A loyal ISC reader pointed us to this note from AUSCERT. The basic story is that HP has optional "floppy USB keys" for some of their Proliant servers. The 256 KB and 1 GB versions include a batch that also came with 'W32.Fakerecy' or W32.SillyFDC' designed to infect your machine if you insert them. The interesting note is that these keys seem only to be shipped for Proliant servers which could indicate an attempt to "target" by the attackers or that they just hit some factory and got lucky. Either way, with the prolific trail of stories of USB devices shipping with malware pre-installed, it is now an attack vector that we need to be concerned about. Here are some steps to protect yourself against USB-based (and Fireware, which isn't immune from these stunts) malware:
1) Take the vendor who made the device and do a google news search on it. Odds are you aren't the first to buy it and if it comes with badware it may be news. If you see a story about it, check the vendor webpage and see if you can compare serial numbers of infected/non-infected versions. If not, return it and get something similar. Additionally, you can check the vendor page, sometimes (but shamefully not enough) they do the right thing and let their customers know what to do.
3) If you do receive a malware hit, let us know via our contact page. Fair, this isn't the most important step, but also let the store know where you got it and the manufacturer of the device know. Depending on what product we are talking about, it may not be easy to find contact information, we can work on that too. We like malware samples, if you feel comfortable and know how to do it, send them to us. We will analyze and forward them on to our list of anti-virus vendors.
4) Even if you do not see any malware, there is a possibility you are not safe. If you notice "odd" behavior of your machine (connections to a random machine you don't know, changing your default homepage, etc), be wary. Update your DATs and scan again, or check mailing lists (or with us) to see if anyone else is having problems.
5) If you are a manufacturer/vendor of external data storage (USB, Fireware, etc), outsourcing may still make sense for you. But just because a business model meets the cost-benefit equation doesn't mean you can go "Baghdad Bob" about the risks (or costs) associated with outsourcing. Whatever is done outside your control is... outside your control. When you have a factory make these devices for you, scan them yourselves and examine them for signs of badware *before* you ship to the consumers. The extra QA step may cost you money up front, but build consumer good will. Consumers like companies that look out for them.
6) Turn off "autorun" software on your operating system. It makes life less convenient, but it saves you from automatically running software that you don't want. If you want complete safety and it doesn't void your warranty/ability to return the device or make the device irrelevant (such as USB keys provided by vendors of servers and appliances for updating software) format the drive completely using a data shredder or other tool to torch every single byte that is on the device.
I recommend that if you get a malware hit on a USB device to simply return it and get something else (unless there is no alternative). I don't see a point in keeping hardware that came preinstalled with malware, there is no telling what else is on there that isn't detected and you know it's already be tampered with. It's generally best practice to do a complete reinstall of an infected machine, I would posit the best practice for the purchase of an infected device is simply to return it while your window of return is still open. There are plenty of product chooses of picture frames, USB memory sticks, SD cards, USB/Fireware harddrives, etc that have not gotten hit with malware to worry about cleaning a compromised device.
UPDATE: It's not the first time USB keys for "targetted" victims has been found. CheckPoint recently got hit with some of their USB keys for "reset to factory default" devices to plug into some of their firewalls.
Apr 7th 2008
9 years ago