IBM shipped USB flash drives containing malware to an unknown number of customers. The company said the malware is automatically copied to any machine that the drive is connected to, and is warning customers to destroy the drives.
IBM hasn’t released many details on the incident or how the malware got onto the drives. But the company said that the drives shipped with some models of its Storwize storage appliances.
“IBM has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code,” the company said in an advisory.
“When the initialization tool is launched from the USB flash drive, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. While the malicious file is copied onto the desktop or laptop, the file is not executed during initialization.”
The malware shipped on drives that came with the following Storwize models:
IBM Storwize V3500 – 2071 models 02A and 10A
IBM Storwize V3700 – 2072 models 12C, 24C and 2DC
IBM Storwize V5000 – 2077 models 12C and 24C
IBM Storwize V5000 – 2078 models 12C and 24C
The problem of malware coming pre-installed on hardware devices is not a new one. There have been a number of incidents like this over the years with mass market USB drives, digital picture frames, and many other types of devices. In March, researchers discovered a number of Android phones that had shipped with malware on them, as well. In that instance, the infected phones were discovered in use at a company.
“The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed,” Oren Koriat of the Check Point Mobile Threat Researcher team said in a post analyzing the attacks.
The malware on the drives IBM shipped is a Trojan that can be used to install other malware on infected machines.
Image: Nedko Ivanov, CC by license.