Latest problem import? Infected digital photo frames

In 2007, U.S. officials recalled melamine-laced pet food that caused the deaths of cats and dogs and lead-coated toys that endangered toddlers. Now, digital photo frames infected with computer viruses are the latest problem import from China.

"That phenomenon apparently has bled over to the digital side as well," Marcus Sachs, director of the Internet Storm Center at the SANS Institute (SysAdmin, Audit, Network, Security), said of the Chinese manufacturing problems that get exported. "Essentially, it's a supply chain problem. We've become dependent on a cheap source coming out of Asia."

The culprit is believed to be poor quality-assurance testing procedures in which one of every 1,000 or so devices is plucked off an assembly line and tested on a computer that is infected with a virus, he said.

Before Christmas, Samsung and Amazon issued alerts warning customers that some Photo Frame Driver CDs for Samsung's SPF line of digital photo frames contained a virus in the frame manager software. Customer PCs running Windows XP are at risk of being infected by the virus, W32.Sality.AE, which drops a keylogger or backdoor onto the system.

Element and Mercury brand frames sold at Circuit City and Wal-Mart, respectively, also were reported to be infected, according to the San Francisco Chronicle.

Sales of digital photo frame are increasing and Chinese suppliers produced more than 8 million in 2007, according to MarketResearch.com. Their plug-and-play use and the fact that they serve as a digital replacement for paper albums make electronic picture frames popular holiday gifts.

A year ago, Insignia digital picture frames were pulled from shelves and online sites after Best Buy learned they could be carrying a virus. Also reported to be infected then were digital frames from Advanced Design System, Digital Spectrum, and Castleton. But digital frames aren't the only electronic items found to carry a hidden payload. Other malware-infected devices have included MP3-playing sunglasses, a flip video camera, and Maxtor external hard drives, according to the SANS Internet Storm Center.

"Anything that has flash storage or bootable storage is exposed to this kind of threat," said Dave Marcus, director of security research for McAfee Avert Labs. "It doesn't mean you shouldn't buy them. You should just realize before you plug it in that you might want to disable the Windows auto-boot functionality and run an antivirus scan on it, just to be safe."

For instance, the ubiquity and convenience of USB thumb drives make them a growing propagation vector. A virus outbreak on a U.S. Department of Defense network prompted officials to temporarily ban the use USB drives, CDs and removable storage devices in November.

Security Web site Attrition.org maintains a list of products shipped to customers that were found to be infected with viruses and other malicious or odd programs. The list, which goes back to 1990, includes a credit card terminal that contained a bug to steal credit card information, MP3 players, USB drives, and other hard drives with computer worms, and a Cisco VPN Client CD that had MP3s of Mexican drug-runner folk music known as "Narcocorridos," all in 2008. Then there are the infamous Video iPods that shipped in 2006 with a Windows virus. (And just last April, a colleague bought a re-conditioned iPod Nano that arrived with a virus.)

"This list is not complete, yet it should make you realize that nothing is safe," the Attrition.org site says in a cynical warning. "Every piece of electronics you buy and every piece of software you install may come with malware pre-installed. Rather than manufacturers introducing a higher set of quality controls to prevent such incidents, we will no doubt see companies produce new products that will help keep you 'safe' from such threats. These 'controls' would no-doubt be another band-aid on top of band-aids that make up a lucrative market, which is sad commentary about how customers perceive and receive 'electronic security.'"

The problem is getting serious enough to merit congressional hearings on how to protect consumers against getting harmed from the electronic products they buy, said Sachs of the SANS Internet storm.

Right now the best protection against being infected by viruses in new devices is to keep antivirus software up to date, and disable Windows' AutoRun features and instead manually launch programs and installers when devices are inserted. The CERT security research organization has more information on the risks associated with AutoRun on its Web site.