IBM distributes USB malware cocktail at AusCERT security conference

Image (2) ibm-auscert-malware.jpg for post 16625

IBM danger
Sheesh. This must rank as one of the most embarrassing things a security company can do at a security conference.

IBM has admitted that the complimentary USB drives it handed out this week at the AusCERT conference on the Gold Coast, Queensland, were infected by not one, but two pieces of malware.

Analysts at SophosLabs have analysed samples of the USB stick in question, and can confirm that the devices are indeed infected. You should exercise care if you plug the device into your computer, since it is an autorun worm – which means it will launch when inserted into a computer if autorun/autoplay is enabled.

In what must have been a highly embarrassing admission, IBM Australia sent an email to all AusCERT attendees warning them of the security screw-up.

Email from IBM about malware on USB stick

Part of the email read:

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

So, what is actually on the freebie USB drive that IBM handed out at AusCERT? IBM doesn’t name it in its apologetic email – but Sophos can reveal that there were in fact two examples of malware on the infected thumb drives.

If you were unlucky enough to have picked up one of these IBM flash drives (and examined its contents closely) you may have noticed that it contained both an autorun.inf file and an infected Setup.exe.

The setup file is infected with malware which Sophos detects as W32/LibHack-A.

Files detected by W32/LibHack-A are often otherwise legitimate applications that have been altered to load a malicious library file with a .dat extension (a typical example would be “t32dm.dat”).

The t32dm.dat component is missing from the IBM USB stick, meaning that that part of the program does not function properly. However, if you disinfect the file of W32/LibHack-A a second infection is found: a Windows worm called W32/Agent-FWF which is capable of logging keystrokes.

Wow – a true cocktail of malware. Hardly the kind of code a security researcher would want running on their computer. And I imagine that the security professionals at IBM will have their head in their hands about this breach, because it wasn’t even as though this malware was previously unknown. Sophos has been detecting W32/Agent-FWF, for instance, since June 2007!

Sophos products can successfully disinfect the setup.exe program as well as detect the underlying worm. However our advice, if you received one of these USB sticks, is to simply delete setup.exe and the accompanying autorun.inf.

As the files are hidden from normal view, you may wish to use the DOS attrib command to change their attributes. Here’s an example of what you would type:

attrib -h -s -r e:\setup.exe e:\autorun.inf

Any company handing out USB sticks to the public should take the appropriate steps to ensure that they are squeaky clean, and not secretly infected with malware. That advice should be driven home even more loudly if you’re at a security show like AusCERT.

Sadly this kind of incident isn’t that uncommon – even for security companies at security conferences.

Earlier this year I was at the RSA show in San Francisco. I was asked if I would mind being filmed giving a special “straight-to-camera” version of my talk on social networking.

When I got to the studio for the recording, the young woman who worked for the RSA team asked me for a copy of my presentation so they could play it in a window next to my talking head. Yep, you guessed it, she handed me her USB stick.

As soon as I plugged her USB drive into my MacBook, my trusty copy of Sophos Anti-Virus went vworp! vworp! vworp! and informed me that her flash drive was infected with some autorun malware. Ha! And people question why I run anti-virus on my Apple Mac…

I asked her how many other security professionals she had been filming that day (and had given her their presentations) and she looked a little sheepish.

She wasn’t a security professional, but she was working for a security company – and when she asked me to look at her Windows computer I found she had no anti-virus software installed. With her permission I cleaned up her laptop and installed an anti-virus product on her machine, in the few minutes before I had to jump in front of the camera.

With malware increasingly being discovered that spreads via USB sticks, it’s no wonder that more and more organizations are looking to control access to USB ports. It doesn’t just help stop autorun malware, it can stop sensitive data from leaking out too.

* Image source: Nedko’s Flickr photostream (Creative Commons)