Who scans the scanners?
Some Chinese-manufactured shipping-barcode handheld scanners — of the type used by many United States retailers and warehouses, as well as delivery services such as UPS and FedEx — were found to have sophisticated spyware preloaded on them, according to San Mateo, California-based security company TrapX. Dubbed "Zombie Zero," the information-stealing malware is likely part of a state-sponsored industrial-espionage campaign.
The malicious software lives in the scanners' Windows XP Embedded operating system, according to TrapX's report. When a handheld scanner joins a company's Wi-Fi network, the Zombie Zero malware activates, attacks company servers and steals information ranging from shipping manifests to corporate secrets, sending all of it to servers in China.
TrapX was able to trace Zombie Zero back to a Chinese factory that sells proprietary shipping and logistics scanning hardware and software to companies around the world. Eight unnamed companies recently received scanners with advanced malware pre-installed on them.
In stage one of a Zombie Zero attack, the malware uses a number of advanced tricks to break out of the handheld scanner and infect a targeted company's servers. It then seeks out servers with the word "finance" in the host name, in order to locate corporate financial data, customer data, shipping and manifest information, and more.
In stage two, Zombie Zero connects to command-and-control servers in China to download more malware onto the compromised servers; that second-stage malware then sets up a local command-and-control server inside the infected company's own network.
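The two-stage behaviour described above is noisy on the network, and the scanners have a very small set of legitimate peers, which is what a defender can use. The script below is an added example and is not code from the article or from TrapX's report: it runs a simple allow-list check over a constructed connection log from a scanner Wi-Fi segment, flagging connections to hosts whose name contains "finance", connections to external addresses (a possible command-and-control channel), connections to any other internal host (lateral movement) and inbound connections to a scanner. The VLAN layout, addresses, hostnames and log format are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Assumed network layout (an assumption for this example, not from the
# article): scanners sit on their own Wi-Fi VLAN and legitimately talk to
# exactly one warehouse-management (WMS) / shipping server.
SCANNER_NET = ip_network("10.50.0.0/24")
ALLOWED_PEERS = {ip_address("10.10.1.20")}      # the WMS / shipping server
INTERNAL_NETS = (ip_network("10.0.0.0/8"),)
SENSITIVE_NAME = re.compile(r"finance", re.IGNORECASE)

# Constructed connection log (invented addresses and names) in a made-up
# format: "<ts> <src>:<sport> -> <dst>:<dport> <dst-hostname or ->"
SAMPLE_LOG = """\
2014-07-10T08:00:01 10.50.0.17:49152 -> 10.10.1.20:443 wms01.corp.example
2014-07-10T08:00:05 10.50.0.17:49153 -> 10.10.1.20:443 wms01.corp.example
2014-07-10T08:02:11 10.50.0.17:49160 -> 10.10.3.5:445 finance-db.corp.example
2014-07-10T08:02:12 10.50.0.17:49161 -> 10.10.3.6:445 fileserver.corp.example
2014-07-10T08:05:40 10.50.0.17:49170 -> 203.0.113.10:443 -
2014-07-10T08:06:02 10.50.0.42:49201 -> 10.10.1.20:443 wms01.corp.example
2014-07-10T08:06:03 10.10.3.6:52000 -> 10.50.0.17:8080 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<name>\S+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str
    severity: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: Dict[str, str]) -> Optional[Alert]:
    """Apply the allow-list rules to one connection record."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    dport = int(rec["dport"])

    def alert(reason: str, severity: str) -> Alert:
        return Alert(rec["ts"], str(src), str(dst), dport, reason, severity)

    if src in SCANNER_NET:
        if dst in ALLOWED_PEERS:
            return None                       # the only expected traffic
        if not is_internal(dst):
            return alert("scanner connected to external host (possible C2)", "high")
        if SENSITIVE_NAME.search(rec["name"]):
            return alert("scanner connected to finance-named host", "critical")
        return alert("scanner connected to unexpected internal host", "medium")

    # A scanner should never act as a server for anything but the WMS.
    if dst in SCANNER_NET and src not in ALLOWED_PEERS:
        return alert("inbound connection to scanner from non-WMS host", "medium")
    return None


def scan_log(text: str) -> List[Alert]:
    """Run every line of the log through the rules, keeping alerts in log order."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        a = classify(rec)
        if a is not None:
            alerts.append(a)
    return alerts


def suspicious_scanners(alerts: List[Alert]) -> Set[str]:
    """Scanner addresses that appear in any alert, as source or destination."""
    out: Set[str] = set()
    for a in alerts:
        for ip in (a.src, a.dst):
            if ip_address(ip) in SCANNER_NET:
                out.add(ip)
    return out


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.severity:8} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

The same rules can be expressed as firewall policy on the scanner VLAN (permit only the WMS server, deny and log everything else), which is what stopped the first attempt in TrapX's case study; the log check is what tells you the device is trying, and which devices to pull off the floor.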
TrapX determined that one of the remote command-and-control servers was located in the Lanxiang Vocational School in Jinan, Shandong, China, south of Beijing, and the other was located at a facility in Beijing itself.
TrapX notes that the scanner factory is located near the Lanxiang Vocational School, previously linked to the Operation Aurora cyberespionage campaign that stole information from dozens of major American corporations in 2009. (Only a few companies, including Google and Adobe Systems, have admitted being targeted by Operation Aurora.)
In its report, TrapX focused on one unnamed manufacturing company that used 48 scanners made by the Chinese factory in question, 16 of which were infected. An internal firewall initially stopped the scanner-based malware from spreading through the company network, but the malware adapted its attack method and succeeded on a second try.
The targeted company had installed security certificates for network authentication on the handheld scanners. But because the malware was already on the devices, the certificates were "completely compromised," TrapX said: a device certificate only proves that the device holding its key is an approved device, not that the software running on it is trustworthy, so it authenticated the malware's traffic just as readily as legitimate scanning traffic.
By the end of Zombie Zero's attack on the company, "exfiltration of all financial data ... was achieved, providing the attacker complete situational awareness and visibility into the logistic/shipping company's worldwide operations."
TrapX said the malware wasn't only on the handheld scanners. It also found malware in scanner software available for download from the Chinese manufacturer's website, possibly putting more companies than the originally targeted eight at risk of a "zombie" infection.
This isn't the first time that a Chinese product has been found with malware pre-loaded on it. Last month, the Android smartphone Star N9500, a Samsung Galaxy S4 knockoff, was found to have spyware baked right into its operating system.