Re: Michael C
"I may be missing something but how does the malware get on the USB device in the first place?"
I imagine you reverse engineer a vendor tool that updates the firmware, so you can see the magic packets needed to put the device into program mode. You then either read the firmware off the chip (if poss) or download a firmware update and work out what the raw binary is.
From there, you work out how the chip works internally: where registers are and so forth. You add in your new code, hook it up so it runs, and then upload that modified firmware to the controller in program mode.
Now you're all set. After that, make sure the PC malware you install has the capability of automating the above. And now you're cooking on gas.
IMHO it's the reverse engineering of the firmware and the firmware programming that's impressive. You shouldn't trust USB sticks anyway on machines that are sensitive. If you genuinely care about information security, you'd compartmentalize your data and systems so that plugging a random USB thing into your gaming PC doesn't screw over your machine with your PGP keys.
C.