Security Alert
Jonathan Crowe
May 2017

Alert: Malware-Infected USB Drives Shipped to IBM Customers

Key Details

  • What happened: IBM has detected malware on an unspecified number of USB drives shipped with its Storwize storage systems
  • Which products are affected: IBM Storwize V3500, V3700, and V5000 Gen 1 systems
  • Type of malware: A variant of the Reconyc trojan
  • What to do: IBM is recommending customers delete temporary directories created when the installer on the drive is run, and that they destroy the USB drive to prevent further use
  • Barkly customers: You are protected from this threat with Barkly's runtime malware defense

IBM is recommending customers destroy USB flash drives shipped with specific Storwize storage systems after detecting malware installed on an unspecified number of them.


In a security alert posted on its support site, IBM is warning customers who purchased IBM Storwize storage products that the USB drives containing the initialization tool for the systems may be infected with malicious code.

The malware has been identified as a variant of the Reconyc (aka Pondre) malware family, a trojan primarily designed to download additional malicious payloads.

Launching the installation tool from infected USB drives creates a copy of both the tool and the malware in a temporary folder on the customer's hard drive. The folder is named %TMP%\initTool on Windows systems and /tmp/initTool on Linux and Mac systems.

IBM stresses that the malware is only copied, not executed, during that process, so running the initialization tool does not by itself infect the host.

As long as the malware is on the device, however, the potential of infection is there. For that reason, IBM recommends deleting the temporary folder and either reformatting or securely destroying the USB flash drive so it can't be reused.
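The cleanup IBM describes is simple, but a responder will usually want a record of what was sitting in that folder before it disappears. The script below is an added example, not IBM's tool or a Barkly product: it resolves the folder IBM names for each OS (%TMP%\initTool on Windows, /tmp/initTool on Linux and macOS), hashes every file in it so the evidence can be compared against AV or threat-intel indicators later, and only then removes the folder. The `dry_run` default, the SHA-256 inventory and the `demo()` function that stages a constructed, harmless stand-in for the folder are this example's own assumptions, not part of IBM's guidance.

```python
"""Locate, inventory and remove the Storwize initTool temp folder.

Folder names come from IBM's alert. Everything else (dry-run default,
hash inventory, the constructed demo) is this example's own design.
"""
import hashlib
import os
import platform
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def inittool_dir(system: Optional[str] = None, tmp: Optional[os.PathLike] = None) -> Path:
    """Return the path IBM names for the tool's temp copy on the given OS.

    Windows: %TMP%\\initTool   Linux / macOS: /tmp/initTool
    `system` and `tmp` default to the running host; both can be overridden
    (used by the demo and for offline testing).
    """
    system = system or platform.system()
    if system == "Windows":
        base = Path(tmp or os.environ.get("TMP") or tempfile.gettempdir())
    else:
        base = Path(tmp or "/tmp")
    return base / "initTool"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large copies of the tool are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(folder: Path) -> Dict[str, str]:
    """Map folder-relative path -> SHA-256 for every file; {} if absent.

    Keys use forward slashes regardless of OS so reports compare cleanly.
    """
    if not folder.is_dir():
        return {}
    return {
        p.relative_to(folder).as_posix(): sha256_file(p)
        for p in sorted(folder.rglob("*"))
        if p.is_file()
    }


def remediate(folder: Path, dry_run: bool = True) -> Dict[str, str]:
    """Record what is in the folder, then delete it unless dry_run.

    Returns the inventory taken before deletion so the caller can keep it
    as evidence. A missing folder yields {} and nothing is touched.
    """
    found = inventory(folder)
    if not folder.exists():
        return {}
    if not dry_run:
        shutil.rmtree(folder)
    return found


def demo() -> dict:
    """Constructed walkthrough: stage a fake initTool folder (no real
    malware, just placeholder bytes) under a throwaway temp dir, take a
    dry run, then really remove it. Returns the observations."""
    base = Path(tempfile.mkdtemp(prefix="storwize-demo-"))
    folder = inittool_dir("Linux", tmp=base)  # force the /tmp-style layout
    folder.mkdir()
    (folder / "InitTool.sh").write_text("#!/bin/sh\necho constructed sample\n")
    (folder / "lib").mkdir()
    (folder / "lib" / "payload.bin").write_bytes(b"\x00constructed, not malware")
    before = inventory(folder)
    planned = remediate(folder, dry_run=True)     # must leave files in place
    existed_after_dry_run = folder.exists()
    removed = remediate(folder, dry_run=False)    # real deletion
    gone = not folder.exists()
    shutil.rmtree(base, ignore_errors=True)
    return {
        "before": before,
        "planned": planned,
        "existed_after_dry_run": existed_after_dry_run,
        "removed": removed,
        "gone": gone,
    }


if __name__ == "__main__":
    # On a real host: report only. Pass dry_run=False to actually delete.
    target = inittool_dir()
    print(f"checking {target}: {'present' if target.exists() else 'absent'}")
    for rel, digest in remediate(target, dry_run=True).items():
        print(f"  {digest}  {rel}")
```

Run it once in dry-run mode across a fleet to find hosts where the initialization tool was launched from the affected drive, keep the hash list with the incident record, and only then rerun with `dry_run=False`. Deleting the folder removes the dormant copy; it does not tell you whether the trojan ever ran, which is a separate forensic question.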

Affected Devices

According to IBM, USB drives shipped with the following Storwize models may have the malware installed:

  • IBM Storwize V3500 - 2071 models 02A and 10A
  • IBM Storwize V3700 - 2072 models 12C, 24C and 2DC
  • IBM Storwize V5000 - 2077 models 12C and 24C
  • IBM Storwize V5000 - 2078 models 12C and 24C

Lenovo also issued a similar alert for the following models branded as "IBM Storwize for Lenovo":

  • IBM Storwize for Lenovo V3500 - 6096 models 02A and 10A
  • IBM Storwize for Lenovo V3700 - 6099 models 12C, 24C and 2DC
  • IBM Storwize for Lenovo V5000 - 6194 models 12C and 24C

The USB drives have the part number 01AC585 (pictured below).


The initialization USB flash drive shipped with IBM Storwize products. / IBM

How did this happen?

IBM has yet to shed any light on how the malware ended up on the USB drives. For Lenovo, it's the second time in two months a product was shipped to customers with malware installed. In March, news broke that 38 Android smartphones from Lenovo, Samsung, and others had been infected with malicious code at some point during the supply chain and manufacturing process.

Why USB drives are a particularly dangerous attack vector (and how malware deployed via USB drives can be stopped)

Even for those who aren't Storwize customers, this serves as a reminder that organizations need to be prepared for attacks that originate via flash drives.

While the vast majority of malware arrives on systems via email attachments or web-based attacks, USB drives still offer attackers a devastatingly direct delivery vehicle for infecting victims.

What makes infected USB drives so dangerous — aside from people's amazingly stubborn willingness to plug even random ones they find in a parking lot into their computers — is that they present a delivery path for malware that bypasses gateway network security such as firewalls and email filtering.

That puts the pressure of recognizing and stopping the malware directly on the shoulders of endpoint security, and with malware authors continuing to outpace and evade antivirus detection, that means organizations need another layer of defense.

Because Barkly's runtime malware defense (RMD) recognizes and blocks malicious activity in real-time, it protects organizations from malware no matter how it is delivered — via phishing, an exploit kit, or even a USB.

In this case, that means even if the Reconyc trojan pre-packaged on these USB drives is executed, Barkly customers are protected.

Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
