IBM has warned customers that it accidentally shipped a number of malware-infected USB sticks to enterprises ordering its IBM Storwize V3500, V3700 and V5000 Gen 1 flash storage solutions.
The malware is found in the intitialisation tool’s directory, and when tool is launched from the USB stick to configuring the Storwize storage solution, the malware is copied to a temporary directory on the computer’s hard drive.
On Windows systems, that temporary folder can be found at %TMP%initTool, and on Linux and OS X it is /tmp/initTool.
IBM has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code.
The Initialization Tool on the USB flash drive with the partnumber 01AC585 that shipped with the following System models may have an infected file:
IBM Storwize V3500 – 2071 models 02A and 10A
IBM Storwize V3700 – 2072 models 12C, 24C and 2DC
IBM Storwize V5000 – 2077 models 12C and 24C
IBM Storwize V5000 – 2078 models 12C and 24C
IBM Storwize Systems with serial numbers starting with the characters 78D2 are not affected.
IBM has not said how many infected USB sticks it believes it has shipped to customers, but even if it’s a relatively small number that will be of little comfort if you were one of the unlucky recipients.
The good news is that the malware is only copied onto the computer. The initialisation process does not actually run the malicious code, and a computer can only become infected if the malicious file is executed.
While the malware does not target the integrity of the storage systems themselves, if the malicious code is launched it will attempt to infect the Windows computer it is run on, and may download further malware from the internet.
IBM is recommending that the malware-infected USB sticks should either be securely destroyed, or have the offending folder wiped and a clean version of the installation tool package downloaded and installed in its place.
Personally I would think that USB sticks are so cheap that the simplest choice is to destroy the infected one (in order to prevent someone else innocently using it) and download the software you need afresh.
According to IBM, up-to-date versions of the following anti-virus products have been confirmed to detect the malware: AhnLab-V3, ESET NOD-32, Kaspersky, McAfee, McAfee-GW-Edition, Microsoft, Qihoo-360, Symantec, Tencent, Trend Micro, Trend Micro Housecall, ZoneAlarm.
I would imagine other vendors are also busily updating their security products if they have not already done so.
It’s important to remember that malware doesn’t just present a risk to you when you open on an email attachment, or click on a link, or visit a website with poisoned adverts. Your computer can also come to harm through malware which has been physically shipped to you on CD ROM, on a USB stick, or even pre-installed on a hard drive.
We tend to trust companies like IBM to take greater care over what they ship to their customers and assume it to be uncompromised and squeaky-clean. Clearly that trust is sometimes misplaced.
Take care folks.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
4 comments on “IBM has been shipping malware-infected USB sticks”
I remember doing a show a few days after Microsoft shipped Form virus. It was headlines in "Computer Weekly", "Microsoft ships damaging Form virus".
So we put that headline up on our big screen, and got our audience yelling "We love Microsoft"
The MS stand was quite close.
All through that show, we got Microsofties coming round to see what all the yelling was about.
Antivirus used to be *such fun*.
Microsofties….a new word enters my vocabulary forever . Thanks.
Well. All vendors can be vulnerable but not many of them can admit the failure and warn clients.
I'm glad IBM have guts and published this note.
Most of vendors would duck or deny-and also ignore any attempt to report possible problem.
Any more information on the nature and payload of the malware, Graham/anyone?