Incident Response, Malware, TDR, Vulnerability Management

IBM distributed infected USB drives at conference

IBM, one of the world's largest security companies, last week distributed complimentary USB drives to the attendees of an Australian information security conference.

The only problem was, the sticks apparently were unknowingly infected with malware.

IBM gave out the devices at the Australian Computer Emergency Response Team (AusCERT) 2010 conference, attended by information security leaders within government, academia and the private sector.

Glenn Wightwick, chief technologist at IBM Australia, in a letter obtained by IT security management blog Beast or Budda, offered an apology to attendees. He said all the devices it gave away were affected.

“The malware is known by a number of names and is contained in the setup.exe and autorun.ini files,” Wightwick said. “It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server, whereby the setup.exe and autorun.ini files run automatically.”

The malware is detected by most anti-virus products and has been known since 2008, the letter stated.

Those who ran the drive, but had the AutoRun feature disabled, were not affected.

Portable storage device threats, such as AutoRun worms, were the most prevalent type of malware worldwide during the first quarter of the year, according to a recent McAfee report. Cybercriminals use AutoRun to automatically install malicious software on a user's PC when an infected removable storage device is plugged in.

IBM's letter provides steps for removing the malware and an address where recipients can send the drive back.

Randy Abrams, director of technical education at ESET, wrote in a blog post Friday that IBM failed to properly vet its manufacturer's work.

An IBM spokesperson did not respond to a request for comment made by on Monday.

The incident is just the most recent example of a growing list of electronics devices that have been found to contain malware after they've been shipped.

In May 2009, it was discovered that a factory-sealed M&A Technology Touch netbook came with trojans installed on the disk image. Moreover, two brands of digital picture frames sold at Wal-Mart and Sam's Club during the 2008 holiday season also arrived infected with malware. The frames, produced by Insignia and Advanced Design System, were compromised during the manufacturing process. And, in October 2006, TomTom shipped a batch of GPS devices that included malware.

For more information about supply chain vulnerabilities, see the upcoming July issue of SC Magazine.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.