Slashdot Mirror

← Back to Stories (view on slashdot.org)

IBM Distributes USB Malware At Security Conference

Posted by kdawson on from the just-testing-ya dept.

bennyboy64 and other readers let us know that IBM sent out an email to all attendees to the Australian Computer Emergency Response Team (AusCERT) 2010 conference, warning them that some of the USB drives handed out to delegates contained malware. Fortunately it was old malware, which all anti-virus products have detected since 2008. Two years ago telecommunications company Telstra distributed malware-infected USB drives at the same conference.

73 comments

  1. Old malware.... by Rotten · · Score: 4, Funny

    IBM old malware is......OS/2?

    1. Re:Old malware.... by Opportunist · · Score: 5, Funny

      OS/2 was not malware. Malware is unobstrusive, runs usually pretty well with Windows, only occasionally slows down the system and is usually also well maintained.

      Stop badmouthing malware, please.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Old malware.... by NervousWreck · · Score: 2

      Ah, so Vista isn't malware either? Shucks, I can't use one of my favorite lines on friends who ask me for help.

      --
      I do not have a sig. You are hallucinating.
    3. Re:Old malware.... by Anonymous Coward · · Score: 1

      Stop badmouthing OS/2. It was far superior to Windows (its only downfall was lack of Windows 95 app compatibility and hardware compatibility).

    4. Re:Old malware.... by Opportunist · · Score: 1

      No, Vista is a bug. Or a glitch, depends.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Wow... by wandazulu · · Score: 5, Funny

    ...I didn't realize they'd been able to squeeze Lotus Notes onto a USB drive.

    1. Re:Wow... by Anonymous Coward · · Score: 0

      ...I didn't realize they'd been able to squeeze Lotus Notes onto a USB drive.

      USB drives are getting bigger all the time and Blotus Notes is getting smaller...well Market Share wise that is!

    2. Re:Wow... by Hurricane78 · · Score: 1

      To be honest, it was a new experimental USB stick, 1TB of size.
      So the installer did barely fit on it. The installer that you needed to download the actual data, of course.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  3. wtf? by Pojut · · Score: 3, Insightful

    Seriously. Come on IBM. You're one of the biggest names in the industry, you hold thousands of patents...and you can't ensure you give devices that have already been secured to conference goers? ::obligatory::

    We can go to the moon...

    --
    Living With a Nerd
    1. Re:wtf? by Anonymous Coward · · Score: 0

      Odds are that the USB drives have been sitting in a box for a year or so in the back corner of someone's Research Triangle Park office.

    2. Re:wtf? by LOLLinux · · Score: 0, Troll

      Or kdawson has been using them as buttplugs.

    3. Re:wtf? by Lunix+Nutcase · · Score: 1

      And they don't scan them for viruses and malware before handing them out?

    4. Re:wtf? by Anonymous Coward · · Score: 0

      We can go to the moon...

      AFAIK, currently we can not ...

    5. Re:wtf? by Pojut · · Score: 1

      Thanks for that. Nothing like a healthy dose of depression on Friday :/

      --
      Living With a Nerd
    6. Re:wtf? by jamesh · · Score: 2, Insightful

      Seriously. Come on IBM. You're one of the biggest names in the industry, you hold thousands of patents...and you can't ensure you give devices that have already been secured to conference goers?

      My first assumption (without RTFA) is that they would have outsourced it.

    7. Re:wtf? by JamesP · · Score: 4, Informative

      No, I'd say:

      It's a security conference, if you can't handle a USB drive with a (Windows program) virus you shouldn't be there.

      --
      how long until /. fixes commenting on Chrome?
    8. Re:wtf? by Yvanhoe · · Score: 1

      MArketing and PR are probably the only department handled by computers running under Windows. Which is obviously a bad move...

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    9. Re:wtf? by alfredos · · Score: 0, Insightful

      While I won't justify IBM's goof, it's fair to say that slips like this happen. What can you do about it? Set up a procedure so that everything going out the door has to pass certain checks? I dare say that the solution would be much worse than the problem.

      Besides, it makes for a nice Slashdot discussion with jokes and all.

