Inserting malware at the source

Peter Muhlberger was happy when he bought home his digital camera. He was looking forward to taking high-quality digital images to show his family and friends. But the camera came with an unexpected addition: “I plugged it into my PC and it had a virus on it,” says the programme director for social, behavioural and economic research at the National Science Foundation (NSF). The camera came with the virus straight out of the box. It hadn't been tampered with en route from the store. It turns out that malware and other threats are being inserted in the supply chain, and that this is not an isolated occurrence. Inserting malware in the supply chain is an excellent way to spread it around. After all, distribution is guaranteed if malware is bundled directly into a product. It will reach the computers of a very high percentage of purchasing customers, giving the malware vendor the chance to overcome any defences. In addition to the deliberate or accidental compromise of legitimate systems, customers must also cope with the danger of counterfeit systems that can show up both at the consumer and the enterprise level. Danny Bradbury examines the problem of malware in the supply chain and what's being done to combat it.