Malware's new infection route: photo frames

In 2007, Sam's Club also sold infected frames over the holidays, according to customers who bought them, as did Best Buy, Target and Costco. Sold at Sam's Club, the ADS Digital Photo Frame - 8" has reportedly been the vector for cases of malware after a Bethesda research institute specializing in information security reported cases of computers being infected by digital photo frames. Photo: Mike Kepka, San Francisco Chronicle

It wasn't a pretty picture when Rick Sandy plugged in the digital photo frame his wife had given him for Christmas.

When he started downloading pictures to the device, his computer froze. He restarted it, and his Norton anti-virus software went blank. Then, the files that controlled his computer disappeared. And Sandy - an information technology expert himself - was shut out of his own machine.

"It was the nastiest virus I've ever encountered," said Sandy, who spent 12 hours rebuilding his computer.

Sandy's experience was an example of how the continually adapting world of cyberhackers is spreading its tentacles from computers to the electronic devices that plug into them.

Malicious software code has turned up on a wide range of popular electronics, from digital photo frames to compact flash cards to MP3 players - even MP3-playing sunglasses - and retailers are scrambling to respond.

Nobody knows how widespread the infections are. Best Buy said it received about two dozen complaints this week after it posted notices on the Web that it sold some infected photo frames over the holidays under its Insignia brand. The frames were infected during manufacturing. One line, the 10.4-inch frame, has been discontinued.

Sam's Club, where Sandy said his wife bought his frame, is investigating the incident, a spokeswoman said, but has found no other infected frames.

Security researchers at SANS, a computer security research and education organization in Bethesda, Md., say the infections are part of a dangerous trend. They started asking people to report them on Christmas Day, after a different consumer told the SANS Internet Storm Center that he'd received an infected photo frame as a Christmas gift.

So far, the researchers have collected five reports of infected photo frames bought at Sam's Club and half a dozen reports of other infected devices, all of which plug into Windows PCs through a USB port, said Marcus Sachs of SANS.

Security experts say buyers should be aware that digital devices have more computing power than they once had and can run automatically when plugged into a PC. To be sure, digital photo frames are computers unto themselves. The high-end models have wireless access - allowing people to ship photos around a home network - and a gigabyte of memory, an amount unheard of in portable devices just two or three years ago.

Although infected devices have turned up before - Apple in 2006, for example, shipped video iPods that were infected with a Windows virus during manufacturing - the malware is getting nastier.

Whatever infected Sandy's computer was smart enough to prevent him from downloading any anti-virus programs after his Norton software failed. Using another computer to run a Google search on the name of the infection he found led him to three Chinese-language Web sites.

Best Buy didn't provide the name of the malware that infected its frames, but said the bad code was detected and contained by up-to-date anti-virus software.

Sam's Club's supplier, Advanced Design Systems in Tuscaloosa, Ala., has found no infected frames at Sam's Club or its manufacturer in China, said Vice President Tommy Randolph. However, ADS is still investigating and has checked hundreds of frames out of the hundreds of thousands sold.

"It makes you aware that whatever you do in prevention, you have to double it," he said.

ADS does not supply Best Buy with frames, nor does it share manufacturers.

SANS also received a report of an infected Seagate hard drive - a shrink-wrapped 250GB Maxtor External One Touch Backup - purchased at a RadioShack and then returned. Both RadioShack and Seagate said they were unaware of the problem.

Seagate did discover some contaminated hard drives in September - a different model - when test machines in one of its manufacturing plants in China were infected with malware that collected passwords for online games and shipped them to a server.

Since then, however, Seagate has tightened processes in all its manufacturing plants and has restricted access to the test machines, which are not connected to the Internet, said BenHur Castro, a senior director of product line management. He has no new reports of infected drives.

A RadioShack spokesman said "products get returned all the time for various reasons," and RadioShack doesn't engage the manufacturer unless there is a "pattern of problems" with a unit.

One difficulty in tracking down these infections is that people don't always report them, said Roel Schouwenberg, a senior researcher at Kaspersky Lab, an anti-virus vendor headquartered in Moscow.

Schouwenberg discovered Seagate's infected hard drives last year, as well as infected MP3 players made by Victory Nederland in Holland, after customers reported their problems to Kaspersky.

When people do report infections, he said, they tend to call their anti-virus vendors. "For these affected companies," he said, "it's something totally new to have shipped out infected devices."