Do you want spies with that? McDonald’s gives customers Trojan as free gift.

happygeek

You cannot fault the Japanese arm of Mc Donald’s for moving with the times and giving away Flash MP3 players as prizes in a competition to customers who bought large Coca-Cola drinks. But, to be honest, I would rather have had the usual tacky plastic movie tie-in toy because at least those guys do not come complete with spyware.

Yep, one can only assume that Ronald McDonald has been promoted to head of IT security for the fast food giants, after all it is the only reasonable explanation of how the QQpass spyware Trojan was allowed to be distributed, unnoticed, on the McDonald’s branded MP3 players.

Sure, the security breach was eventually spotted, but not until 10,000 of the infected prizes had already been sent out. The McDonald’s product recall, apology and telephone helpline offering advice on disinfecting a PC are all welcome but should not have been needed in the first place.

As someone who has been a Contributing Editor of computer magazines for two decades now, I seriously thought that the era of the freebie give-away virus infection was over. After all, this is positively old school when it comes to distribution methodology. I can recall some highly serious slip ups over the years, with magazine publishers who should have known better, even in the early 90’s, managing to infect their customers by issuing cover mounted CDs that were not virus-checked properly.

But everyone knows better these days, security is not a black art, it is no longer a secret shared only between those who know the special handshake. Everyone, apart from McDonald’s apparently, understands that if you are giving away an item that contains data and it intended to be plugged into a customer PC then it has to be checked and double-checked and declared clean before it reaches the distribution chain.

Those who really care about their customers, and their brand reputation, would check again at the final stage of distribution before shipping to ensure no malware had been introduced along the way.

Something that did not, obviously, happen in this case. Something made even more surprising given that the McDonald’s branding was emblazoned on the MP3 players, so these would be linked directly to the conglomerate along with any problems.

What did happen was when the MP3 player was plugged into the PC for the very first time, and the user attempts to start the player, so the Trojan was activated. And what does QQpass actually do? Oh, nothing much, just tries to shut down your AV software, steal login details for a Chinese chat application called OICQ and assorted web passwords before emailing them to a number of associated hackers.

It could be argued that the end user is as much to blame if they did not have anti-spyware and adequate firewall protection to prevent infection, but you will not find me arguing it. I am much more likely to be joining the ‘you cannot blame non-technical PC users for trusting a company such as McDonald’s to not be distributing malware’ argument to be honest.

365 Views
About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, which was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Mushy-pea 36 What, you can change this tag?

Have you considered the possibility that it was diliberate on the part of the "Mc". I would imagine you've heard somthing about this:

http://www.alwayson-network.com/comments.php?id=12929_0_40_0_C

Good article by the way.

Steven.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I think the Sony/BMG rootkit thing was completely different, the problem there being not so much what Sony was doing (although that was bad enough) but the fact that the installed rootkit could easily be exploited by others for overtly criminal activity.

McDonald's would have absolutely nothing to gain from distributing the Trojan concerned, it is a simple password/login collector and as such benefits only the hacker/phishing community. Indeed, as McDonald's has found out, the only payload for it here is bad publicity and lots of well deserved egg on the face.

By the way, and sorry to ask, but if you like the blog posting could you submit it to places like Digg, Slashdot and anywhere else you can think of? We are trying to increase the external traffic we get to Daniweb blogs :)

1337_MilkMan 1 Newbie Poster

I'm NOT lovin' it. Lol.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.20 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.