Saturday, June 28, 2008

Insignia NS-DPF10A 10.4" Digital Picture Frame

Here's the box as it was purchased from eBay.

Good packaging, except that if any weight were placed on the middle of the box, the frame would definitely break.

Here's everything that comes in the box.

If you don't like brown then you can go with the default black frame.

This digital frame, per the manual, claims to have 256MB of onboard memory, plus about three other card slots for expanding or plugging in media. To add content (pictures or movies) to show on the frame, simply plug it in via firewire-to-USB to a laptop or desktop, open the shared device, and drop the content onto it.

Here's what a Windows user would see using the default view settings: just the pictures.

Looks clean, but really it's not. By default the auto-start feature is enabled, so Windows has already run a file called autorun.inf, which in turn launched another file called server.exe, which works together with and calls copy.exe. Oh really? Where are these files?

Malware and bots have gotten sneakier and abuse some of the user-experience features of Windows, in particular the hidden and system file attributes.

Simply choose to show hidden files, file extensions and operating system files...

... and suddenly the files I mentioned above are revealed!

For those a bit more versed in the old MS-DOS command shell, you can run the command "dir /ah" (list all hidden files) and you'll see the same files.

And to see the second trick I mentioned, setting the system attribute plus making the files read-only and therefore resistant to standard deletion, we can run "attrib" (list files and their attributes) and voila...
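As an added example (not the author's own tooling, and not part of the original post), here is a small Python triage script that automates the two checks above from a defender's side: it parses an autorun.inf for the executables it would launch, and it flags files carrying the Hidden + System (+ Read-only) attribute combination that keeps them out of the default Explorer view. The sample autorun.inf and attribute table are constructed to mirror what the post describes (server.exe, copy.exe); the frame's real autorun.inf is not reproduced in the post, so its exact contents are an assumption.

```python
"""Triage a removable drive for the autorun.inf plus hidden/system trick.

Added example for this post, not the author's own code. It assumes the
pattern the post describes: an autorun.inf that launches an executable,
with the dropped files cloaked behind Hidden + System (+ Read-only).
All sample data below is constructed for illustration.
"""
import configparser
import os
import re
import sys

# Win32 file attribute bits (values as defined by the Windows API).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_ARCHIVE = 0x20

# autorun.inf keys that make Windows launch a program. "shell\<verb>\command"
# entries are matched by regex because the key itself contains backslashes.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def launch_targets(autorun_text):
    """Return the program names an autorun.inf would launch, in file order."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case; comparisons below ignore case
    parser.read_string(autorun_text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    targets = []
    if section is None:
        return targets
    for key, value in parser.items(section):
        if key.lower() in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            # Keep only the program; any arguments follow the first space.
            program = value.strip().split()[0] if value.strip() else ""
            if program and program not in targets:
                targets.append(program)
    return targets


def attrib_letters(attrs):
    """Letters for an attribute mask, in the order S, H, R, A."""
    return "".join(letter for bit, letter in (
        (FILE_ATTRIBUTE_SYSTEM, "S"), (FILE_ATTRIBUTE_HIDDEN, "H"),
        (FILE_ATTRIBUTE_READONLY, "R"), (FILE_ATTRIBUTE_ARCHIVE, "A"),
    ) if attrs & bit)


def is_cloaked(attrs):
    """Hidden + System together is what hides a file from the default view."""
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) and bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def assess(autorun_text, file_attrs):
    """Correlate autorun targets with cloaked files.

    file_attrs maps file name -> attribute mask. Returns a sorted list of
    (name, reasons) for every file worth a closer look.
    """
    targets = {t.lower() for t in launch_targets(autorun_text)}
    findings = []
    for name, attrs in sorted(file_attrs.items()):
        reasons = []
        if name.lower() in targets:
            reasons.append("launched by autorun.inf")
        if is_cloaked(attrs):
            reasons.append("hidden+system")
        if reasons and attrs & FILE_ATTRIBUTE_READONLY:
            reasons.append("read-only")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    return findings


def read_attributes(root):
    """Attribute masks for files directly under root (Windows only)."""
    result = {}
    for name in os.listdir(root):  # listdir also returns hidden files
        st = os.stat(os.path.join(root, name))
        result[name] = getattr(st, "st_file_attributes", 0)
    return result


# Constructed sample mirroring the post: autorun.inf launches server.exe and
# the dropped files carry Hidden + System + Read-only; the jpg is a normal file.
SAMPLE_AUTORUN = """[autorun]
open=server.exe
shell\\open\\command=server.exe
icon=server.exe
"""
CLOAKED = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY
SAMPLE_ATTRS = {
    "autorun.inf": CLOAKED,
    "server.exe": CLOAKED,
    "copy.exe": CLOAKED,
    "DSC_0001.jpg": FILE_ATTRIBUTE_ARCHIVE,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python triage.py E:\  on a Windows host
        root = sys.argv[1]
        inf = os.path.join(root, "autorun.inf")
        text = open(inf, encoding="utf-8", errors="replace").read() if os.path.exists(inf) else ""
        attrs = read_attributes(root)
    else:
        text, attrs = SAMPLE_AUTORUN, SAMPLE_ATTRS
    for name, why in assess(text, attrs):
        print(f"{attrib_letters(attrs[name]):<4} {name:<16} {why}")
```

Run it with the drive letter of the mounted frame on a Windows machine (with autoplay already turned off, so the triage itself does not trigger the autorun); without an argument it evaluates the constructed sample, which is also all it can do on non-Windows hosts since `st_file_attributes` only exists there.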

So for the files mentioned, we've written new descriptions that link them together under one understandable name: WORM_PERLOVGA.G.

Essentially, the infection on the Insignia is the middle of a second-stage attack. Everything starts with a drive-by download from the web of TROJ_DROPPER.CFV, which pulls down BKDR_SMALL.DDE, which in turn grabs the WORM_PERLOVGA.G package online, and here we are.