    10. Re:wtf? by Opportunist · · Score: 1

      A shuddering thought just hit me. This was a security conference, and of course a USB key containing malware is easily and immediately spotted, dissected, squished and laughed off.

      Not let's imagine this was a markedroid conference... And, extrapolated, what happens at such cons where markedroids and other suits congregate without a clued person within a hundred miles?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:wtf? by dnahelicase · · Score: 2, Interesting

      was it an accident? A good friend of mine works for a defense contractor and they used to do this as part of a security audit. Every once in a while they would just drop USB keys in the parking lot and then notify everyone that had a computer that got infected by it after a few days.

      My biggest concern would be IT security guys that will stick a generic USB drive in their computer without scanning it first. Shame on anyone that goes to a security conference and trusts the graft to be virus-free.

    12. Re:wtf? by Anonymous Coward · · Score: 0

      Seriously. Come on IBM. You're one of the biggest names in the industry, you hold thousands of patents...and you can't ensure you give devices that have already been secured to conference goers? ::obligatory::

      We can go to the moon...

      Yeah, but at least they took quick steps to correct the problem and admit the mistake.

    13. Re:wtf? by Anonymous Coward · · Score: 1, Insightful

      How would you scan a USB drive without first sticking it into a computer?

    14. Re:wtf? by tlhIngan · · Score: 2, Interesting

      My biggest concern would be IT security guys that will stick a generic USB drive in their computer without scanning it first. Shame on anyone that goes to a security conference and trusts the graft to be virus-free.

      Which makes it kinda ironic, isn't it? A security conference with virus laden USB keys given out, and a good proportion of participants get infected. If even the security guys (whose job is to prevent such things) can't secure their machines, what hope does Joe Average have?

      I suppose the bigger question is - how come this wasn't reported... earlier? Surely someone at that conference must've seen it and disinfected, and saw others and posted something about it before IBM?

    15. Re:wtf? by Anonymous Coward · · Score: 0

      There is no such thing as bad publicity.

    16. Re:wtf? by Farmer+Tim · · Score: 1

      So it's really just a way of keeping the attendees entertained? See, IBM really does care...

      --
      Blank until /. makes another boneheaded UI decision.
    17. Re:wtf? by jdgeorge · · Score: 1

      You scan the USB drive by sticking it into a non-Windows computer, or one that doesn't by default execute software installed on the medium.

      Yes, you deserve a funny mod instead of an obvious response.

    18. Re:wtf? by Anonymous Coward · · Score: 0

      Perhaps if IBM would allow it's employees to run something more secure than Symantec (which we all know is crap) then perhaps, just maybe, we wouldn't be reading about an incident that ultimately means that an IBM employee has been infected on their production machine. Just maybe.

      Nod32 for tha win. ~_^

    19. Re:wtf? by Runaway1956 · · Score: 1

      Heh - GP asked the question that was on my mind, and you gave the obvious answer. Now - it's time we came up with a "Secure USB scanner". Yes, yes, yes, of course it's a gimmick. And, of course, it's gonna be a ripoff. All we have to do is, get a USB cord, terminate it inside a stupid little box with a light that flashes as data transfers, then plug our USB into the box. It will make dummies feel good that they have "securely" scanned their USB before plugging it into a computer.

      I smell money - dishonest huckster money, to be sure, but money all the same!!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    20. Re:wtf? by Anonymous Coward · · Score: 0

      Thanks for that. Nothing like a healthy dose of depression on Friday :/

      Try going outside tonight to find a female, even though they may be even further out of your league. There are no Amazon Women on the Moon.

    21. Re:wtf? by Gilmoure · · Score: 1

      Ricky the intern was just given a box with 500 thumb drives and told to format them.

      --
      I drank what? -- Socrates
    22. Re:wtf? by aldld · · Score: 1

      Or maybe it just means that you need to be there.

    23. Re:wtf? by Anonymous Coward · · Score: 0

      With budget cuts there are no interns, Outsourced to (place your favorite location here)

    24. Re:wtf? by PassiveAggressive · · Score: 1

      Or at least get some new malware and not that old 2008 crap. Sheesh...

