In light of the recent story regarding hackers loading viruses onto PCs in the factory, David Harley, senior research fellow, ESET and Mark James, technical team leader, ESET UK made the following comments:
David Harley, senior research fellow, said, “This isn't just a known factory-specific attack like the Rakshasa Proof of Concept attack, but an attack delivered via unsecured supply chains, which means anywhere from the factory that assembled the PC (potentially even before that, if the factory sources components from outside, though I don't know how often PC factories buy in pre-imaged hard disks) to the retailer from whom the customer received it, including wholesalers (and even transport providers, in theory). More often than not, the customer doesn't know much about the origins of the system he buys, let alone the supply chain by which it reaches him.
“Of course, it's possible for a system to be compromised at the factory, and not necessarily deliberately: I remember early in my AV admin days checking a couple of factory-fresh PCs for the IT department I worked in and discovering at first bootup that they were already infected with Michelangelo. Not a big problem for us, but the supplier was mortified. Nowadays, though, it's far more complicated. In this case, the malware is capable of spreading via USB devices, so if an imaged disk wasn't actually protected before it was despatched - as presumably it wasn't - intentional or inadvertent infection would be all too easy.”
Mark James, technical team leader, said, “It seems the logical place to start, if at all possible, from the malware writer's point of view; a lot of "home" users would just un-box and switch on, with antivirus software typically being one of the later items people consider installing once the machine is up and running, usually expecting it to be preloaded from day one. If the machine is already infected and talking to the outside world, the end user may be unaware and accept any strange occurrences as "normal for a new machine". Often the end user notices when a new machine becomes "infected and slower", but in this scenario may not notice until a specific problem arises. Apart from installing the operating system (OS) yourself and installing a good antivirus from day one, there is not a lot users can do to protect against this type of abuse and, to be honest, this is often beyond the limits of the average home user. I would hope a business environment would have a procedure in place to test new machines for any kind of infection, using a good antivirus program, before they are added to the domain or work environment.”