Some viruses come pre-installed

"We'll probably see a steady increase over time," said Zulfikar Ramzan, a computer security researcher at Symantec Corp. "The hackers are still in a bit of a testing period — they're trying to figure out if it's really worth it."

Thousands of people whose antivirus software isn't up to date may have been infected by new products without even knowing it, experts warn. And even protective software may not be enough.

In one case, digital frames sold at Sam's Club contained a previously unknown bug that not only steals online gaming passwords but disables antivirus software, according to security researchers at Computer Associates.

"It's like if you pick up a gun you've never seen before — before you pull the trigger you'd probably check the chamber," said Joe Telafici, vice president of operations of McAfee Avert Labs, the security software maker's threat-research arm.

"It's an extreme analogy, but it's the right idea. It's best to spend the extra 30 seconds to be sure than be wrong," he added.

Consumers can protect themselves from most factory-loaded infections by running an antivirus program and keeping it up to date. The software checks for known viruses and suspicious behaviors that indicate an attack by malicious code — whether from a download or a gadget attached to the PC via USB cable.

One information-technology worker wrote to the SANS security group that his new digital picture frame delivered "the nastiest virus that I've ever encountered in my 20-plus-year IT career." Another complained his new external hard drive had malfunctioned because it came loaded with a password-stealing virus.

Monitoring suppliers in China and elsewhere is expensive, and cuts into the savings of outsourcing. But it's what U.S. companies must do to prevent poisoning on the assembly line, said Yossi Sheffi, a professor at the Massachusetts Institute of Technology specializing in supply chain management.

"It's exactly the same thing, whether it happened in cyberspace or software or lead paint or toothpaste or dog food — they're all quality control issues," Sheffi said.

While manufacturing breakdowns don't happen often, they have become frequent enough — especially amid intense competition among Chinese suppliers — to warrant more scrutiny by companies that rely on them, Sheffi said.

"Most of the time it works," he said. "The Chinese suppliers have every reason to be good suppliers because they're in it for the long run. But it's a higher risk, and we've now seen the results of that higher risk."

The AP contacted some of the world's largest electronics manufacturers for details on how they guard against infections — among them Hon Hai Precision Industry Co., which is based in Taiwan and has an iPod factory in China; Singapore-based Flextronics International Ltd.; and Taiwan-based Quanta Computer Inc. and Asustek Computer Inc. All declined comment or did not respond.

The companies whose products were infected in cases reviewed by AP refused to reveal details about the incidents. Of those that confirmed factory infections, all said they had corrected the problems and taken steps to prevent recurrences.

Apple disclosed the most information, saying the virus that infected a small number of video iPods in 2006 came from a PC used to test compatibility with the gadget's software.

Best Buy, the biggest consumer electronics outlet in the U.S., said it pulled its affected China-made frames from the shelves and took "corrective action" against its vendor. But the company declined repeated requests to provide details.

Sam's Club and Target say they are investigating complaints but have not been able to verify their frames were contaminated.

Legal experts say manufacturing infections could become a big headache for retailers that sell infected devices and the companies that make them, if customers can demonstrate they were harmed by the viruses.

"The photo situation is really a cautionary tale — they were just lucky that the virus that got installed happened to be one that didn't do a lot of damage," said Cindy Cohn, legal director for the Electronic Frontier Foundation. "But there's nothing about that situation that means next time the virus won't be a more serious one."

MORE FROM SECURITY

Security Section Front

Web site design flaws make banking riskier Facebook redesign to weed out toxic spam The end of human customer service? EU warns against buying ring tones online Engineer accused of network tampering Man gets prison time for spamming AOL FCC chief says Comcast violated Internet rules Lawmakers to probe 'adware' practices Red Tape: Thwarting thieves with ... magic? 'Public' online spaces don't carry speech, rights Security Section Front   Add Security headlines to your news reader: