
"We bought a machine in China and it came with malware pre-installed" Company documents experience

RM Cybernetics specializes in the development of custom-made electronic devices for scientific research, media projects and product development. The company purchased a small pick and place machine in China to make small series and prototypes, and decided to document the experience of buying and setting up a ZhengBang ZB3245TSS pick and place machine. ZhengBang offers several other models, but RM Cybernetics chose this one because it has 58 possible power slots, which means they could keep almost all the standard SMD components they usually use in the machine.

For the record, in the industrial sector, the concept of pick and place (literally, "pick up and drop off") refers to the operation of removing goods from one location to place them in another place, for example wrapping chocolates as they come off the production lines.

RM ordered the machine from AliExpress for a total price of around £4,000 GBP (€4,784) excluding import duties. It arrived just before the RM offices closed for Christmas and so remained packed for a week before the team started handling it.

“There really wasn't much to plug into the machine to get it started. Basically monitor, keyboard, mouse. When turned on, the machine boots very quickly into Windows 7 Ultimate. When we asked the vendor if we could update it to W10, we were told that would cause the machine to stop working. A little disappointing as this is a brand new machine and W7 is no longer supported since January 2020.

“The machine came with two aluminum bars and a round rod which were not mentioned in the manual or the videos. Support told me it was to hold the larger spools and sent a pic. Unfortunately it looks like they sent the wrong part as there is no way these parts will fit the machine, meaning at this point we can only use smaller spools. They told us they would send us the correct part.
“Being a machine direct from China and at a relatively low cost compared to a branded competitor's product, we expected to have to do a little work to start and work around the typical bugs and defects of Chinese products. Much of the operating system and other software on the machine was in Chinese, which is a bit of a pain, but the main operating software was in English (well, sort of). The software, called FlyerSMT_HV, brought up an unsurprisingly rudimentary-looking interface, which hosted the machine without any difficulty. We've used pick and place machines before, so we know how they work, so we took a quick look at the settings and controls. They seemed quite familiar although the English words used to describe them were a bit difficult to understand. Well, there's always a full user manual to refer to, right? Isn't there?

Zhengbang ZB3245TSS User Manual

“There was a shortcut on the desktop of the machine to an English user manual for the machine. There was also a video file showing the basic setup. The first few pages of the manual show all the parts and buttons showing their names, but only their names and little about what they can do. For example, there's a big button on the side of the machine called "FAST BOOT", and in the manual it's marked with a label saying "Fast Boot"... and that's it! One would guess it was some sort of fast boot for the machine, although with booting from an SSD it was pretty fast anyway. If you also guessed the same, you would be wrong. We had to ask the supplier what it does, because nothing in the manual or the videos describes it. We were told "Fast Boot is a button, if you finish placement once, then click that button, it will directly place another PCB."

“One of the first things to do with a pick and place machine is configure the chargers with your components. There is a section on this in the manual, but again it is very vague and we had to contact support to clarify some points.
You might expect each of the input parameters to be described in the manual, but unfortunately that's not the case. Bad English makes it even more difficult to understand. Support sent us a selection of YouTube videos with advice that helped us.”

Pre-installed malware

“At this point we thought we could at least start editing the loaders and configuring so that the software of the machine is saved on a USB key in case we have messed up anything. When you plugged this USB key into one of our workstations, the antivirus immediately displayed a dialog saying that it was disinfecting the drive! Examination of the log showed that it was the file "FlyerSMT_HV.exe" which is the main operating software of the machine! This file was uploaded to VirusTotal to get an idea if it might be a false positive result. VirusTotal told us that 53 out of 69 antivirus products flagged it as malware. Zhengbang support was informed of this and they told us that it was a false positive and not to worry as there was antivirus software installed on the machine. We have received a new zip file containing the software. The contents of this zip file have not been reported as containing malware.

“We submitted the file for malware analysis, which confirmed that it did indeed contain malware. The malware would collect user data and send it to a remote address. Presumably, this could be a way to steal company information such as designs, accounts, etc., or install ransomware on other machines. Pretty dodgy stuff! However, it doesn't stop there!

“With Zhengbang's new uninfected software, we thought we could just replace the infected one and try again. It seemed to work fine, and we also copied a few malware removal tools to the machine to make sure. When you put the USB back into a workstation, Bit Defender appears again, but now reports installers for the tools we just downloaded! They were all showing as having the same infection as FlyerSMT_HV.
How could these be infected when they came from legitimate sources and were not reported during the initial download? other malware, including Trojan horse downloaders. This malware would make a hidden copy of any exe on the USB stick and then repackage it with some included malware. Clever tricks!

“A lot of scans and manual work eventually show that the machine is not infected and the USB devices are no longer infected. W7 has been updated as much as possible, and so far it seems OK. Really, it would be better to replace the SSD with a legitimate English copy of Windows and reinstall only the necessary software. However, we will need to make sure we have a copy of all the necessary drivers and so on to get it working again.

“The machine comes with a copy of Windows 7 Ultimate installed and with updates disabled. This version of Windows is very common as pirated software and often comes bundled with malware. It could be that this is the source of the malware and Zheng Bang either doesn't know or just doesn't care. As a company, I expected them to check this because they might end up with their own systems at the factory compromised. The fact that they told us to ignore it rather than investigate seems suspicious. It would point more in the direction of some deliberate actions, but who really knows. Since the publication of this article, it has been read thousands of times and caught the attention of Zheng Bang itself. They explained that it was a mistake and offered to fix the problem, right? No! The manager asked us to delete the article!”

AliExpress took no action

“We contacted Ali Express to report machines being sold with pre-installed malware, but their response was not received. They said it did not violate their terms and no action would be taken.
Whilst this is not against their policy, we know it is against UK law under the Computer Misuse Act. Deliberately infecting systems using subterfuge to access computer data without authorization is a criminal offence. So there you have it, if you want to sell machines with malware for illegal means, Ali Express seems unwilling to stop it! Below is the response they sent to us:

Submitted by Ali Express: "Please note that the reported listing(s) are not prohibited or controlled under our Product Listing Policy."

sites linked to this article and much of the focus is that the malware is on a new machine. We think that while disappointing, it's not entirely unexpected as Chinese vendors are well known for malware, counterfeit products and poor quality. More significant should be the fact that AliExpress LTD, a company registered and operating in the UK, has chosen to ignore the fact that its website is being used for something illegal.

“There were a few other comments asking why we seem to be keeping the machine rather than returning it. First, it was cheap and we expected to have problems with it. There's nothing else like it (as far as we know) in this price bracket other than more Chinese machines. If you've ever bought anything from AliExpress or other products directly from China, you'll know to lower your expectations drastically. It does not work on our network and now has a new SSD and a legitimate operating system, so the risk of further infection is minimal. The hardware seems reasonably robust and we hope to be able to put it to good use. That said, if it turns out that we cannot reliably build a PCB with it, we will of course seek a refund. We are a very small company of only one and a half human beings. COVID has caused all sorts of problems, just leaving us hobbled, so we really want to get this machine going and try to do some things.”
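
The USB behaviour RM Cybernetics describes above (executables on the stick being repackaged and extra copies appearing after a visit to the machine) can be caught without relying on antivirus signatures by comparing a hash manifest taken before and after. The following Python is an added example, not part of the original article or RM Cybernetics' tooling; the extension list, file names and byte contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions tracked as executable content (an assumption; extend as needed).
EXEC_SUFFIXES = {".exe", ".dll", ".msi", ".scr", ".com"}

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }

def compare(before: dict, after: dict) -> dict:
    """Report executables whose bytes changed, appeared, or vanished."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }

def demo() -> dict:
    """Constructed scenario: snapshot a stick, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp)
        (usb / "tools").mkdir()
        installer = usb / "tools" / "scanner_setup.exe"
        installer.write_bytes(b"MZ constructed clean installer bytes")
        (usb / "notes.txt").write_text("not executable, ignored")
        before = snapshot(usb)  # taken on the trusted workstation
        # Stand-in for what happened on the suspect machine: the installer's
        # bytes change and an extra copy of the original appears beside it.
        original = installer.read_bytes()
        (usb / "tools" / "scanner_setup_copy.exe").write_bytes(original)
        installer.write_bytes(b"MZ constructed wrapper " + original)
        after = snapshot(usb)  # taken before anything on the stick is run
        return compare(before, after)

if __name__ == "__main__":
    print(demo())
```

Any entry under "modified" or "added" means an executable on the stick no longer matches what was copied onto it and should not be run.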
