You cannot fault the Japanese arm of McDonald’s for moving with the times and giving away Flash MP3 players as prizes in a competition to customers who bought large Coca-Cola drinks. But, to be honest, I would rather have had the usual tacky plastic movie tie-in toy because at least those guys do not come complete with spyware.

Yep, one can only assume that Ronald McDonald has been promoted to head of IT security for the fast food giant; after all, it is the only reasonable explanation of how the QQpass spyware Trojan was allowed to be distributed, unnoticed, on the McDonald’s branded MP3 players.

Sure, the security breach was eventually spotted, but not until 10,000 of the infected prizes had already been sent out. The McDonald’s product recall, apology and telephone helpline offering advice on disinfecting a PC are all welcome but should not have been needed in the first place.

As someone who has been a Contributing Editor of computer magazines for two decades now, I seriously thought that the era of the freebie give-away virus infection was over. After all, this is positively old school when it comes to distribution methodology. I can recall some highly serious slip-ups over the years, with magazine publishers who should have known better, even in the early 90’s, managing to infect their customers by issuing cover-mounted CDs that were not virus-checked properly.

But everyone knows better these days. Security is not a black art; it is no longer a secret shared only between those who know the special handshake. Everyone, apart from McDonald’s apparently, understands that if you are giving away an item that contains data and it is intended to be plugged into a customer PC, then it has to be checked and double-checked and declared clean before it reaches the distribution chain.

Those who really care about their customers, and their brand reputation, would check again at the final stage of distribution before shipping to ensure no malware had been introduced along the way.

Something that did not, obviously, happen in this case. Something made even more surprising given that the McDonald’s branding was emblazoned on the MP3 players, so these would be linked directly to the conglomerate along with any problems.

What did happen was that when the MP3 player was plugged into the PC for the very first time, and the user attempted to start the player, the Trojan was activated. And what does QQpass actually do? Oh, nothing much, just tries to shut down your AV software, steal login details for a Chinese chat application called OICQ and assorted web passwords before emailing them to a number of associated hackers.

It could be argued that the end user is as much to blame if they did not have anti-spyware and adequate firewall protection to prevent infection, but you will not find me arguing it. I am much more likely to be joining the ‘you cannot blame non-technical PC users for trusting a company such as McDonald’s to not be distributing malware’ argument to be honest.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

I think the Sony/BMG rootkit thing was completely different, the problem there being not so much what Sony was doing (although that was bad enough) but the fact that the installed rootkit could easily be exploited by others for overtly criminal activity.

McDonald's would have absolutely nothing to gain from distributing the Trojan concerned, it is a simple password/login collector and as such benefits only the hacker/phishing community. Indeed, as McDonald's has found out, the only payload for it here is bad publicity and lots of well deserved egg on the face.

By the way, and sorry to ask, but if you like the blog posting could you submit it to places like Digg, Slashdot and anywhere else you can think of? We are trying to increase the external traffic we get to Daniweb blogs :)
