HP Admits Selling Infected Flash-Floppy Drives
bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin.
Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space.
A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois.
Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."
The main purpose for having floppies in servers is that Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives.
Starbucks, Harbuckle of Breath.
Although still in a woeful overall state, Vista has one critical security difference from XP that helps here. By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No and then format the sucker. This default is something Microsoft should seriously back-port to XP.
Shh.
Here's the HP security notice. This was discovered in January/February, according to HP, but not announced by them until April.
Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.
Here are the part numbers:
They're still for sale on Amazon, for example.
In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.
HP's recall supply chain will dump the recalled product to shady asset recovery firms and it will just end up on eBay and not destroyed.
(Where do you think recalled Dell batteries went?)
Anonymous for a reason.
From the advisory:
If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.

Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.
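The "tripwire-esque delta" the comment above refers to is a file-integrity baseline: a manifest of hashes and metadata taken while the system is trusted, diffed against the same manifest taken later. The script below is an added example (not code from the page, from HP, or from Tripwire) that builds such a manifest and reports what was added, removed or modified. The directory tree, file names and the simulated post-infection changes in `demo()` are constructed so the script runs offline.

```python
"""Minimal file-integrity baseline and delta check (Tripwire-style).

Added example, not code from the page or from HP. It assumes you
snapshot a tree while it is still trusted; the sample tree below is
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to hash, size and mode bits."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return manifest


def delta(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a tree, simulate changes, diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"original service binary")
        (root / "config.ini").write_text("setting=1\n")
        baseline = build_manifest(root)

        # Simulated post-infection state (all constructed): a dropped file,
        # a binary whose contents changed, and a deleted config file.
        (root / "autorun.inf").write_text("; constructed placeholder\n")
        (root / "bin" / "service.exe").write_bytes(b"original service binary + extra")
        (root / "config.ini").unlink()
        current = build_manifest(root)
        return delta(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Without a baseline taken before the drive was plugged in, `delta()` has nothing to compare against, which is exactly the point the comment makes: an antivirus clean tells you a known signature is gone, not that the tree matches what you installed.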
What is notably left out is: Who made them and in what country? What are normal HP quality controls? What is HP planning on changing to prevent this in the future?
No-one's suggesting that this was a deliberate policy decision by HP; the suggestion is that it was a disgruntled worker or somesuch that did it deliberately for some unknown ends.
What's purple and commutes? An Abelian grape.
Anyone who has ever installed an HP scanner or All-in-one knows that the consumerware/bloatware that HP deliberately installs is truly awful. The print monitor behaves strangely, faceless apps hang and get respawned without the existing processes being killed, all kinds of crap is installed that is difficult to remove, et cetera. If you don't seek out and install the thin "enterprise driver," and find alternative helper apps, you wind up with all this junk.
So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*