Friday, May 21, 2010
21. IBM spreading malware, google celebrates pac-man in style
i'm sure some of you have had to attend some sort of conference for work or school before. generally these are pretty dry and full of boring booths and seminars. but your consolation is usually a bag full of free (mostly useless) stuff and booth giveaways - that's right, the delicious conference swag. granted, the swag you get isn't nearly as cool as it would be at, say, E3, but there's generally some fun knick knacks in there nonetheless. living in the digital age, a lot of companies give out USB flash drives as their trick-or-treat offerings. makes sense right? small, useful, and most of all, imprintable with your company's logo so they'll never forget who gave it to them.
turns out that last part is a double edged sword.
enter the ausCERT conference, held in australia's gold coast last week. IBM's giveaways were, as anyone who read the first paragraph can guess, USB flash drives. these weren't ordinary flash drives though - with these there was a slight twist - they came pre-infected with malware. here's the real kicker - the whole ausCERT production? it's a damn computer security expo. collected in the RACV royal pines resort for this conference was a veritable who's who from the realm of network security - representatives from many antivirus/antimalware companies, the guy who co-invented public key cryptography, up to and including the the chief security officer for cisco. IBM's message to ausCERT delegates:
"at the ausCERT conference this week, you may have collected a complimentary USB key from the IBM booth. unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."
ouch. the rest of the note went on to explain that any current antivirus/antimalware software would catch and quarantine it, but still, ouch. i wouldn't exactly consider W32/LibHack-A a value-add software to bundle with a piece of hardware. when i first saw this i thought it was a marketing ploy, maybe something like an IBM security solution demo on the drive. until i saw the rest of the note IBM sent out. after letting the delegates know that they may have infected them, they asked for anyone that had one to (1) not use them and (2) send them back to ibm.
now this isn't new - there have been other companies that have passed out infected memory sticks before, including IBM themselves in 2002. but still it has to be embarrassing to be a bigshot like them, at a conference that IT professionals go to to hear lectures on the latest and greatest security techniques. i just don't see how they didn't have some tighter QC, given the situation and their audience.