      --
      Is passive resistance passive aggressive ?
  4. All Anti-virus ? by JavaBear · · Score: 3, Insightful

    If all Anti-virus products have detected this one since 2008 it obviously begs the question, why didn't IBM's?

    1. Re:All Anti-virus ? by Lunix+Nutcase · · Score: 3, Informative

      The "all" was added by the summary writer. In the article the IBM spokesman said "most" anti-virus software.

      Wightwick said the malware, which dated to 2008, was detected by most anti-virus products.

      "The malware is known by a number of names and is contained in the setup.exe and autorun.ini files.

    2. Re:All Anti-virus ? by JavaBear · · Score: 1

      It would still be nice to know which ones don't :)

    3. Re:All Anti-virus ? by Opportunist · · Score: 1

      The one that boasts "IBM uses our solution" on their homepage. Just look around, I'm sure they wouldn't let that juicy piece of PR opportunity slip.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:All Anti-virus ? by xelan · · Score: 1

      As I think back about a decade ago.... I seem to recall IBM offering an anti-virus app. Didn't it get absorbed by Symantec?

    5. Re:All Anti-virus ? by Demonantis · · Score: 1

      If you want to talk serious semantics anything made before 2008 wouldn't detect it. So I would say most anti virus would not(unless the market has exploded since 2008), but the all isn't because the requirement is that they are made after 2008. Bennyboy64 just made corrected the spokes persons mistake.

    6. Re:All Anti-virus ? by Anonymous Coward · · Score: 0

      It prompts the question.

      It PROMPTS the fucking question!

      (I know this reads like flaming, but you lose a lot of intellectual cred by fucking that one up.)

    7. Re:All Anti-virus ? by Anonymous Coward · · Score: 0

      The USB drive was most likely done by India or Argentina. Internal IBM reports show malware infection rates of 50% to 75% for most non-US IBM work locations.

    8. Re:All Anti-virus ? by ViViDboarder · · Score: 1

      Because IBM doesn't manufacture the drives and they probably didn't plug each one in to test it...

    9. Re:All Anti-virus ? by saskboy · · Score: 1

      So the question is, which one was IBM using on the computer(s) loading information onto the USB drives?

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
  5. IBM CEO by dandart · · Score: 3, Funny

    Mwuhahahahaa... destroy them all! That'll show 'em! They should've chosen OUR DOS, and we shouldn't have given them OUR PCs...

  6. Good thing a corporation did it by British · · Score: 4, Interesting

    If some individual did it, they would be in jail for a very long time. Thankfully, a 'corporation' did it, which can blame any # of people internally. Thus, no jail time for IBM. It will probably be handled in a private manner(ie nothing).

    1. Re:Good thing a corporation did it by Anonymous Coward · · Score: 1, Funny

      But but but ... the Free Market (TM) ... it will fix itself!

    2. Re:Good thing a corporation did it by bendodge · · Score: 1

      That's stupid. I've never heard of individuals getting in trouble for accidentally distributing viruses. Also, your post is worded in a very sarcastic manner to suggest that all corporations are bad, the capitalists are evil, banking is a sin, etc. Unfortunately, you did not cite anything (except your own strawman) to back up anything, it was all postulation.

      As a side note, IANAL, so please do not reply by saying that I do not cite a lack of a law against accidentally giving out dirty flash drives. That's almost as hard as proving a universal negative.

      --
      The government can't save you.
    3. Re:Good thing a corporation did it by Anonymous Coward · · Score: 0

      Capitalists would gnaw into the pus filled nutsack of a dead diseased dog, if there were any money in it.

