We purchased a machine from China and it came with malware preinstalled

The malware is a cherry on top, but the story before that is pretty awful already, and unfortunately seems to be representative of specialized software like that: proprietary (with constant risk of malware, indeed), awkward, poorly (if at all) documented, likely the protocols to speak to the hardware without it are kept in secret, and occasional shipment of Windows machines where just software would do (but probably it&#x27;s written to just barely work on a given system, and won&#x27;t run on others easily).<p>I think the main and annoying problem is those general practices, not just a single instance of malware.<p>Edit: Apparently some focus on the &quot;Chinese&quot; part, but I suspect that hardware being specialized and software being shipped by the hardware manufacturer are larger factors here: at least all the awkwardness before the malware part I&#x27;ve observed to be approximately similar with hardware+software produced by Chinese, European, and US companies.

Given that Windows 7 _Ultimate_ was installed on what is essentially an OEM machine, it&#x27;s very likely that it&#x27;s a pirated copy with a &quot;home brewed&quot; license key.<p>I think the most reasonable explanation is that either the OS was sourced already infected, or the crack tool they used was infected.

The story here is not the fact of the malware - it is the purpose of the malware: industrial espionage. China is well-known in industry for its sheer volume and brazenness of industrial espionage. A pick-and-place machine is especially well placed for this since it will, by necessity, have access to PCB designs and BOMs.

The malware analysis report they&#x27;ve ordered (<a href="https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;files&#x2F;pdf&#x2F;Malware-analysis-FlyerSMT_HV-zhengbang.pdf" rel="nofollow">https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;files&#x2F;pdf&#x2F;Malware-analysis-Fly...</a>) is extremely light on details.<p>Yes, some things look suspicious (packing, lack of signatures, hardcoded IP addresses&#x2F;hostnames, network traffic) - but I&#x27;m not seeing any clear-cut evidence that this is malware?

A decade ago, an article [1] was published in the Russian &quot;Hacker&quot; magazine where the author alleged that a Russian OEM manufacturer&#x27;s motherboard sourced from China had a BMC chip (which should&#x27;ve been disabled as per the mobo spec) inject a hypervisor into the host machine.<p>It was, again, allegedly, discovered because the author was developing some kind of distributed computing software that required a hypervisor of its own, and this exact mobo was crashing in a way that was consistent with a hypervisor being already present. The author goes further to describe how he devised a way to consistently detect hypervisors by measuring platform register access timings, and tried to report the findings to the FSB (Russian CIA&#x2F;FBI) to no avail.<p>I personally don&#x27;t put much stock in the story, as the magazine was a rag and I could come up with something like that at the time, but there it is.<p>[1] <a href="https:&#x2F;&#x2F;xakep.ru&#x2F;2011&#x2F;12&#x2F;26&#x2F;58104&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xakep.ru&#x2F;2011&#x2F;12&#x2F;26&#x2F;58104&#x2F;</a>

I am more than a little concerned that since the miniaturization and commoditization of spy hardware (miniature microphones, cameras, and wireless communication), that run-of-the-mill consumer electronics are being bugged by default. Given the cost is pennies or just a couple dollars, from an espionage perspective, it&#x27;d be worth it to spend a few hundred million or even billion putting bugs into literally everything and letting the market put them into the homes of all your political targets in other countries. Then the problem is just sifting the data, which is easy with the massive amount of computational power that every nation state has these days. That&#x27;s a great dystopia.

<a href="https:&#x2F;&#x2F;archive.is&#x2F;DIrdx" rel="nofollow">https:&#x2F;&#x2F;archive.is&#x2F;DIrdx</a>

&gt; AliExpress Says Malware is OK [...] They stated that it does not breach their terms and that no action will be taken.<p>I&#x27;m sure many things don&#x27;t explicitly breach their terms, but surely I expected there to be a catchall that would include malware. Of course, their terms are to protect AliExpress, and not the consumer, so it doesn&#x27;t look like they&#x27;d wanna go above and beyond on that end, but I hoped they&#x27;d at least care about customer satisfaction.

I&#x27;ve bought systems off of Amazon that had pirated Windows licenses on them (otherwise a great little fanless box)<p>In a previous life I was an infosec consultant. We did some work for a hospital that found malware on the control hosts shipped with a brand new turnkey MRI system from a German manufacturer.

If you can’t load the article, the machine is a desktop pick-and-place for populating PCBs and the malware is flagged as a backdoor&#x2F;Trojan for remote access.<p>As these desktop pick and place machines come down in price, I hope that the OpenPnP software package becomes more developed: <a href="https:&#x2F;&#x2F;openpnp.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;openpnp.org&#x2F;</a> It was originally intended for full DIY PnP machines, but it’s a perfect candidate for converting these existing machines to open source software control.

So they bought a machine from a brand they have never heard of off AliExpress to save a little money, and it was infected with malware. Color me surprised...

Chinese phones sold here were found to not only send telemetry to Chinese IP&#x27;s, some of them send SMS&#x27; to paid services, register Telegram accounts, etc. It&#x27;s like a botnet.<p>Here&#x27;s the article: <a href="https:&#x2F;&#x2F;habr-com.translate.goog&#x2F;ru&#x2F;post&#x2F;575626&#x2F;?_x_tr_sl=ru&amp;_x_tr_tl=en&amp;_x_tr_hl=ru&amp;_x_tr_pto=wapp" rel="nofollow">https:&#x2F;&#x2F;habr-com.translate.goog&#x2F;ru&#x2F;post&#x2F;575626&#x2F;?_x_tr_sl=ru&amp;...</a>

I do wonder if this really was sabotage or if someone building these machines accidentally got their installer USB infected with some unrelated malware. If this was a targeted attack, I&#x27;d expect the manufacturer to ship the infection in the zip file with the replacement program as well.<p>The old components and the lack of modern drivers is a problem many industrial tools seem to suffer from. It&#x27;s crap like the bad capture card that keeps Windows XP and 7 around. I don&#x27;t expect there ever to be any modern drivers for an outdated capture platform unless a hobbyist writes their own open source version, so unless a compatible enough alternative card with modern drivers can be installed, I assume this machine is doomed to run Windows 7 for years to come.

&gt; Presumably it would be a way to steal company information such as designs, accounts, and so on.<p>Does it collect user metrics like a lot of software does or does it actually steal designs? The report is absolutely not clear about this. I have not read many reports like this but are they all like the one they link to? Is that what a malware analysis looks like?<p>I&#x27;m completely behind the idea of calling every single software that collects user data and sends it off to a server malware but this is just not the case. We don&#x27;t say Windows comes with malware, we in the West call it telemetry data to improve the user experience.

I always wondered, how safe from tampering during manufacturing are devices &#x27;designed in US&#x2F;Europe&#x2F;etc&#x27; that are built in China? Can anyone shed some light on the processes&#x2F;practices that keep these devices safe, both from HW and SW points of view?

&quot;The malware would collect user data and send it to a remote address.&quot;<p>unpopular question, but how is this any different than mistakenly forgetting to disclose &#x27;telemetry&#x27; in your code? or backdoors that routinely get disclosed in US embedded hardware products like firewalls and routers? or Discord scanning your entire hard disk? Ill admit the product seems pretty poorly designed from the get-go, but the tactics at work here are pretty standard when you consider things like Alexa and Ring get a pass for similar chicanery.

About 8 years ago one of our devs purchased a couple Android tablets from China to test if they would work as a host for Smoothieware (and&#x2F;or 3d printers). It had malware prebundled at the ROM level. You could not remove it by wiping Android (IIRC..our dev that tracked the issue said he had to block what it was doing). The tablet forced your homepage...regardless of what you set it to...and I believe he said it was phoning home info...likely wifi credentials...etc.<p>It started me off on the thought process of &quot;How many other things can be compromised?&quot; SD cards with fake&#x2F;hidden partitions? MCU counterfeits with entire subsystems?<p>IMHO...anything with an ethernet port, wifi, bluetooth...or anything that is able to at any time connect to those things needs to be watched.

