Zero-Day versus Tried-n-True Methods

IBM shipped malware-laden USB sticks to unsuspecting customers by Chris Bing.

From the post:

Malware-laden USB sticks were accidentally sent by IBM to a series of enterprise customers that had purchased storage systems developed by the computing giant, according to a company advisory published last week.

An unidentified number of these drives were mailed as an installation tool for users setting up IBM Storewize V3700 and V5000 Gen 1 storage systems. IBM says that all of the infected USBs carried the same serial number: 01AC585.

An IBM spokesperson did not respond to CyberScoop’s inquiry. It remains unclear how the malware originally found its way onto the drives.

One upside of this story is you now know what a USB for the IBM Storewize V3700 and V5000 Gen 1 storage systems looks like.

Not that you would go out and create fake USBs for IBM Storewize V3700 and V5000 Gen 1 storage systems. Heaven forbid!

Another upside is the story acts as a reminder that you can purchase or sweat over find a new zero-day, versus taking the simpler route of getting a victim to infect themselves.

Professional DVD duplication is cheap and widespread. Recipients are unlikely to question the receipt of a “prize” DVD.

Selecting best DVD for a recipient is the real question. Pleading “responsible disclosure,” I have to omit details on ways to make that selection.


The DVD route requires more preparation than phishing but unlike emails, due to sharing, malware DVDs are gifts that keep on giving.

Comments are closed.