Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin.
Dubbed “HP USB Floppy Drive Key,” the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP’s ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space.
A security analyst with the SANS Institute’s Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. “I think it’s naive to assume that these are not targeted attacks,” said John Bambenek, who is also a researcher at the University of Illinois.
Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered.
If a compromised drive is plugged into a USB port on any machine on the network, the worms may spread “to any mapped drives on the server,” HP’s alert said.
Up-to-date anti-virus software should detect the malware, but HP didn’t specify which of the many available programs would find and then delete the worms. Symantec Corp., for example, has signature definitions in its collection for both pieces of malicious code, which it identifies as “Fakerecy” and “SillyFDC.”
HP’s recommendations included scanning the devices for infection, but the company did not answer questions about the pre-infected drives.