That TomTom trojan

I’m not normally an investigative journalist – although I have nothing but admiration for the people who are – but as a technology journalist and consultant for more than 20 years, I’ve met a lot of people, and a lot of people know me. That’s how I came to break a major story online that spread quickly from my blog post to the front page of Slashdot and beyond, to be picked up by everyone from online news services and technology publications (PC Pro ran the story first online and in print last month) to a national newspaper or two. Here’s the story behind the story, how I broke the sad tale of the first virus-infected sat-nav device.

That TomTom trojan

It all started with an email from a PC Pro reader of many years, Lloyd Reid, an IT consultant who had reached the end of his tether with TomTom: “Hi Davey, I know I haven’t contacted you before and hope you don’t mind my copying you on that email to TomTom. I just had to do something about this and wasn’t getting any response from them. Thanks for all your columns over the years – they’ve been great bedtime reading!” The copied email was a complaint about a recent purchase of a TomTom GO 910 sat-nav unit which, immediately upon being connected to his PC to back up its integrated hard drive, triggered his AV software: it flagged two infected files on the drive, and they turned out to be not one but two distinct trojans.

On calling the TomTom support line, Lloyd was told these files weren’t used by the device and that he should just let his AV software delete them and “all would be fine”. As an IT consultant and regular reader of this column, he knew all was not fine and told them so, suggesting they investigate the matter. The support technician’s response was to tell him to log a request on the website, and to claim they weren’t dangerous trojans and wouldn’t crash his computer. Following a fruitless attempt to contact someone with a better awareness of security issues, Lloyd emailed TomTom’s IT helpdesk (and copied me in) in the hope that might “help you respond to my email with an adequate solution”. It did no such thing, of course, at least not directly.

It took me all of 30 minutes to discover a number of complaints regarding the presence of win32.perlovga.a and tr/drop.small.qp on the sat-nav’s hard drive, and a complete lack of meaningful support from TomTom. Most shockingly, these reports on specialist GPS support forums dated back to the beginning of December, yet there was no mention of the danger on TomTom’s website, no advisory and no guidance for users who may well have received the device as a Christmas gift, for example. My next move was to offer TomTom the opportunity to tell its side of the story, make amends and post a security advisory.

The UK PR team responded quickly to my request for an official statement and passed this to TomTom’s Netherlands HQ for attention, so that by the end of the following day I had the response, an official statement admitting that, “It has come to our attention that a small, isolated number of TomTom GO 910s, produced between September and November 2006, may be infected with a virus. The virus is qualified as low risk and can be removed safely with virus-scanning software. Appropriate actions have been taken to make sure this is prevented from happening again in the future.”

That was pretty much it, apart from removal advice to “allow the virus scanning software to remove the host.exe file, copy.exe file or any other variants”, and that “customers that do not have virus-scanning software are advised to install virus-scanning software”. Amazingly, though, there was still no sign of this statement or the scant advice it contains on the TomTom website. If the firm was hoping it would all just go away, it was in for a big surprise, because now citizen journalism took hold of events. I posted the story and TomTom’s full statement on my Inside Edge blog at DaniWeb, a US forum-based tech-support community I help to run.
This was on Sunday evening, and by Monday morning all hell had broken loose once the post had been picked up by Slashdot and quickly promoted to front-page status. By lunchtime, pretty much every online news, technology, gadget and motoring publication was covering it, the blogs were buzzing and TomTom at last published an advisory on its website. The fact that it took little old me and the combined power of the blogosphere to force that move is nothing short of shocking. The fact that the official TomTom customer newsletter, distributed a couple of days later on the Wednesday (of which I got a copy as a registered user), contained no mention of the situation was more shocking still.

But the story doesn’t end there. As a result of this media storm, I acquired a number of new contacts with stories to tell. While the sat-nav itself runs Linux, so the Windows executables can’t run on the device, its hard drive mounts on the PC as a removable disk and so acts as an efficient carrier, delivering the malware to a Windows machine the moment it’s connected for a data backup. As one security researcher – who asks to remain anonymous – revealed, there’s another bit of malware hiding on the device too, backdoor.win32.small.lo, which could be dropped onto your system, in theory at least, by tr/drop.small.qp. Although it might not do anything in this case, the mere fact that a backdoor is present makes it nonsense to rate this incident as “low risk”.

Martin Campbell, another new-found friend and one of the first to report the infected files to TomTom on 16 December, kindly sent me the logs of his customer support exchange. He’d discovered that the autorun.inf file on the drive had also been tampered with so that it launched copy.exe, and that Windows Explorer caches that autorun command for the volume in the Registry under:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2].

Martin’s experience was that even after allowing his AV software to disinfect both copy.exe and host.exe, the GO 910 drive couldn’t be double-clicked in Windows Explorer, because Explorer kept trying, and failing, to run the now-missing copy.exe that the cached entry still pointed at. Deleting the dropper does not clear that cached command, and the only way he found to get around it was manual deletion of the Registry entries, which is hardly something your average consumer would be able (or recommended) to attempt.
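To show what Martin was up against, here is a small triage script, added for this column and not code from TomTom or from any of the people quoted. The autorun.inf it parses is constructed to mimic the behaviour described (a file that launches copy.exe); it is not the real file from the GO 910, and the icon and label lines are invented. It lists which autorun.inf keys would actually make Explorer execute something, reports commands whose target has gone missing (the state Martin’s drive was in after his AV software removed copy.exe), and, on a Windows host, enumerates the AutoRun commands Explorer has cached under MountPoints2 so the stale entries can be found. The MountPoints2 subkey layout used (<volume>\Shell\AutoRun\command) is an assumption about Explorer’s cache, not something the column itself states.

```python
"""Triage an autorun.inf from a removable volume and spot stale autorun references.

Added example for this column; it is not TomTom's code and not the actual
autorun.inf from the GO 910. The sample file below is constructed to mimic
the described behaviour (launching copy.exe); the file names come from the
column, everything else is an assumption for illustration.
"""
import configparser
import sys

# autorun.inf keys that make Explorer execute a program (with AutoRun
# enabled) when the volume is inserted or double-clicked.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample: what a tampered autorun.inf of this kind looks like.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=copy.exe
shell\\open\\Command=copy.exe
shell\\explore\\Command=copy.exe
icon=tomtom.ico
label=TomTom GO
"""

# Where Explorer caches per-volume autorun commands, as named in the column.
MOUNTPOINTS2 = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower          # autorun.inf keys are case-insensitive
    cp.read_string(text)
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}


def executable_references(entries):
    """Commands Explorer would run: open=, shellexecute= and shell\\<verb>\\command=."""
    return {
        key: value.strip()
        for key, value in entries.items()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def dangling_references(commands, files_on_volume):
    """Commands whose target no longer exists on the volume.

    This is the state Martin ended up in: AV removed copy.exe, but the
    command still named it, so Explorer failed every time it was invoked.
    Returns {key: missing target}.
    """
    present = {name.lower() for name in files_on_volume}
    missing = {}
    for key, cmd in commands.items():
        target = cmd.split()[0].strip('"').lower()
        if target not in present:
            missing[key] = target
    return missing


def cached_autorun_commands():
    """On Windows, list the AutoRun commands Explorer has cached per volume.

    Reads HKCU\\...\\MountPoints2\\<volume>\\Shell\\AutoRun\\command (assumed
    layout). Returns [(volume, command)], or [] on non-Windows hosts.
    """
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MOUNTPOINTS2) as root:
        index = 0
        while True:
            try:
                volume = winreg.EnumKey(root, index)
            except OSError:
                break                   # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, volume + r"\Shell\AutoRun\command") as key:
                    found.append((volume, winreg.QueryValueEx(key, "")[0]))
            except OSError:
                continue                # this volume has no cached AutoRun command
    return found


if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN_INF)
    cmds = executable_references(entries)
    print("autorun would execute:", cmds)
    # Volume listing after AV quarantined the dropper (constructed).
    print("dangling after clean-up:", dangling_references(cmds, ["autorun.inf", "tomtom.ico"]))
    for volume, cmd in cached_autorun_commands():
        print("cached MountPoints2 command:", volume, "->", cmd)
```

Run against the sample, it reports three commands that all point at copy.exe, and once copy.exe is gone from the volume listing it flags all three as dangling. On a Windows PC, cached_autorun_commands() shows whether Explorer is still holding a command for a volume whose executable has been removed, which is exactly the Registry entry Martin had to delete by hand.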

The morals of this story are twofold. First, if you uncover a security lapse that might affect your customers, come clean and contact them, then put things right. Don’t bury your head in the sand or underplay the importance of such an incident – in the longer term, it will come back and bite you in the arse, as TomTom discovered. Second, don’t write off all blogs as the worst kind of vanity publishing – while many blogs are indeed of the “my dog was sick last night” ilk, among them are genuine examples of citizen journalism, corporate communication and the changing face of business and social networking in the 21st century. Ignore these points at your peril!

Meethalfway

Despite this new spectre of virus infection, for those of us who have to travel any distance during our work lives, sat-nav is no longer a luxury. I’d go so far as to admit that I’ve pretty much lost the ability to read a map, instead just doing as I’m told by the snooty, robotic-voiced dominatrix. I escaped from London Town close on 14 years ago to live the telecommuter’s dream in rural seclusion, but I still need to meet people face-to-face, so every now and then I find myself using one of the online route planners – and there are plenty to choose from – to get a rough idea of how far and how long it will take to get to somewhere new. While I enjoy driving on country roads, an old neck injury means I don’t enjoy long motorway hauls, which is why I was pleased to stumble across Meethalfway (www.meethalfway.com), which is quite unlike any other travel solution, route planner or mapping site I’ve seen. What’s more, it’s environmentally friendly, because it cuts down the amount of driving you need to do.
As its name suggests, Meethalfway builds on the age-old idea of meeting in the middle, something most of us have done before. For example, pick a service station on the motorway to meet up with a long-lost friend, so you share costs, time and mileage. Doing the same for business meetings has been rather problematical until now, and usually you end up biting the bullet and making the long-haul trip anyway. Meethalfway offers a clever combination of route planner, hotel and conference venue finder, and mapping system. It couldn’t be simpler to use, which is probably why I like it so much: enter the postcodes for both parties, then choose from a list of venues that fall halfway between them, measured either by distance or driving time. Venue type is highly flexible, from a simple meeting room for ten people to a hotel with Wi-Fi and disabled access, for example. As well as enabling you to book most venues online, and adding restaurants and other facilities to your itinerary if asked, the system will email maps and directions to both parties, showing how to get to the meeting place from any additional chosen venues and back home again.

The Sendmail interview

Chances are that, unless you’re a geek like me and proud of it, you’ll never have heard of Eric Allman. No, he wasn’t a member of the Allman Brothers, and he wasn’t on Derek and the Dominos’ recording of Layla – he’s much more important than that because he wrote Sendmail, and as such is the creator of our modern internet email system. Not surprisingly, I jumped at the chance of chatting with Allman during his recent visit to the UK as part of the Sendmail 25th anniversary celebrations. Actually, I need to confess that I was taken ill and so was unable to meet Eric face-to-face as planned, but this paved the way for a somehow quite appropriate conversation via email, which I thought I’d share with you here.

Davey: What has gone wrong with email since the early days when you were involved in creating Delivermail, which later became Sendmail?

Allman: The obvious answer is, of course, spam and viruses. Other problems are mostly unsurprising. Every time we come out with a new communication technology, we need to learn how to use it properly. People who flood your inbox with bad jokes are akin to the folks who can’t get to the point on the phone. But even if we got rid of all the spam and viruses and bad jokes, many of us would still be facing a major information overload problem. When I wrote Sendmail, most executives had a personal assistant to handle a lot of the details of the job for them. Now, many companies have eliminated that luxury to reduce overheads. Without a physical manifestation (such as stacks of paper), it’s easy to not realise that many (perhaps most) of us are getting totally overwhelmed.

Davey: So what can be done to put things right, Eric?

Allman: To make spam stop, you have to be able to shut down the spammers, and to do that you have to either make it too expensive to stay in business or make it possible to find them and successfully prosecute them. Making email more costly to send is probably a non-starter today: we’ve all become too accustomed to sending for free. It’s possible that a new, parallel ‘value add’ service might allow charging, in the same way that Federal Express co-exists with the regular postal service, but that’s yet to be seen. Finding and prosecuting spammers is also hard. First, traditional email doesn’t have adequate accountability in the form of authentication. I’ve been working on DKIM (DomainKeys Identified Mail) to enable email authentication and, although that isn’t a total solution, it’s an important step. But even if you can find where it came from, you may not know much. Many spammers have relocated their operations to countries that don’t take the problem seriously, or otherwise decline to co-operate with law enforcement from other countries.
Davey: Okay, then, is email as a viable business and social communication medium doomed and, if so, what’s likely to replace it?

Allman: No, I think email will survive, although it will evolve like any other technology. It hasn’t replaced physical mail or the telephone or the fax machine, although it’s modified how they get used. In the same manner, various forms of instant messaging will supplant some uses of email. Compliance is inevitable in most businesses, since it’s being imposed externally, and any regulated company will ultimately have to respond accordingly. Many companies will provide products and services to manage the problem. Trust is harder, since trust is earned, not imposed. The first thing legitimate companies can do is to authenticate their email. If I know a message is probably from my bank, I’ll probably be willing to let it into my inbox. But will I trust my online bookseller? That depends on whether it’s responsible in how it uses email. If they spam me, I probably won’t trust them. If they limit themselves to informative messages that give me value, I probably will trust them. Most of the issues around trust aren’t technology related.

Davey: Where does Sendmail fit into this viable future of the email equation? What’s happening on the technology side of the fence that can make email better for everyone?

Allman: The open-source Sendmail software remains a favourite piece of email infrastructure on the network today, and it has hooks to allow vendors or other open-source projects to integrate their work. On the commercial side, Sendmail Inc continues to provide major enhancements, some freely distributed as open source, to enhance the email world. For example, our DKIM module is available as open source. We also sell business solutions, including anti-spam and anti-virus, compliance tools, privacy extensions (such as encryption) and, of course, authentication.

Davey: Can you talk a little about your feelings towards the mobile phone effect, and whether email is losing out to SMS as far as the text-obsessed younger generation is concerned?

Allman: Some email will undoubtedly move to text messaging, just as some people send email rather than pick up a telephone. But the telephone remains viable and probably will indefinitely. Some messages are appropriate for short text messages, and sometimes you want more. For example, in business, I often need to send around large documents that would be unwieldy on a mobile phone. At the same time, mobile technology makes email even more useful by providing mobile access. Consider the popularity of wireless email devices such as the BlackBerry as an obvious example.

Davey: And, finally, could you give PC Pro readers a bit of advice for making their experience of email a safer and more satisfying one?

Allman: Know when to send an email, when to use IM, when to pick up the phone and when to write a letter. There’s a time and a place for everything. I also strongly recommend against using any of these technologies late at night, especially when alcohol is involved…
