What's playing on an iPod near you? Apple and the Windows worm
The news that Apple shipped iPods containing malware came as a bit of a surprise yesterday. After all, you expect a company like Apple to have plenty of safeguards and checks and balances in place to prevent this kind of thing happening. The truth is however that a chain is only as strong as its weakest link and putting your trust in someone else's chain is rarely a good idea.
This shows yet another serious crack in the Apple manufacturing processFirst, some information. The malware shipped by Apple to iPod customers is called RavMonE.exe. It also goes by other names, for example Win32.RJump.a, Backdoor.Rajump, W32/Jisx.A.worm, WORM_SIWEOL.B, Troj/Bdoor-DIJ. Trend Micro has a pretty good writeup of its capabilities:
This worm propagates via mapped drives. It lists all mapped drives on an affected system and drops several files in the root folder. It also propagates via removable drives such as flash disks and floppy disks.
It has backdoor capabilities. Using random ports, it connects to a remote user. Once a connection is established, the remote user issues commands on the affected system.
This malware made its way onto Video iPods available for purchase after September 12, 2006. If you bought a Video iPod after that date, there is, according to Apple, a "less than 1%" chance that your iPod is home to the malware. Apple is playing the numbers game here and attempting to minimize the scale of the problems. If you play the lottery or have every gambled at a casino then you obviously believe that odds far lower than 1 in a 100 are significant enough to bet money on. The iPod nano, iPod shuffle and Mac OS X users are not affected, and all Video iPods now shipping are virus free. With 8 million iPods shifted by Apple in the third quarter, less than 1% starts to mount up.
Apple then goes on to take a cheap shot at Microsoft:
As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.
I don't know. Some people think that is cute or funny, but really it's another marketing trick, this time called reframing. You take the situation you are in and try to deflect the problem onto someone else. If Apple doesn't want to do business with Windows users then there's a very easy way that it could do that - withdraw support in iTunes for Windows. While the company continues to want to do business with Windows users they have a duty to treat this issue seriously. That statement proves to me that Apple aren't taking security seriously and have little respect for their customers who choose to use the Windows platform. It shows yet another serious crack in the Apple manufacturing process ... but that's another story entirely.
Apple have been economical with information about this issue but it seems to me that this malware is triggered as soon as the device is connected to a PC as long as AutoPlay is enabled on the system for that drive. Most users have this enabled by default in Windows because it is seen as a convenient system mechanism - but it's open to abuse. Because of that it's a good idea to disable AutoPlay and AutoRun because that puts you in the driving seat and allows you to control what is run and when. For information on how to disable this in Windows XP, check out this post.
If you are worried that your iPod is playing host to this nasty malware, McAfee have released a new version of their Stinger removal tool. McAfee Stinger is a free standalone utility tool that can detect and remove specific viruses, including the W32/RJump.worm, also named RJump.worm and the W32/QQPass.worm, also named QQPass.worm.
This incident also highlights the importance of scanning all your devices for malware. Just because a device has come from Apple or Microsoft or any of the other big names doesn't mean that it's clean. Always scan new storage devices with an up-to-date antivirus solution. Don't leave this kind of thing to chance.
Removable storage media is also a headache for businesses. While it might be hip to allow employees to hook up their iPods or other removable media to a company PC, it's not a good idea. Not only are they a vector for malware, but they can allow data to leak out of the company. It's one of those things where you have to outweigh the risks against the benefits (almost always the risks outweigh any possible benefits).