Commonwealth Security and Risk Management staff have been reviewing multiple reports of newly purchased Universal Serial Bus (USB) storage devices containing malicious software. Our recommendations are included below as some of the vulnerabilities may have significant impact for the Commonwealth Information Security community.

Vulnerability Description: USB storage devices containing malicious software

Pertinent Details: USB storage devices are being contaminated with malicious software prior to delivery to the customer (i.e.. Somewhere during the time period of manufacturing through distribution). The types of USB storage devices containing malicious software include USB flash/thumb drives, USB portable hard drives, USB digital photo frames, USB flash based MP3 players, and USB memory cards. The malicious software installed on the USB storage device could be virus or Trojan applications that may allow a malicious individual to steal information from the computer or expose the computer to additional malicious software. Please be particularly careful during this holiday season due to the high volume of USB storage devices purchased during this time.

Recommended Action: Prior to attaching a new USB storage device to a computer system, temporarily disable the ‘Autorun’ feature on the computer system. Ensure that the anti-virus software on the computer system is up-to-date. Run a virus scan on all partitions of the USB storage device prior to utilizing the USB storage device. If malicious software is found on the device, either allow the anti-virus software to remove the malicious software or return the USB device to the seller.