IBM shocked delegates at the Australian AusCERT conference in Queensland last week by handing out USB sticks infected with malware.

The company was forced to write to delegates apologising for its error. "At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."

It was actually worse than IBM intimated. To make it doubly embarrassing, according to security company Sophos, the company included two examples of malware: W32/LibHack-A. and W32/Agent-FWF.

Sophos's senior technology consultant, Graham Cluley had a guess how the error occurred. "My guess is that they didn't check the USB sticks before handing them out. Maybe they out-sourced the creation of the USB content to a third party, and they weren't careful enough. After all, if an infected PC was used to create the "image" of the USB drive then it would have been easy for that disk image to be infected and copied onto every USB stick they handed out."

IBM certainly couldn't say that it had been caught up by new malware, Sophos has been detecting W32/Agent-FWF since June 2007.

Cluley said that users should be suspicious of all USB drives – even those handed out at security conferences. "Users should always be cautious about USB sticks, as they are a common carrier of malware. The trick is to disable autorun/autoplay on your computers, and use an up-to-date anti-virus that checks every file accessed in case it contains a virus infection.

"Businesses may also want to put in place technology that controls the use of USB ports (and what can be plugged into them). This not only helps protect against USB-borne malware, but also data loss."