On the official support site of IBM, the company issued an alert to some of its customers this week. The reason for this is that IBM unintentionally sent malicious USB flash drives.
The drives contain software that was used to initialize a professional-grade storage hardware sold under its Storwize brand. Drive transport software for three different models has been affected, and IBM recommends that drives be destroyed or cleaned securely for reuse.
The situation is not as serious as it would have been. The malicious code does not actually work during the initialization process on the Storwize devices for which the disks are intended. IBM also notes that the Trojan is already identified by at least a dozen popular anti-malware applications (the VirusTotal service puts the number about 60).
While the real danger posed by these readers is minimal, the incident serves as an important reminder that digital threats may hide anywhere. In the case of IBM units sent to their customers, they are suspected of being infected somewhere in the supply chain.
Supply chains have been a major safety issue for years. In 2011, the Department of Homeland Security warned Congress of the presence of malicious software in imported electronic products. A year earlier, buyers of some HP flash drives discovered they were pre-infected.
Last spring, the American Dental Association found itself entangled in a USB disk incident very similar to this one. In March of this year, more than three dozen Android devices were infected by Check Point researchers.
It is rather disturbing to think that you could buy an infected device unknown in a department store but it is much more alarming that state-sponsored groups use this tactic to target the types of businesses and organizations that Purchase IBM Storwize devices.