Bought a system on Ali Express to save money, the parts don&#x27;t match what they ordered, it is infected with a virus designed to steal their data and infect executables on any USB device plugged into it to spread the infection. Ali Express says computers with viruses on them aren&#x27;t against terms of service. They for some reason continue to use the system and try to get it to work.<p><i>£4k GBP...relatively low cost compared to a branded competitor...We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address.</i>

As much as that sucks, it&#x27;s not all that surprising. You decided to try to undercut everyone else who desired a living wage. That&#x27;s not to say getting infected with malware is &quot;what you deserved&quot;, nobody should have their security compromised. What I&#x27;m saying is that you compromised your security by not working with people you can trust, people who are asking for a living wage and thus don&#x27;t have to resort to putting malware into the products they create.<p>People in China aren&#x27;t bad people, they&#x27;re just people put into a tough situation. It&#x27;s plenty easy to get good quality products out of China, just like anywhere else. The problem is that few people are willing to pay the real price for products, they want cheap regardless of consequences.<p>As someone also in the electronics design and manufacturing space I find this type of behavior very troubling. I demand what I consider a fair wage for my work and in return I also try to support other people in the industry also getting a fair wage. If all you do is buy the cheapest possible services you are really telling others they should do the same and not support you. The only solution I see is to stop pushing the costs of your business onto others that can&#x27;t afford it. Go buy quality used hardware from people you can trust rather than complaining that a former colony of yours is trying to steal something from you.

I bought a laptop once. It came with windows pre-installed. And a bunch of bloatware. And 101 things that phoned home under the guise of checking that a driver was up to date. And Norton. The definition of malware is open to large interpretation.

Since the site seems to have been hugged to death, here is the link to an archived version from a few days ago: <a href="https:&#x2F;&#x2F;archive.md&#x2F;DIrdx" rel="nofollow">https:&#x2F;&#x2F;archive.md&#x2F;DIrdx</a>

Moving manufacturing back to our home countries (assuming a mostly Western audience here) is important not just for economic reasons but also for health, safety, and security. Trying to do so might get you called a racist, but it might depend on what political party is giving it a shot. This is an old problem and too little is being done about it.

I remember I bought a few phones from Aliexpress once for one of my IoT projects. I was somewhat surprised they don&#x27;t really hide the malware, it&#x27;s preinstalled. These are not just the usual bloatware you can&#x27;t install but also the main web browser already modified injecting random crap.

<a href="https:&#x2F;&#x2F;archive.fo&#x2F;DIrdx" rel="nofollow">https:&#x2F;&#x2F;archive.fo&#x2F;DIrdx</a>

Hackaday covered this recently too:<p><a href="https:&#x2F;&#x2F;hackaday.com&#x2F;2022&#x2F;01&#x2F;22&#x2F;zhengbang-pick-places-your-confidential-data-in-the-bag-slowly&#x2F;" rel="nofollow">https:&#x2F;&#x2F;hackaday.com&#x2F;2022&#x2F;01&#x2F;22&#x2F;zhengbang-pick-places-your-c...</a>

Is this anything new?<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Sony_BMG_copy_protection_rootkit_scandal" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Sony_BMG_copy_protection_rootk...</a>

China isn’t a single thing… treating it as such creates a tribalistic atmosphere that’s good for no-one at all…

Thank you! We receiced ZhengBang pick and place machine last week and did nit have the time to unpack it yet. We will definitely be careful now.

Website is returning an error. Here&#x27;s a web archive link<p><a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20220125124520&#x2F;https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;general&#x2F;zhengbang-zb3245tss-pick-place-machine" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20220125124520&#x2F;https:&#x2F;&#x2F;www.rmcyb...</a>

The “proper malware analysis” had me cracking up. I really hope they didn’t pay any significant amount of money for that.

I&#x27;ve just passed the 20 year anniversary of my arrival in China. Having lived in at least eight cities over that period and traveled broadly, I would strongly caution against assuming this is a deliberate attack by the vendor, much less the government. The vast majority of Windows instances in China are sourced from pirated distribution media and it is usual for those to be infected. This affects everyone domestically, not just machines shipped out. Furthermore, most apps are pirated with the same issues. Finally, many people&#x27;s thumb drives touch a plethora of dirty machines (printing shops that support the still largely paper-driven bureaucracy, photography shops, work and home PCs, etc.) and thus are excellent vectors for malware. As usual, Hanlon&#x27;s razor: resist over-attribution to malice.

At this point how can they trust any installers they get from the company?<p>The risk the manufacturer bundling some &quot;legitimate&quot; remote access tool that won&#x27;t show up as a virus seems high to me. Once burned twice shy.

