Does your company use IMB Storwize?
If you’re not sure what that is, then you probably don’t. It’s the company’s Big Data storage system, and when you purchase it, you get USB flash drives with initialization tools and installation files.
Unfortunately, IBM has recently discovered that some of the flash drives they’ve been shipping out are infected with malware. Below, you’ll find the Storwize version numbers and flash drive model numbers that have been impacted:
• Storewize V3500 – 2071 Models 02A and 10A
• Storewise V3700 – 2072 Models 12C, 24C, and 2DC
• Storewize V5000 – 2077 Models 12C and 24C
• And Storewize V5000 – 2078 Models 12C and 24C
The infected flash drives all bear the same part number, which is 01AC585.
If you use this IBM solution, you should check the flash drives you got to see if you have one bearing the part number referenced above.
There is some good news here. According to IBM Engineers, while the malware copies to your server along with the installation files, it does not execute, and the Encryption Key Management software that ships with the equipment is not impacted.
The MD5 hash of the malicious file is 0178a69c43d401bf9596299ea57, and IBM reports that most antivirus programs already detect for it.
The company recommends the following course of action for any impacted, or potentially impacted users:
1) Use your antivirus software to scan the server you copied the files to. This should remove the malware.
2) Reformat the flash drive, then scan to be sure the threat has been eliminated at the source.
3) Download a fresh copy of the Storwize Initialization Tool onto the flash drive for reinstallation onto your server.
Although the malicious code is never executed, and analysis of it reveals it to be a fairly basic malware downloader, it’s definitely not something you want to leave lurking on your system.