HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."

In case anyone wonders

[initialE (758110)]

The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives

Re:

[MBCook (132727)]

That makes sense. But why would I want a flash drive built into it also?

If I want a flash drive, I want it to be smaller than a floppy drive.

If I want a floppy drive, then I'm using floppies and don't need the flash storage.

Re:In case anyone wonders

[Qzukk (229616)]

But why would I want a flash drive built into it also

Because it makes the thing useful when you're not installing windows.

Re:

[Rob the Bold (788862)]

That makes sense. But why would I want a flash drive built into it also?

One less thing to lose. Twice the utility. Half as many things to plug in. I don't think you care too much that a flash drive designed for servers is too large to easily stuff in a pocket, it's just gonna be sitting in a drawer in the server room, right? Besides, I've got a toaster/oven. HP sells scanner/fax/printer/copiers, why not a floppy/flash? Nash Amphicar?

Re:In case anyone wonders

[MBCook (132727)]

OK, I missed something. I don't know if anyone else did because it the summary wasn't clear to me.

This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying it's self like a floppy drive so that Windows will find it when looking for a floppy drive.

That's actually a very smart idea.

With that detail this this is not a real floppy drive of any kind, this all makes more sense. Question withdrawn.

Re:In case anyone wonders

[utopianfiat (774016)]

Does anyone here have a problem with the fact that HP is clearly not checking the contents of their drives before they leave the factory? Because I think that's pretty important.

Someone's going to reply "blah blah chain of supply blah blah limited liability" but (back in my day) a manufacturer was liable for tainted/poisoned product that originated at the manufacturer. Everyone should be able to demonstrate that a product works before selling it.

Re:

[rickb928 (945187)]

I've had success in the past using HP's USB tools to create floppy-formatted USB keys and install drivers with that. It's worked on several ProLiant servers... Well before this particular gaffe, and not HP-branded keys. The servers passed all their security checks 2 years ago.

You can do it without the HP keys, just use their software to prep the stick.

Re:

[Actually, I do RTFA (1058596)]

I thought you could use any USB drive to install mass storage drivers. It's been a while since I installed XP, but I remember that the installer saw my USB key.

Re:In case anyone wonders

[initialE (758110)]

What you were probably seeing was an emulation layer provided by your motherboard. HP has that even in it's lower end servers now, except that they use it to provide virtual floppies over the network, through their ILO interface. Also handy for doing remote shutdowns and startups. The idea must not have caught on, that's why they're selling these.

Re:In case anyone wonders

[Cheesey (70139)]

When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine!

Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

Re:In case anyone wonders

[cyanid3 (998026)]

When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine! Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

You can slipstream your storage drivers into your Windows installation media with nLite (www.nliteos.com). Just add them as textmode drivers and the setup will pick up your storage controllers without any fuss. Vista, otoh, allows you to supply drivers via USB drives too.

Re:

[Amouth (879122)]

to be honest if you are installing windows on servers in a data center.. you build the required rivers into the install image.. sure it takes a bit of work to set up .. but it makes life far far far easier in the long run..

if it is 1 machine to install then sure put a floppy in .. if it is 10+ build your own install image

Only on WinPE 1.x

[SEMW (967629)]

The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives

IIRC, Only on Windows installers that use WinPE 1.x. That includes 2003 Server, but not 2008 Server (which uses WinPE 2.1). So hopefully now floppies should actually become a thing of the past.

Not, of course, that that in any way absolves MS -- it's still shocking that floppies were sometimes needed for a server OS released a mere half decade ago! Although at least you could always install remotely over a network using RIS [wikipedia.org] or WDS and avoid the issue entirely, which is I suppose what most enterprises

Re:

[dave420 (699308)]

Most shops use slipstreamed Windows CDs with all necessary drivers pre-installed, not floppy disks.

Security improvements

[headkase (533448)]

Although still in a woeful overall state, Vista has one critical security difference from XP that helps here. By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No and then format the sucker. This default is something Microsoft should seriously back-port to XP.