    4. Re:Good thing a corporation did it by Transaction7 · · Score: 1

      Amen. I'm a retired lawyer who came late to the computer revolution in the eighties and none of my computerliterate friends will teach me to hack into things, write viruses and torgans, etc. and the textbook at the local university is wirtten in type too small for me to read and copy the code, but I have watched as the law got more and more to the point that, to even get exemplary damages against a corportion orLLC, etc., , now prctically always limited to three times your "economic" damages not including many very real elements of injury, loss and damage, you pretty well have to prove that the Board of Directors voted to do it at a duly called board meeting and included this in the minutes, which, of course, never happens, and getting a criminal convictin agianst a corportion is tougher yet and the fines are rounding errors in the financial statements of big corproations like IBM. You never do find out which individuals within these large entities, corporte or government, actually decided to do and did things, so as to even begin to prosecute them, even when it is part of something that cashes not just Wall Street but the real economy and hurts a lot of people. Nobody is really likely to invest the money and manpoer to track this malware exploit to its source and take real action agianst the people and corporation culpable. Another reuslt is that anything that calls itself a business corproation can rip off a million people for several hundred dollars apiece secure in the knowledge that nobody victimized can afford to get thelegla sysetem to call them to account much less put a real dent in their wallet so as to discourage future such behavior. As for our two political parties doing anything about this, both are in bed with the private-sector crooks for money and my nationally known law school dean liked to quote Will Rogers: "Whenever Congress tells a joke, it's a law, and whenever they pass a law, it's a joke." What I can't figure out about these people who write and sprad a lto of malware that doesn't capture data, etc., is what motivates and who pays them to do it?

  7. It's takes 12-24 months for IBM IT to ok updates by Joe+The+Dragon · · Score: 4, Funny

    It's takes 12-24 months for IBM IT to ok updates

  8. IBM needs a new supplier... by sir+lox+elroy · · Score: 1

    Evidently IBM bought up the unused Telestra Flash drives. Or, they have really bad luck.

    --
    Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
  9. Opportunity to be had by istartedi · · Score: 3, Insightful

    So many USB sticks come with pre-loaded crapware/malware. In the office we would stick them in Linux machines and format them from there. If you stuck it in a Windows machine without formatting it, you spent the rest of the day auditing your machine and puzzling over what might be left on it.

    The OPPORTUNITY is for a company to brand itself based on NOT HAVING CRAP on their sticks. I'm thinking Pure USB would be a nice name for such a product. I know I'd chose that over anything else if they were comparably priced. Don't get greedy and charge a premium for that. Just outsell the competition. I can't believe the kickbacks from crapware authors are that valuable.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:Opportunity to be had by DrBoumBoum · · Score: 3, Informative

      Why not simply disable autorun?

    2. Re:Opportunity to be had by couchslug · · Score: 1

      Why give nasties ANY chance to spread?

      When I get new or unknown drives I nuke 'em all out of habit. View on safe machine, nuke and pave, done.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    3. Re:Opportunity to be had by Anonymous Coward · · Score: 0

      Is it really that hard to find USB sticks that don't come preloaded with anything? Granted I typically buy the generic ones from microcenter as they're fairly cheap, but I've bought a couple of brand name ones and they've always arrived blank. I'm just not convinced your market isn't already saturated.

    4. Re:Opportunity to be had by istartedi · · Score: 1

      Somebody or some thing (including Windows update) is bound to re-set your settings at some point, and re-enable autorun. Yes, locking your door is a good thing. Moving to a nicer neighborhood *and* locking your door is even better.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    5. Re:Opportunity to be had by TerranFury · · Score: 1

      I'm not positive about this, but I think the risk may be larger than just autorun. Isn't there also the "installing drivers" bit that Windows does for some hardware? I get the impression that USB devices are to some extent able to contain their own drivers that Windows will install. IIRC, users are asked for confirmation by a tooltip-bubble from the system tray, but this may not be under all versions of Windows (yes under Vista, no under XP?). I do not know how this is implemented; I'm hoping that someone who has looked more closely at this will respond...

    6. Re:Opportunity to be had by Anonymous Coward · · Score: 1, Informative

      No, I've disabled autorun on Windows machines since 2000, and it's never been reenabled on any of them.

    7. Re:Opportunity to be had by Nizumzen · · Score: 1

      Haha, your signature made me laugh. The phrase is "for all intents and purposes".

    8. Re:Opportunity to be had by ZERO1ZERO · · Score: 1

      Whooooosh!

