It was, literally and otherwise, more stick than carrot for some winners of a recent data-security contest in Taiwan, who must have been stuck for words after their prizes turned out to be malware-riddled USB sticks.
The country’s Criminal Investigation Bureau (CIB) handed out 250 USB thumb drives to members of the public who had passed a quiz testing their cybersecurity knowledge, which was held as part of an information security event hosted by Taiwan’s Presidential Office between December 11 and 15 of last year. Little did all those involved know that 54 of the eight-gigabyte units contained malware.
The distribution of the USB sticks was halted on December 12 after some of the quiz’s successful entrants reported that their rewards had been flagged by their security software as containing malware. Twenty units have been returned, while the rest apparently remain in circulation.
The malware, called XtbSeDuA.exe, is designed to steal personal information from 32-bit computers. If successful, it attempts to relay the data to a Poland-based IP address, which forwards it to unidentified servers, according to the CIB. The malicious program is known to have been used by a cyber-fraud ring uncovered by Europol in 2015.
The CIB said that the infestation originated from a workstation used by an employee of a local contractor “to transfer an operating system to the drives and test their storage capacity”. Some of the drives were produced in China, but the police have dismissed suggestions of espionage, citing an accidental compromise instead.
Security events are no strangers to similarly inadvertent distribution of compromised USB drives. The Australian telecom company Telstra handed out malware-infested thumb drives at the AusCERT security conference in Australia in 2008, before IBM unwittingly did the same thing at the same event two years later.
Back in 2002, IBM had a USB drive that had a rare boot sector virus on it. The company was guilty of another mishap involving flash drives last year, this time shipping Trojan-infested USB drives together with the company’s Storwize storage systems.
Meanwhile, a survey in 2016 found that curiosity tends to get the better of people when they come across stray USB drives. Nearly one-half of 300 university students in the study didn’t shy away from plugging in and clicking on files in memory sticks dropped on the campus moments earlier.
Another issue with USB drives is that they often get misplaced, as evidenced in the United Kingdom two years ago. More recently, an unencrypted memory stick containing sensitive information about London’s Heathrow airport was found in West London.
The prime example of just how much havoc a piece of malware lurking on a USB drive can wreak was provided by Stuxnet. That worm resulted in major damage to centrifuges at Iran’s Natanz nuclear facility in 2008 and is believed to have been introduced into the facility via a USB drive. In 2013, two unnamed power generation plants in the United States were found to harbor malware infestations courtesy of tainted USB drives. And in 2016, a computer and 18 USB sticks used by a German nuclear power plant were also found to be home to malware.
Author Tomáš Foltýn, ESET