IBM sent USBs that may have 'malicious code' to customers

Dive Brief:

  • IBM sent out a flash alert to customers after the company identified a "malicious file" distributed on USB flash drives it sent customers as part of an initialization tool for IBM Storwize V3500, V3700 and V5000 Gen 1 systems. 
  • When the initialization tool is launched from the USB, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop, according to the alert. The malicious file is then copied with the initialization tool to a temporary folder, but is not executed during initialization. 
  • It’s unclear how the malicious file made its way onto the USBs. Big Blue outlined how customers can respond if the drive was used for initialization. For those customers who have not yet used the drive, IBM recommends, among other things, to "securely destroy the USB flash drive so it cannot be reused."

Dive Insight:

USBs strike again. The handy tools can pack a punch when plugged into a computer. USB devices are an easy way for hackers to gain access into enterprise systems if such systems lack adequate security measures. If someone can gain unfettered network access, they could spread a rash of malware. 

But when it comes to service providers, customers should be able to trust the technology they receive isn't tainted. No matter how the malicious files were placed on the USB, it is an oversight on IBM's part to distribute the drive without ensuring the integrity of the files. 

People are also curious when it comes to USB drives. A study conducted by a group of University of Illinois researchers last year found almost half of people will plug an unknown USB drive into their computer. 

To test whether hackers could use booby-trapped USBs to gain network access, the researchers dropped 297 USB sticks on the school’s Urbana-Champaign campus. Of those who picked up the drives, 135 people actually opened some of the device's files. 

Filed Under: Security
Top image credit: Flickr user Monitotxi