    9. Re:Opportunity to be had by randyleepublic · · Score: 0

      Microsoft finally admitted that autorun is a vulnerability. Does that mean it is gone from XP SP3? Nope. They want XP to look bad now, so that vista/7 don't look like the crap that they are.

      --
      Social Credit would solve everything...
  10. Re:It's takes 12-24 months for IBM IT to ok update by EvilIdler · · Score: 3, Insightful

    The parent post is modded funny, but I'm sure Joe's breaking an NDA! :P

  11. Get used to IBM sucking by Anonymous Coward · · Score: 0
    Expect more and more screw ups from IBM and far less innovation. Sam Palmisano has turned out to be one of the most short sighted CEO's in history. Even in the horrible economy we have had for the last several years he hasn't modified his $10 EPS goal. Now how he can not modify this goal? It isn't because IBM is doing really well while every other company is doing poorly. No Sam has moved every possible service offshore and mostly hired new college grads.

    It is really quite amazing how countries like India get cost savings over the US. One thing India is notorious for doing is not obtaining conference numbers to hold meetings, instead they ask their US counterparts to either schedule the calls or just to use the US number. So the charge goes to the US and not to the team really using it. Now what is going to happen when the US based supports drops below a critical level and India is required to fully account for their expenses? Well it is obvious that their costs are going to shoot up.

    Another thing is the huge amount of pay cuts that contractors have taken and most only work 32 hours now.

    I could go on and on at how intelligent and experienced people are being forced out, but it should be obvious to anyone.

    1. Re:Get used to IBM sucking by yuhong · · Score: 1

      What is even worse about it is that quarterly EPS game is fundamentally flawed: http://blogs.hbr.org/hbr/restoring-american-competitiveness/2009/10/can-we-break-the-tyranny-of-qu.html

  12. go go CISSP's by Anonymous Coward · · Score: 0

    Dont they have those commercials saying they have like 15 million cissp security professionals at the front line of the cyberwar? :: rolls eyes ::

  13. Strike up the band! by Chris+Tucker · · Score: 1

    "Botnets, worldwide botnets,
    what kind of boxes are on botnets.'

    "Compaq, HP, Dell and Sony? True!
    Gateway, Packard Bell, maybe even ASUS, too!"

    "Are boxes, found on botnets!
    All running Windows, FOO!"

    --
    Guaranteed! This comment 100% Anthrax free!
  14. Username fail by Anonymous Coward · · Score: 0

    Um...I wonder if the poster knows what a bennyboy was when he created his username bennyboy64.

  15. so by SnarfQuest · · Score: 1

    So, is there a better place to distribute malware than a security confrence?

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  16. That isn't the only thing... by Dogbertius · · Score: 1

    That's "wide" about the 2012 Olympics...
    http://boingboing.net/2007/06/04/london-2012-olympic-.html

  17. It could be worse... by Rui+Lopes · · Score: 1

    ... if they had distributed Melware.

    --
    var sig = function() { sig(); }
  18. Blame Microsoft for their poorly-designed AUTORUN by CuteSteveJobs · · Score: 1

    Who is really to blame in this is Microsoft. Some fool of a Microsoftie decided that, by default, whenever media (CDs, USBs) was inserted into a removable drive it should run AUTORUN on that drive. It can be disabled with TweakUI (link below) but you need to be a geek to think to do it and must do it on all your machines (and possibly all accounts on your machines) and if you forget, like I did, once, whamo! You're infected. A virus scanner can help, but they won't catch the latest viruses/horses (which is exactly why cybercrooks keep writing new ones) if you set them to scan all removable drives and you plug in your 1Gb USB HDD you will be in for a long wait. Like the massive security hole that ActiveX became, Microsoft has no foresight. http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

  19. Old virus - new release. by ananthap · · Score: 1

    It seems that IBM is not maintaining malware defintions upto date on the server from which the infected (old) malware was distributed. It is not clear from the writeup "http://www.itnews.com.au/News/175451,ibm-unleashes-virus-on-auscert-delegates.aspx" whether IBM finally reminds the users to re-enable the system restore feature. OK