Last week Dell notified customers that certain Dell PowerEdge Server replacement motherboards had been infected with malware. The W32.Spybot worm (originally discovered in 2003) was found in flash storage (NOT firmware) on the motherboard during Dell testing.
This issue does not affect systems as shipped from Dell and is limited to replacement motherboards in four servers – Dell PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410.
While discovering malware embedded in servers shipped from major manufacturers is alarming, this incident in particular should have minimal impact.
According to a Dell representative in response to an inquiry from SecurityWeek, a very specific sequence of events would need to occur for customers to be affected:
• The systems would have to ship w/o an iDRAC Express or iDRAC Enterprise card, which is minority of Dell systems
• The customer would have to be running a non-patched version of Windows 2008 or an earlier version of the OS
• Not running current anti-virus software, which would flag the malware.
• The servers would have to run a specific series of commands.
Dell quality control identified the problem and the company says it is not aware of any customers that have been compromised.
Dell has removed the impacted motherboards from its supply chain and the total universe of potentially affected customers is less than 1% of these server models. The virus infected the motherboards as a result of the software used to test them being infected due to human error.
Additional information and updates can be found at the Dell Support Forum.