The author&#x27;s website also has an interesting collection of science gadgets - tesla coils etc.<p><a href="https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;science&#x2F;diy-projects" rel="nofollow">https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;science&#x2F;diy-projects</a>

Incredible. How many people are using this exact machine without being aware of this?

See? You don&#x27;t have to install malware yourself - that&#x27;s the service!

If I have a choice I generally try to limit my purchases from “non free” countries.<p>It’s not always easy, the line is hardly easy to see, but it is a choice I will go out of my way to make.

I&#x27;m curious how the Chinese government is able to install malware in chinese-made android phones.<p>It&#x27;s hard to know which brands to avoid, and which brands are more trustworthy.<p>Even brands that are not chinese are still based in China...

or maybe they don’t give a fuck about your tiny company that’s too cheap to buy a decent pic n’place? maybe the malware was actually intended getting ip from the company that manufactured machines like yours in the thousands. why do you always assume US companies are the only ones being copied from?

got a usb on ebay with malware for windows.

In 2019 the Chinese covered up the early spread of COVID then later repeatedly stonewalled anyone doing serious research into the disease&#x27;s origin. By letting COVID spread for months unchecked the Chinese effectively ensured that there was no way to stop this thing from going global, which it did, ultimately killing over 5M people and counting.<p>If we&#x27;re unwilling to hold the Chinese to account for that in any meaningful way, I can&#x27;t imagine we&#x27;re going to do anything whatsoever about a little (or even a lot of) industrial espionage.<p>We&#x27;ll gladly let the Chinese run roughshod over us and humiliate us repeatedly if it means we can still by our iPhones on the cheap.

Cool, talk about value add!

20 years ago, china hide 2nd network card that was in listener mode, transmitting documents at random times, mostly peek. This was at a research company. How it was discovered. We put a card on listening&#x2F;prem mode and mirror everything for that subnet the printer was on. I thought I screwed it up with the double mirror&#x2F;traffic.<p>when investigating why the issue, we found nothing wrong with the config, only when we plugged it to another network, we discovered it was something on the network. We narrow it down quickly to the printer. We told head of security (we were hired for an audit ) and it soon became known it was stealing trade secrets and sending them overseas.<p>that was 20 years ago, and till this day, I remember anytime someone says china doesn&#x27;t steal technology... I remember this printer. this was done at the state level and was caught.

Hug of death probably so I cannot read the article.<p>Anyway that&#x27;s the reason why I don&#x27;t buy Chinese crap anymore. I&#x27;m not saying that I don&#x27;t buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.<p>If something doesn&#x27;t match the description send it back, if you find random executables that you cannot identify send it back, if you are asked to register on some weird Chinese website send it back, if you are asked to download a sketchy application with a Chinese readme send it back, etc...<p>After a while you&#x27;ll notice you are sending everything back.<p>And it is not only Aliexpress or other Chinese marketplaces or websites, Amazon is full of Chinese crapware just the same.<p>edit: read the article from archive, well it just confirms to me what I wrote earlier.

Talk to afraid.org, perhaps they&#x27;ll take down the subdomain.

good thing every local and state government institution in the united states is using Zoom because it is &quot;free&quot;

I bought an HP machine in the US with malware deployed from Windows Updates.

I can&#x27;t read the article from here but attacking the supply chain isn&#x27;t new. It is something that requires constant vigilance.

The malware now has 60&#x2F;67 rating [1] on VT. Their analysis [2] is pretty good too.<p>[1]: <a href="https:&#x2F;&#x2F;www.virustotal.com&#x2F;gui&#x2F;file&#x2F;1679b086f649d92456b2f60028fe3be7169e955830319e7f68063ab76379a37e&#x2F;detection" rel="nofollow">https:&#x2F;&#x2F;www.virustotal.com&#x2F;gui&#x2F;file&#x2F;1679b086f649d92456b2f600...</a><p>[2]: (PDF) <a href="https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;files&#x2F;pdf&#x2F;Malware-analysis-FlyerSMT_HV-zhengbang.pdf" rel="nofollow">https:&#x2F;&#x2F;www.rmcybernetics.com&#x2F;files&#x2F;pdf&#x2F;Malware-analysis-Fly...</a>