
You Wanna Buy A New Harddisk, Better Check This!


AlexLah


From (Dutch) Kaspersky website:

Security mavens from Kaspersky say they have discovered a nasty virus that came pre-installed on Maxtor external hard drives sold in the Netherlands.

The virus, dubbed Virus.Win32.AutoRun.ah, was found on the Maxtor 3200 Personal Storage, according to this press release from Kaspersky (translated from Dutch to English courtesy of FreeTranslation.com).

The company said the virus roots around a computer in search of gaming passwords. The malicious code also rifles through a computer's contents and deletes mp3 files, according to a separate description of the virus, also from Kaspersky.

A spokesman for Seagate, which recently acquired Maxtor, said the company was investigating Kaspersky's findings. "This scenario seems unlikely because the 3200 does not have any software preloaded on the drive so there is not an opportunity for a virus to be loaded," he said. "Yes the drive is formatted but I have never heard of a virus that lives in the master boot record."

The report comes days after the discovery that Medion laptops shipped to stores in Denmark and Germany were infected with a 13-year-old virus. "Stoned.Angelina" was a low-risk virus that infects the master boot record of a hard disk. Apart from its ability to replicate, it carries no payload.

The virus infecting the Maxtor drive, by contrast, was discovered less than four months ago, and considering claims of password theft, it appears to rise significantly above the nuisance level. What's more, it's installed as soon as a user plugs in the drive and double clicks on a corresponding icon, according to Kaspersky. It tries to install itself with an autorun.inf file in the root of the external disk which runs a file called GHOST.PIF.

The virus was found on several Maxtor hard disks of various capacities bought on Monday. Kaspersky speculates they were infected during formatting in the factory.

More news as it breaks!!

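The article says the infection relies on an autorun.inf in the root of the external disk that runs GHOST.PIF. The following check is an added example, not part of the original post or of any Kaspersky tool: it parses an autorun.inf and lists every entry that would start a program. The sample file is constructed, and the extension list is an assumption.

```python
import re

# Constructed sample, modelled on the article's description (an autorun.inf
# in the drive root that runs GHOST.PIF); it is not a captured file.
SAMPLE = r"""
; constructed example
[AutoRun]
open=GHOST.PIF
shell\open\command=GHOST.PIF
icon=drive.ico
"""

# Assumed list of extensions that Windows treats as directly runnable.
RISKY_EXT = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value):
    """Program part of a command line, honouring a leading quoted path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def launch_targets(entries):
    """List (key, program, risky) for every entry that starts a program."""
    hits = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            program = first_token(value)
            hits.append((key, program, program.lower().endswith(RISKY_EXT)))
    return hits
```

Run against the autorun.inf in the root of a newly bought drive before opening it in Explorer; any hit with `risky` set to `True` deserves a closer look.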

A spokesman for Seagate, which recently acquired Maxtor, said the company was investigating Kaspersky's findings. "This scenario seems unlikely because the 3200 does not have any software preloaded on the drive so there is not an opportunity for a virus to be loaded," he said. "Yes the drive is formatted but I have never heard of a virus that lives in the master boot record."

The report comes days after the discovery that Medion laptops shipped to stores in Denmark and Germany were infected with a 13-year-old virus. "Stoned.Angelina" was a low-risk virus that infects the master boot record of a hard disk. Apart from its ability to replicate, it carries no payload.

Some people should not be allowed to talk to the press :o

Particularly 'spokesmen' :D

Edited by Crossy

The virus was found on several Maxtor hard disks of various capacities bought on Monday. Kaspersky speculates they were infected during formatting in the factory.

Let me tell you how it works, you may find some stupidities in the article when you know what it is really about. Especially how stupid that spokesman was - he had no clue what is involved.

Formatting disks means "zeroing" them. There is a chamber with 3 areas:

Input: carts full of raw disks, about 100 of them on each

"Zeroing" machine - storage arrays with say 400 disk drive slots each

Output: carts where zeroed disks are offloaded onto and they go further for packaging.

At any time there could be 15-20 thousand disks in each chamber.

Each disk has a barcode on it and it is scanned at every stage of the process and stored in a database.

What may happen is - somebody can move a cart with disks from input to output area without zeroing them.

Many disks are "reconditioned" returns and if they had a virus or whatever on them it may have survived re-assembly and, without zeroing, hit the market.

That's what probably happened here. Somebody's infected disk that failed had been returned to the manufacturer who made a mistake in the process and re-injected them into the market.

It's such a massive number of disks going through (only 45 million PCs are sold per quarter, all their disks have to come from somewhere, add all the servers, storage arrays and loose disks sold on the market) that there is no room for someone pre-installing the viruses or whatever.

Possible but not very probable (not unlike dropping a lizard into a bottle of Coke while it is on the bottling conveyor): a malicious employee could have taken them home, infected them and returned them to the "output" cart without zeroing them. Even that is traceable, as the disks' serial numbers are logged - so even a scanned but not zeroed disk can be identified, as it won't appear in the "zeroing done" log on the zeroing array.

Finally, someone said "Seagate rubbish" - that's not fair.

At the high end, after Hitachi (who bought IBM's disk business) Seagate is the most trusted HDD vendor.

What Seagate should do here - trace all the disks that escaped zeroing and publish serial numbers on their web site.

They can obtain that list within hours if they want to.

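The trace described in the post above (compare the per-stage barcode scans with the "zeroing done" log) can be sketched as follows. This is an added example, not part of the original post or any manufacturer's system; the record layout, serial numbers and timestamps are constructed. It also covers the reconditioned-return case from the post: a disk zeroed on its first pass still shows up in the zeroing log, so the check has to be made per pass.

```python
from datetime import datetime

# Constructed sample data; the (serial, stage, time) layout is an assumption.
STAGE_SCANS = [
    ("SN-A001", "input",  "2007-09-03T08:00"),
    ("SN-A001", "output", "2007-09-03T14:00"),
    ("SN-A002", "input",  "2007-09-03T08:05"),
    ("SN-A002", "output", "2007-09-03T08:30"),  # cart moved straight to output
    ("SN-A003", "input",  "2007-06-01T08:00"),  # first pass, zeroed normally
    ("SN-A003", "output", "2007-06-01T15:00"),
    ("SN-A003", "input",  "2007-09-03T09:00"),  # returned and reconditioned
    ("SN-A003", "output", "2007-09-03T10:00"),  # shipped again, not re-zeroed
]
ZEROING_DONE = [
    ("SN-A001", "2007-09-03T11:00"),
    ("SN-A003", "2007-06-01T12:00"),
]


def naive_missing(stage_scans, zeroing_done):
    """Output serials that never appear in the zeroing log at all."""
    shipped = {s for s, stage, _ in stage_scans if stage == "output"}
    return sorted(shipped - {s for s, _ in zeroing_done})


def escaped_zeroing(stage_scans, zeroing_done):
    """Serials with any input-to-output pass that has no zeroing in between."""
    zeroed = {}
    for serial, ts in zeroing_done:
        zeroed.setdefault(serial, []).append(datetime.fromisoformat(ts))
    last_input, flagged = {}, set()
    # ISO timestamps of one format sort chronologically as strings.
    for serial, stage, ts in sorted(stage_scans, key=lambda r: r[2]):
        when = datetime.fromisoformat(ts)
        if stage == "input":
            last_input[serial] = when
        elif stage == "output":
            start = last_input.get(serial)
            done = zeroed.get(serial, [])
            if start is None or not any(start <= z <= when for z in done):
                flagged.add(serial)
    return sorted(flagged)
```

On the sample data the naive lookup reports only SN-A002, while the per-pass check also reports SN-A003, the returned disk that was zeroed once and then shipped again without a second zeroing.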
