HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."

In case anyone wonders

The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives

Re:In case anyone wonders

But why would I want a flash drive built into it also

Because it makes the thing useful when you're not installing windows.

Re:In case anyone wonders

OK, I missed something. I don't know if anyone else did because it the summary wasn't clear to me.

This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying it's self like a floppy drive so that Windows will find it when looking for a floppy drive.

That's actually a very smart idea.

With that detail this this is not a real floppy drive of any kind, this all makes more sense. Question withdrawn.

Re:In case anyone wonders

Does anyone here have a problem with the fact that HP is clearly not checking the contents of their drives before they leave the factory? Because I think that's pretty important.

Someone's going to reply "blah blah chain of supply blah blah limited liability" but (back in my day) a manufacturer was liable for tainted/poisoned product that originated at the manufacturer. Everyone should be able to demonstrate that a product works before selling it.

Re:In case anyone wonders

What you were probably seeing was an emulation layer provided by your motherboard. HP has that even in it's lower end servers now, except that they use it to provide virtual floppies over the network, through their ILO interface. Also handy for doing remote shutdowns and startups. The idea must not have caught on, that's why they're selling these.

Re:In case anyone wonders

When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine!

Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

Re:In case anyone wonders

When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine! Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

You can slipstream your storage drivers into your Windows installation media with nLite (www.nliteos.com). Just add them as textmode drivers and the setup will pick up your storage controllers without any fuss. Vista, otoh, allows you to supply drivers via USB drives too.

Security improvements

Although still in a woeful overall state, Vista has one critical security difference from XP that helps here. By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No and then format the sucker. This default is something Microsoft should seriously back-port to XP.

Re:

Totally agree, good thoughts. I still don't like their response that it is "obviously a targeted attack", how the hell does an attack start at the FACTORY?

Re:Security improvements

There's an option in Group Policy to disable autorun on all drives.

Start --> Run --> gpedit.msc
Computer Configuration --> System --> Turn of Autoplay
Enable on all drives

You're right, this should be default, but at least there's a fix.

Re:

Thanks. This is precisely the info I was seeking. Would have modded parent +1 informative if I had mod points.

Re:Security improvements

Computer Configuration --> Administrative Templates --> System --> Turn of Autoplay

Re:Security improvements

Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

Who in their right mind would have XP Home edition installed on an HP ProLiant Server?

Strange (as insider activity?)

The speculation that it was deliberate activity does strike me a little strange:

If you are going to get your malcode onto this, why do something old and crufty when you could do something new.

IIRC, this is used for BIOS updating as well as windows driver schlepping. So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

Software on these drives? Use Linux to format.

I do not understand it. Do these USB drives are meant to come with software? I believe they are just formated. If such is the case, then they should use some non Windows machines such as Linux to format them with Windows filesystems. I fail to grasp how on a factory floor where drives only need to be formated, worms have an actual chance to jump on the drives. This can only happen if they are using web connected and unsecured Windows machines to format them.

So where's the recall?

Here's the HP HP security notice. [hp.com] This was discovered in January/February, according to HP, but not announced by them until April.

Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

Here are the part numbers:

• Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
• Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

They're still for sale on Amazon [amazon.com], for example.

In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

Because...

HP's recall supply chain will dump the recalled product to shady asset recovery firms and it will just end up on Ebay and not destroyed.

(Where do you think recalled Dell batteries went?)

Anonymous for a reason.

Corporate Response Missing

Neither articles indicate that HP is planning on making changes at the factory floor level to prevent further infection. If their only response is to scan and clean it myself, then I might be motivated as a consumer to purchase my flash drives with a big "Gauranteed Fully Formatted" on the box. Plus, this seems REALLY sloppy to me. If HP is allowing this type of software to slip into flash drives, what other types of defects, errors, and all around laziness is going on with other products?

Advisory's recommendion is braindead

From the advisory:

If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.

Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.

This is an ugly situation

But it is not without precedent. I have heard of device driver floppies and CDs shipping with viruses and the like in the past... as long ago as 10 or more years in fact. The sad thing isn't that it happens. The sad thing is how telling it is of their product QA standards.

They should have clean and isolated systems in place for development and manufacture that isn't connected to the public internet in any way. Furthermore, anything that reaches the public should first be inspected through tight QA standards. The public expects that of high profile manufacturers... worse, the public presumes high QA standards.

This takes me back to a point I was attempting to make in another discussion about the differences that often exist between public expectations and what a company actually delivers. Often times the public never notices the difference, but some times, those differences slap people in the face rather rudely at inopportune times.

I'm not sure when it started to become more common practice to move away from fulfilling public consumer expectations occurred. But the public consumer isn't aware that this shift has occurred yet. But evidence of the quiet shift has been placed in every EULA as far back as anyone can remember that contains disclaimers that their product is suitable for any purpose at all. The laws of some countries and states of the U.S. do not permit the enforcement of some of these disclaimers, but it never stops them from trying to put it past the consumer just the same. But the ugly reality is that 'legal standards' trump quality standards every day that appears on the calendar.

Who made them? What country? What are HP QCs?

What is notably left out is: Who made them and in what country? What are normal HP quality controls? What is HP planning on changing to prevent this in the future?

Coincidence?

I see a story about Hannaford Bros (supermarket chain in the Northeast U.S.) servers being pwned, sending credit card numbers all over. And they passed PCI, seeming to be secure enough for the card industry. Darn, pwnage is so sucky, especially when your SERVERS are compromised.

Now I see this story about HP accidentally selling branded keys with worms pre-installed. Darn, selling malware is so sucky, especially when you sell it to your favorite customers, for example server customers.

Any chance not just Hannaford, but other HP customers are nailed by this?

The takeaway from this episode, for those of you who aren't quite getting this:

- When you buy a USB key, be sure your machine(s) have functional antivirus and antispyware running,and it's updated.

- Look around for instructions on keeping stuff like USB keys from autorunning. Make it so.

- Format that rascal USB key immediately. Immediately. IMMEDIATELY.

- Don't buy USB keys cause they have cool software preloaded. Pointless to CHOOSE to risk infection. make the manufacturers pay for this by avoiding/refusing this crap. Just sell me a simple key, ok? Sheesh...

And trust no one and no thing.

Amazing, is all I can say. And yes, I wonder if these were manufactured and loaded in China. Bet they are.

We are in so much trouble. Mark my words, soon, 'Made in China' will really mean 'Pwned by China'. If ti doesn't already.

HP software is malware *anyway*

Anyone who has ever installed an HP scanner or All-in-one knows that the consumerware/bloatware that HP deliberately installs is truly awful. The print monitor behaves strangely, faceless apps hang and get respawned without the existing processes being killed, all kinds of crap is installed that is difficult to remove, and et cetera. If you don't seek out and install the thin "enterprise driver," and find alternative helper apps, you wind up with all this junk.

So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*

While we're talking naïvety

From the summary:

"I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois

I think it's also pretty naïve to assume that it is a targeted attack, as such an assumption shifts the blame enormously. While a targeted attack is arguably more dangerous and more worrisome for a certain group of people, such an attack could happen at any number of stages of fabrication, so the fabrication process itself isn't to blame. Reversely, if a random infection makes it to a device sold as a server accessory, that puts both fabrication and quality assurance at fault, the former allowing the infection, the latter for not detecting it. If that's what happens to enterprise products, one has to wonder how much crud gets through in consumer stuff.

Re:Dear Smart People,

No-one's suggesting that this was a deliberate policy decision by HP; the suggestion is that it was a disgruntled worker or somesuch that did it deliberately for some unknown ends.