A colleague of mine recently asked me to have a look at a laptop they had purchased in one of the large computer stores over Christmas complaining of all the usual symptoms of a virus/trojan/spyware infection. I agreed to have a look at it and clean it up.
After clearing down the most obvious pieces of malware, I set about running Windows update. To my amazement, not one single patch had been applied to the machine, nor even automatic updates enabled. Remember, this machine, a brand name laptop, was just purchased in late December of 2006 from a large computer store. In this day and age, selling a laptop with a fresh install of Windows XP without any patches applied is akin to selling a car without any seat-belts, lights or brakes!
While the laptop is “usable”, as the car would be, it is most certainly not safe for use in any way. I have no doubt that the machine was compromised within minutes of it being connected to the Internet. Within less than two months, 19 pieces of malware had made their way onto the system, all the usual suspects were there including Blaster, NetSky, MyDoom and even ProAgent.
The person in question had made quite a few purchases on-line, including one for WinAntiVirus2006, which did nothing but add more malware to the system and certainly didn’t remove any infections! I told them it would probably be a good idea to contact their bank and have their credit card cancelled as I’m pretty sure something or someone had got a hold of it and it was just a matter of time before it was used.
I’m beginning to wonder if it’s time for a license to sell computers, or at least a basic set of standards a retailer must adhere to before being allowed to sell computers. It doesn’t need to be anything draconian, just some simple rules that ensure that the computers being sold are not putting people at unnecessary risk of on-line fraud, spyware infestation and possibly identity theft.
While I strongly feel that users in general need to be better educated about the need for applying updates, using good anti-virus software and so on, I feel the retailers also need to take some responsibility for the products they sell. Getting back to the car analagy, it’s like the car-dealer telling you after buy the car you need to fit the brakes and the seat-belts yourself.
