Industry News

Cybersecurity quiz winners rewarded with malware-infected USB sticks

It is a truth universally acknowledged in the infosecurity community, that giving away free USB sticks only leads to trouble.

On countless occasions we’ve seen businesses embarrassed as they hand out thumb drives which are not only stuffed to the brim with marketing material, but are also unwittingly hiding malware.

And yet, companies continue to put the public at risk by giving away cheap USB sticks at trade shows, with often little consideration as to what may also be lurking on the device.

In perhaps the most ironic example of “Danger USB!” yet, we hear that Taiwan’s cybercrime-fighting investigators recently handed out malware-infected USB sticks to… winners of a cybersecurity quiz.

Taiwan’s Criminal Investigation Bureau has apologised after handing out 54 infected flash drives at a data security expo hosted by the government from 11-15 December. An event which had the noble aim of raising awareness of cybercrime. Ho hum!

As local media reports, distribution of the 8GB devices was halted on the afternoon of 12 December after early winners of the quiz warned that their anti-virus software had warned them that the drives contained malware.

The Windows-based malware was designed to steal personal information from infected PCs and send it via an IP address based in Poland to parties unknown.

However, it seems unlikely that Taiwan’s computer crime-busting cops, or the event itself, were deliberately targeted by hackers. Instead, as is often the case, there is a more down-to-earth explanation for what happened – and why only 54 of the 250 giveaway USB drives are believed to contain the malware.

According to the Criminal Investigation Bureau, the infections have been traced back to a single PC at an external contractor. It seems that a random sample of the USB drives were plugged into the infected PC in order to test their storage capacity, and the malware was unwittingly transmitted to 54 of them at that time.

It’s the kind of security goof that is all-too-familiar. Readers with long memories may recall that, in 2010, IBM handed out USB sticks at the AusCERT security conference infected by not one… but two pieces of malware.

Seven years later, IBM found itself in the embarrassing position of having to admit that it had shipped malware-infected USB sticks to enterprise customers.

How can you protect yourself from unsolicited, unwanted USB sticks? Well, there’s one simple fool-proof method that guarantees your computer won’t become infected.

No prizes if you guessed correctly. Simply throw it in the rubbish bin.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • Then there was IBM shipping computers with CIH (!!) installed. And I remember these that zdnet cites:

    IBM ships a batch of new Aptiva PCs with the CIH virus pre-installed during March 1999, one month before the virus detonates its payload.
    Origin Systems website contained an infected file that related to its popular Wing Commander game.
    As many as three European gaming magazines shipped demo CDs that were infected. One company went as far as including a note inside telling users to disinfect their machines after using the CD. A widely distributed version of Activision's game SiN was also infected. It should be noted that the infection did not originate at Activision.
    Yamaha Shipped an infected version of firmware update software for their CD-R400 drives.

    … And I know I'm missing some examples whether CIH or not I don't know. And that was years and years ago. Then there was this:

    In late 2001, Kriz was accidentally released on the Atelier Marie video game for the Sega Dreamcast. The Sircam worm became infected with Kriz, allowing it to piggyback on worm. Sircam also carried the Funlove virus. Kriz was number 5 on Trend Micro's top 10 list in October of 2000.

    And The Road ('list') Goes Ever On…