Plug-n-pray

Filed Under: Malware, SophosLabs

The recent news of yet another storage device being shipped with 'pre-loaded' malware raises the question of what level of trust we can assign to a fresh out-of-box device.

In the most recent incident, HP shipped USB keys used with certain models in its ProLiant server range that were infected with malware detected by Sophos as Mal/Dropper-Y and Troj/VB-CSA. The malicious file, detected as Mal/Dropper-Y by proactive Behavioral Genotype technology, has the functionality to spread via USB keys. The good news for users is that detection for both malicious files has been widely available since at least 2007. As such, a PC running updated anti-virus software would have detected the malware when an infected USB key was connected and blocked further infection.

Many will also remember that last year Seagate, another large and reputable vendor, shipped a personal storage device infected with a password-stealing Trojan. While such occurrences are not an everyday phenomenon, they do happen, and they pose a security risk to the unsuspecting user who assumes out-of-box means entirely unmolested.

So what can users do to ensure they do not have to plug-n-pray every time they purchase a new storage device? Should users follow the same process they would when attaching any storage device to a computer, which is to scan it for malware before use? Or should they ensure the device is entirely free of data, malicious or not, by securely overwriting all allocatable storage before use?

An IT administrator could also disable the autorun facility of Windows so that attached devices such as USB keys and CD-ROMs do not automatically launch when connected to a PC.
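One way an administrator could apply the autorun advice above, as an added example that is not part of the original post: a PowerShell script that audits the `NoDriveTypeAutoRun` policy value and, when run with its own `-Enforce` switch (a name chosen for this example), sets it so AutoRun is disabled for every drive type. It assumes an elevated session and the machine-wide Explorer policy key.

```powershell
# Added example: audit (and optionally enforce) the Windows AutoRun policy.
# Run from an elevated PowerShell session; -Enforce is this script's own switch.
param([switch]$Enforce)

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllTypes   = 0xFF   # every bit set: AutoRun disabled for all drive types

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that type.
$DriveTypeBits = [ordered]@{
    'Unknown'              = 0x01
    'Removable (USB keys)' = 0x04
    'Fixed disk'           = 0x08
    'Network'              = 0x10
    'CD-ROM'               = 0x20
    'RAM disk'             = 0x40
    'Other unknown types'  = 0x80
}

$item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
$mask = if ($null -ne $item) { [int]$item.$ValueName } else { $null }

if ($null -eq $mask) {
    Write-Output "$ValueName is not set under $PolicyPath; the Windows default applies."
} else {
    Write-Output ('{0} = 0x{1:X2}' -f $ValueName, $mask)
    foreach ($type in $DriveTypeBits.Keys) {
        $state = if ($mask -band $DriveTypeBits[$type]) { 'disabled' } else { 'ENABLED' }
        Write-Output ('  AutoRun {0,-8} for {1}' -f $state, $type)
    }
}

if ($mask -eq $AllTypes) {
    Write-Output 'Compliant: AutoRun is disabled for all drive types.'
} elseif ($Enforce) {
    # Create the policy key if it is missing, then write the DWORD value.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $AllTypes `
        -PropertyType DWord -Force | Out-Null
    Write-Output ('Set {0} to 0x{1:X2}.' -f $ValueName, $AllTypes)
} else {
    Write-Output 'Not compliant: re-run with -Enforce to disable AutoRun everywhere.'
}
```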

Of course device vendors should not put the security onus entirely on the user. They need to ensure every step of the manufacturing process is covered by strict security practice to limit the chance of these mishaps occurring.

With a little diligence and up-to-date anti-virus, users shouldn't need to rely on faith to be protected from today's malware.