Re:

[Raineer (1002750)]

Totally agree, good thoughts. I still don't like their response that it is "obviously a targeted attack", how the hell does an attack start at the FACTORY?

Where's the factory?

[absurdist (758409)]

China?

Perhaps it's a test run.

Re:

[Dr. Cody (554864)]

I've purchased/received three MP3/video players during trips to China, and both of them had viruses on them. China is the next big market for botnets, I suppose.

Re:Security improvements

[Lxy (80823)]

There's an option in Group Policy to disable autorun on all drives.

Start --> Run --> gpedit.msc
Computer Configuration --> System --> Turn of Autoplay
Enable on all drives

You're right, this should be default, but at least there's a fix.

Re:

[140Mandak262Jamuna (970587)]

Thanks. This is precisely the info I was seeking. Would have modded parent +1 informative if I had mod points.

Re:

[creepynut (933825)]

Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

In addition, it's nice to have the autorun. Having a dialog asking permission is a nice balance I find.

Re:Security improvements

[SEMW (967629)]

Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

Who in their right mind would have XP Home edition installed on an HP ProLiant Server?

Re:

[Nimey (114278)]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


We're deploying that here to stop Autorun viruses that can start via just opening the drive (or right-clicking on Explore, etc.). Nasty things enabled by a Windows design flaw reminiscent of Outlook Express 4 opening attachments automatically.

Re:Security improvements

[Actually, I do RTFA (1058596)]

Computer Configuration --> Administrative Templates --> System --> Turn of Autoplay

Re:

[TheGratefulNet (143330)]

with xp-pro its easy to find the group policy GUI tool and click on autoplay and autorun and DISABLE THAT CRAP.

I agree it should come disabled! but then, bill was trying to play catchup with the mac. remember, the mac had been polling floppies so that the user could just insert the floppy and not have to click an 'open' box (oh, so much work for poor mac users!).

that must be the reason why MS thought 'auto media detect' was a good idea.

but its the dumbest idea from a security POV. just another illustrati

Re:

[nicklott (533496)]

Great, but who puts either Vista or XP on a proliant server?

Strange (as insider activity?)

[nweaver (113078)]

The speculation that it was deliberate activity does strike me a little strange:

If you are going to get your malcode onto this, why do something old and crufty when you could do something new.

IIRC, this is used for BIOS updating as well as windows driver schlepping. So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

Re:

[Thelasko (1196535)]

So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

How do you know they haven't?

Software on these drives? Use Linux to format.

[deragon (112986)]

I do not understand it. Do these USB drives are meant to come with software? I believe they are just formated. If such is the case, then they should use some non Windows machines such as Linux to format them with Windows filesystems. I fail to grasp how on a factory floor where drives only need to be formated, worms have an actual chance to jump on the drives. This can only happen if they are using web connected and unsecured Windows machines to format them.

Re:

[anss123 (985305)]

The malware has not necessary infected the factory. The flash disks probably comes with some software tools, and it might be these tools which got infected.

Could also have been a disgruntled worker.

So where's the recall?

[Animats (122034)]

Here's the HP HP security notice. [hp.com] This was discovered in January/February, according to HP, but not announced by them until April.

Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

Here are the part numbers:

• Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
• Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

They're still for sale on Amazon [amazon.com], for example.

In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

Because...

[by Anonymous Coward]

HP's recall supply chain will dump the recalled product to shady asset recovery firms and it will just end up on Ebay and not destroyed.

(Where do you think recalled Dell batteries went?)

Anonymous for a reason.

Dear Smart People,

[publicopinion5 (1262126)]

I'm one of those people who doesn't really belong on slashdot due to my outrageously inadequate computer skills. I just appreciate the actually intelligent discussion devoid of complete morons that I couldn't find anywhere else. But question for the people who do belong here: how is deliberately infecting your own products even close to a good idea? I can't imagine this is going to get half the press it deserves, but if this somehow got out past computernerdland (no offense meant), wouldn't that turn millio

Re:

[Silver Sloth (770927)]

intelligent discussion devoid of complete morons

Sorry, this is /. you're talking about, isn't it. Ah, you must be from Bizarro world.

