Because for ASUS putting together a set of linux drivers that will make the hardware work is a minor cost. When you are buying in the quantities ASUS is hardware manufacturers *WILL* cooperate.
Afaict thier primary aim was to make a PC that was both small and cheap. I dunno why they shipped with linux first (they provided instructions and drivers for setting up windows from the start) but my suspiscion is they did it primer
No WPA has ALWAYS worked on the eee (Score:2)
The Eee ships without a wireless stack that can do WPA, or at least did. I worked on one for someone, and that was their issue. This may have changed by now, but it sure was a stupid move at the time.
I have a 701 and it connects to my WPA secured access point just fine, and always has (using the default Xandros installation). The setup was an extremely trivial point and click exercise. The hardest bit was correctly entering the passphrase, as it puts it into a password type field (hashed out as you type). That's not a bad security feature, but it doesn't help usability. I ended up copying and pasting it.
If it ever couldn't do that it was *very* early in the piece. I bought one of the first ones in
Re: (Score:2)
Maybe it was PEAP/LEAP. That could have been what didn't work. Or use with hidden SSID's
Re: (Score:1)
Re: (Score:3, Informative)
The 701 EEE could use WPA-PSK, the wireless encryption common to most consumer grade routers.
What it can't do is WPA-EAP that is commonly found in corporate environments and universities. This is probably what the parent was trying to say. You can see it's SSID, but when trying to connect it only gives a box for you to type the password but nowhere for the username.
The workaround for it was to install the wpa_supplicant package from Debian and hope that it worked.
Re: (Score:2)
Perhaps that's what he meant, but I'm going to go out on a limb here and suggest that he was just trolling and couldn't figure out what the hell he was doing.
WPA-EAP isn't quite as common as you make it out to be though; most of the time you'll find multiple SSID's for various networks (or an automatic mac-based authentication scheme.) It sucks because Wireless encryption/auth is still a moving target and it can be difficult to find a middle-ground between supporting the most devices and having the best s
Re: (Score:2)
Hey jackass, that does happen to be what I meant, as my university uses enterprise authentication. But, really, thanks for everything you've added to this conversation. What do I owe you?
Incidentally, in your basement, WPA-EAP is not as common as parent makes it out to be, but in universities, enterprise offices, etc. it is common enough to have generated quite a bit of traffic to the network manager mailing lists whenever a certain combination involving WPA-EAP stopped working.
Re: (Score:2)
Hello Mr. Hyper-Sensitive Man!
I was actually referring to the original poster that posted AC - the one that said "I'll tell you what I didn't get: an operating system that can speak WPA2 without shitting all over itself."
I have actually run about a dozen WiFi network installation projects (businesses/schools with over 50 AP's) in the last year.
I've also consulted various businesses around the state as part of my job, and not a single one was using EAP because of device compatibility.
It's a good tech, and ho
Re: (Score:2)
Something tells me 12 places is not enough for a representative survey.
Re: (Score:2)
Yea just ignore the whole part about you flying off the deep end because you thought I was making a negative comment about you. Good move.
I mean, you could have just let it be, and retained maybe a LITTLE bit of dignity, but nope, that's not how you roll, little man.
I've been PM for at least a dozen fairly large wireless installations, and I've been all over the Northeast to hundreds of different businesses - big and small - and only five used EAP because of the current device compatibility issues. It's
Re: (Score:2)
"Parent" would be me, not the other guy.
Kinda funny how everyone on Slashdot has worked for hundreds of different big businesses whenever they need to prove a point with very little evidence, isn't it?
Re: (Score:2)
I agree with ryanov, the poster might have been commenting about problems with WPA2 on the EEE pre-installed version of Linux, rather than Linux, in general. Or, he might just be a troll.
But cbreaker is also right- loading Mandriva (or certain other distros) on the EEE will certainly solve the WPA2 problem with the stock, limited Linux.
Re: (Score:2)
Every time I've tried Ubuntu, it couldn't speak WPA1 (but WPA2 was fine) without shitting all over itself, nor could it work with APs that weren't broadcasting their SSID...
Re: (Score:2)
I tried out the latest Ubuntu beta as recently as today with WPA2 and a hidden SSID. Worked with an Intel 3945abg in a laptop. My problem with random hardware is always sound in Linux, not networking :/
Re: (Score:2)
Last time I tried it with wireless was with 7.10, though, with an Atheros card, not sure the exact model.
Re: (Score:2)
It's probably a "YMMV" type thing. Both notebooks I've been running Ubuntu on have Intel WNICs. And, there's sometimes big differences between Intel cards. Maybe I've gotten lucky.
The support is there in the OS, and I've found that Ununtu is better at dealing with LAN/WLAN switching and VPN connections than Vista (more flexibility for sure) and the problems usually come from driver issues (or kludgy work-arounds to make them work under Linux.)
Just sloppy. (Score:3, Insightful)
Just another reason to always build and verify your own system images, I guess.
