Risk
5/28/2010
01:56 PM
50%
50%

IBM Distributes Malware At Security Conference

Promotional USB thumb drives carried an unintended freebie: a keystroke-monitoring Windows worm.

Call it a stealth attack: Attendees at this month's AusCERT information security conference in Australia received an apologetic e-mail last week from IBM warning them that gratis promotional USB thumb drives the company distributed came installed with an unintended freebie: malware.

"At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth," IBM's chief technologist in Australia, Glenn Wightwick, wrote to attendees. "Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."

It warned recipients to not use the drives, and requested their return to a postage-free address.

IBM didn't name the malware in question, noting only that it "is contained in the setup.exe and "autorun.ini" files, had been around since at least 2008, and could be detected "by the majority of antivirus products" on the market.

It warned that the malware would automatically run, and advised anyone who had actually plugged in the offending thumb drive to "contact your IT administrator for assessment, remediation and removal."

According to Graham Cluley at Sophos, the drives contained two different pieces of malware: The setup file is known as LibHack-A, and refers to "often otherwise legitimate applications that have been altered to load a malicious library file with a .dat extension," said Cluley on the Sophos blog. Thankfully, a crucial component is missing, which means it doesn't work.

But that's not true for the other piece of malware, a keystroke-monitoring Windows worm known as Agent-FWF. "Hardly the kind of code a security researcher would want running on their computer," said Cluley.

What can other companies do to ensure that their USB thumb drives aren't delivering hidden extras to conference-goers and potential customers? For starters, while auto-run features may seem mandatory to ensure that thumb-drive recipients receive your marketing message, avoid them.

"Auto-run files seem like a good idea because they force the user to view your pre-loaded information but you do, as IBM have discovered, run a very small risk with auto-run files of introducing malware," Phil Battison, director at memory stick vendor USB2U, said in a statement. Better, he said, to stick to just data files, such as Word documents, Excel spreadsheets, PowerPoint decks, or PDFs.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.