Re:Dear Smart People,

[SEMW (967629)]

No-one's suggesting that this was a deliberate policy decision by HP; the suggestion is that it was a disgruntled worker or somesuch that did it deliberately for some unknown ends.

Corporate Response Missing

[CambodiaSam (1153015)]

Neither articles indicate that HP is planning on making changes at the factory floor level to prevent further infection. If their only response is to scan and clean it myself, then I might be motivated as a consumer to purchase my flash drives with a big "Gauranteed Fully Formatted" on the box. Plus, this seems REALLY sloppy to me. If HP is allowing this type of software to slip into flash drives, what other types of defects, errors, and all around laziness is going on with other products?

Let me guess

[Malevolent Tester (1201209)]

Made in China?

Proliant diag. CDs don't recognize other drives...

[ramirez (51663)]

An intersesting things about this is that HP ships diagnostics CDs with their Proliants (PSP "Proliant Support Pack"). The offline hardware diagnostics CD can provide a lot of data, which needs to be provided to HP to get support (sometimes). The diagnostics software has the option to write the data to a USB device. I've tried 3 different types of USB drives and none of them were recognized by the software... I was told by HP support that the USB floppy drive that they provide would work.

Fortunately, we

Advisory's recommendion is braindead

[vic-traill (1038742)]

From the advisory:

If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.

Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.

Doesn't suprise me

[Bryansix (761547)]

This doesn't surprise me. HP is also partnered with a company called Presto that says in a radio ad that computers are "Expensive (and) hard to use".

This is an ugly situation

[erroneus (253617)]

But it is not without precedent. I have heard of device driver floppies and CDs shipping with viruses and the like in the past... as long ago as 10 or more years in fact. The sad thing isn't that it happens. The sad thing is how telling it is of their product QA standards.

They should have clean and isolated systems in place for development and manufacture that isn't connected to the public internet in any way. Furthermore, anything that reaches the public should first be inspected through tight QA standards. The public expects that of high profile manufacturers... worse, the public presumes high QA standards.

This takes me back to a point I was attempting to make in another discussion about the differences that often exist between public expectations and what a company actually delivers. Often times the public never notices the difference, but some times, those differences slap people in the face rather rudely at inopportune times.

I'm not sure when it started to become more common practice to move away from fulfilling public consumer expectations occurred. But the public consumer isn't aware that this shift has occurred yet. But evidence of the quiet shift has been placed in every EULA as far back as anyone can remember that contains disclaimers that their product is suitable for any purpose at all. The laws of some countries and states of the U.S. do not permit the enforcement of some of these disclaimers, but it never stops them from trying to put it past the consumer just the same. But the ugly reality is that 'legal standards' trump quality standards every day that appears on the calendar.

How does it happen?

[KingPrad (518495)]

How did they not catch this? Surely every 1000 of these, they pull one off the line and plug it into a computer to check that it actually works, right? Or every 10,000? Don't manufacturers do any kind of continuous QA of the actual product?

Wouldn't an alert from a virus scanner make someone think "that's not right..."?

So basically they didn't bother sparing 5 minutes once a day or week to check one of these things? Nice.

Who made them? What country? What are HP QCs?

[dickmc (979955)]

What is notably left out is: Who made them and in what country? What are normal HP quality controls? What is HP planning on changing to prevent this in the future?

china...

[hesaigo999ca (786966)]

Its simple , the infection happened when they outsourced to China to build the flash drives, and do not have a quality control set in the middle as it arrives into our country without delivering directly to store warehouses...problem and i speak from experience with the textiles importing industry based out of china, is that when you have no quality control in place to review this stuff, such as a drive verificator that you would plug all drives into before sending out, and letting that be in the hands of the Chinese, who are at the root of the cyber attack problem against the states right now, is that they could be putting anything on those drives and we don't check...

Coincidence?

[rickb928 (945187)]

I see a story about Hannaford Bros (supermarket chain in the Northeast U.S.) servers being pwned, sending credit card numbers all over. And they passed PCI, seeming to be secure enough for the card industry. Darn, pwnage is so sucky, especially when your SERVERS are compromised.