Re: (Score:2)
I guess so. But out of the millions and millions of PC's that have shipped with Windows, only a very, very small few (thousands) have shipped with something like this. And of those, only a few hundred of these went out, and it's not like the virus was running - it was in the deleted items area.
Sloppy, yea, and a big oops. But really, I don't think it's that big a deal.
Re: (Score:2)
Re: (Score:1)
... And of those, only a few hundred of these went out, and it's not like the virus was running - it was in the deleted items ...
Except that all autorun.inf viruses that I saw (on a USB flash memory) used \RECYCLED to store their executable, and the .inf file would look like
open=\RECYCLED\desktop.exe
Re: (Score:1)
because it suggests that high-density fuckupitude, rather than sophisticated malice
Hammer hits nail square on the head.
Wish I had the mod points
What's the problem again? (Score:2)
I was only interested in a couple things with the eee:
- It runs Linux well.
- It's really small.
- It's pretty cheap.
That's about it. Any business of this thing running Windows in the first place is a mystery to me. We bought a number of these for students here and they love them to death (yes, even with Linux).
Re: (Score:2)
A lot of folks love running Linux on these small devices. It's small, boots fast, does what you want it to do. I know I like Linux on these kinds of toys.
But, this one is billed out to be a mini-PC, and a lot of people wanted Windows on it, so Asus made a model that is big enough to run Windows.
Ho hum.
Re: (Score:2)
Re: (Score:2)
Afaict there are two types of user for theese new "netbooks" and the closely related EEEBox
One is people who want a simple system for web email and maybe some light word processing. Theese people are happy with the cheaper linux models.
Then there are people who want an ultraportable laptop (or in the EEEBox's case a miniture desktop) but couldn't previously afford one. Yeah the specs on an EEE aren't great but it's perfectly capable of running older games like starcraft (blizzard generously modified this to
Thank FSM (Score:2)
Oh thank god I have the 20GB version. Also Linux.
Inaccurate Title (Score:5, Informative)
The Eee PC is Asus' line of netbooks. The Eee Box is Asus' line of nettops. While in some ways they are similar, in other important ways they are very different products.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
With the malware, maybe they should be called "Aieee"?
Re: (Score:2)
The EEEBox looks pretty similar to the EEEPC 1000H to me. The differences seem to be
* more flexible memory card reader
* more ports
* no battery
* no screen
Storage, processor, chipset and ram all seem to be the same.
Linux Version (Score:5, Funny)
I bet it doesn't come on the Linux version.
When will we get equal treatment from hardware vendors?
Re: (Score:2, Interesting)
Re: (Score:1)
Re: (Score:2)
>> Dear Slashdot Reader
>> This is an open-source virus.
>> Please forward it to all your friends
>> Then, as root, run "dd if=/dev/urandom of=/dev/sda"
There - fixed it for you.
Re: (Score:2)
Windows on netbooks/nettops really makes no sense. I bought my wife an EEE PC a while back. She doesn't like computers in general, and I can't say that she's seen the difference really. She cares about browsing the net and reading her email. That works like a charm with the included Xandros Linux.
When I get mine (they are soo cute, gotta have one ;) it's going to be sporting Ubuntu EEE which seems to be maturing nicely.
I have the linux version! (Score:2)
And no, I don't have it!
Though on a more serious note, I must admit the headline did concern me. The Xandros linux which ships with the EEE is very easy to use, albeit setup a little insecurely. I like the fact that I don't have to login, but it makes me wonder if they did a good security analysis. If they did, and decided to do automatic login for usability, I don't have a problem with that; but I can't help but wonder if for the sake of expedience they discarded all of the other security as well.
Re: (Score:2)
Simply because it wouldn't be so hard to just load a virus, written specifically to the Linux version that EEE is using. Shouldn't be hard and will achieve the same thing.
Isn't that always the way, though? Here the community has provided perfectly functional [wikipedia.org] Linux malware and the manufacturer has ignored all that work. Talk about a missed opportunity.
Re:Linux Version (Score:4, Funny)
Shouldn't be hard and will achieve the same thing.
What's that, watching people download porn or blag stuff to Facebook?
You should never use one of these for anything serious anyway, you can get root on one of them by scratching its belly and rubbing its ears.
Asus 3e. Now with Windows! (Score:2)
And a bright, shiny prize in every box.
Good to the last byte!
But mind the spoilage date.
Re: (Score:3)
Why is it that many people suddenly don't seem to learn punctuation and capitalization in school anymore? Your post might be very interesting or insightful but sorry, my eyes hurt just looking at it.
Re: (Score:2)
I think they learned punctuation and capitalization, but don't use it because it is a pain in the ass to use them in sms texts, and those habits have carried over to the internet.
Look on the bright side. You can save space by reducing ascii to five bits. we won apostrophe t have all the numbers or any puctuation comma but you can just spell those out stop it will be exactly like the old telegram messages in movies stop cool exclamation smiley stop
Re: (Score:2)
Wow. Just... wow. (Score:3, Funny)
I don't know if it's because I'm running on no sleep, or that images of patch panels are swimming in front of my eyes due to a late-night rack-a-thon, but that was one fine rant.