Now I see this story about HP accidentally selling branded keys with worms pre-installed. Darn, selling malware is so sucky, especially when you sell it to your favorite customers, for example server customers.

Any chance not just Hannaford, but other HP customers are nailed by this?

The takeaway from this episode, for those of you who aren't quite getting this:

- When you buy a USB key, be sure your machine(s) have functional antivirus and antispyware running,and it's updated.

- Look around for instructions on keeping stuff like USB keys from autorunning. Make it so.

- Format that rascal USB key immediately. Immediately. IMMEDIATELY.

- Don't buy USB keys cause they have cool software preloaded. Pointless to CHOOSE to risk infection. make the manufacturers pay for this by avoiding/refusing this crap. Just sell me a simple key, ok? Sheesh...

And trust no one and no thing.

Amazing, is all I can say. And yes, I wonder if these were manufactured and loaded in China. Bet they are.

We are in so much trouble. Mark my words, soon, 'Made in China' will really mean 'Pwned by China'. If ti doesn't already.

Re:

[rickb928 (945187)]

Easy for you to spew.

Surprisingly, much of the software Hannaford settled on using is jut plain Windows. They did use some Sun for certain things, but the store servers were almost all Windows.

I'm unaware of any settlement software available for *nix. There must be some, but I haven't look so hard for it. And Hannaford isn't unique in the industry for using Windows.

It wasn't long ago that Blockbuster used Alpha-based servers at the stores, running customized SCO SysV. nasty, but it worked really well.

It wasn't me...it was the one armed HP server!

[insanemime (985459)]

See Honey, it's HP's fault that porn was on our computer! All 3 terrabytes of it...nasty bugs. *whistles innocently*

HP software is malware *anyway*

[joe_n_bloe (244407)]

Anyone who has ever installed an HP scanner or All-in-one knows that the consumerware/bloatware that HP deliberately installs is truly awful. The print monitor behaves strangely, faceless apps hang and get respawned without the existing processes being killed, all kinds of crap is installed that is difficult to remove, and et cetera. If you don't seek out and install the thin "enterprise driver," and find alternative helper apps, you wind up with all this junk.

So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*

While we're talking naïvety

[xouumalperxe (815707)]

From the summary:

"I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois

I think it's also pretty naïve to assume that it is a targeted attack, as such an assumption shifts the blame enormously. While a targeted attack is arguably more dangerous and more worrisome for a certain group of people, such an attack could happen at any number of stages of fabrication, so the fabrication process itself isn't to blame. Reversely, if a random infection makes it to a device sold as a server accessory, that puts both fabrication and quality assurance at fault, the former allowing the infection, the latter for not detecting it. If that's what happens to enterprise products, one has to wonder how much crud gets through in consumer stuff.

I've seen this kind of thing before

[Whuffo (1043790)]

Products shipping with unplanned "additions" has been going on for years. I remember well when a software company I worked at had something like this come up - the install floppy in our shrink-wrapped packages had a boot sector virus on it.

After digging into what happened it was found that the duplication house where our disks were being duplicated had a QC station where each one was tested to verify a good recording. The operator of that station faced a brain-numbing job; insert disk, hit enter, remove disk, repeat. Of course, that job was filled by the production manager's son - who filled in his free minutes by playing a "free" copy of a game that he got from "someone" on the QC machine.

We had to recall all the packages and ship free disinfecting software to everyone who had bought one; fun times. The duplication house (grudgingly) paid the cost of cleaning up the mess, then we found a different duplication house to use in the future. This time we checked their procedures out a little more closely before signing up.

Something like this is probably what happened to HP. The factory where those drives were made had some worms / viruses loose on their network and when the new drives were plugged in for testing / formatting the malware automatically copied itself over. This would happen after the format / test was complete; the operator wouldn't even know it happened.

Sloppy security practices at the factory was most likely the "source" of the problem. They weren't evil, just stupid. But for HP to know about this and wait for 3 months before letting their customers know - that's criminal. At least it should be...