Shamoon destroys evidence: McAfee


Recently appointed McAfee global CTO Mike Fey told the company's Focus 12 conference the Shamoon malware was really about destroying any evidence of intrusions: "all it does is wreck the device," he said, likening it to the scene in a movie where the bad guy pours petrol over the scene of a crime, walks away and flicks a match over his shoulder.

McAfee's proof-of-concept re-creation of Shamoon installs a control application and a kernel level driver that is effectively invisible to the operating system and anti-virus software, and is able to write directly to storage in order to corrupt files and the Master Boot Record (MBR).

Since the OS has been bypassed, the timestamps on corrupted files don't change, and a clobbered MBR means the computer can't boot. Recovering from this situation normally means attending to each computer individually, which is a very time consuming procedure.

But McAfee's ePO Deep Command takes advantage of Intel's vPro hardware features to remotely instruct an affected system to boot from another location, which can be a copy of the MBR or an ISO disc image.
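As an added illustration (not McAfee's code and not from the article), the following Python check shows the defender's side of the MBR story: it parses a saved 512-byte copy of a disk's first sector, verifies the boot signature and partition table, and compares the sector against a trusted baseline hash, the same idea as keeping a known-good MBR copy to restore from. The sample sector and the clobbered one are constructed in memory; no disk is touched.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
# partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into its boot-signature flag and four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of a known-good MBR copy, recorded while the system is still trusted."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, trusted_sha256: str) -> list:
    """Return findings for a captured MBR; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten")
    if not any(p["type"] for p in info["partitions"]):
        findings.append("partition table empty")
    if baseline_hash(sector) != trusted_sha256:
        findings.append("MBR differs from trusted baseline copy")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot bytes, one active NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # placeholder jump, not real boot code
    struct.pack_into(ENTRY_FMT, sector, 446, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def clobbered_sample() -> bytes:
    """Constructed stand-in for a wiped first sector: zero filler, no signature, no table."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    good = build_sample_mbr()
    trusted = baseline_hash(good)
    print("good:", check_mbr(good, trusted))                    # []
    print("clobbered:", check_mbr(clobbered_sample(), trusted))  # three findings
```

In practice the baseline hash would be recorded from each machine's real first sector during provisioning, since boot code and partition layouts differ between systems.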

The situation on a Mac is "very similar," Fey said, except that a piece of malware needs to destroy the Boot.efi file in both the main and recovery partitions.

Privilege escalations are commonplace on Android, so it is not difficult to deliver malware that gains more rights than it claims, then tampers with the boot sequence so that the device locks up, eventually reboots itself only to run the malware code again, which causes another lock-up, and the cycle repeats.

For Windows, protection can be provided with McAfee's Deep Defender, which works in conjunction with Intel hardware features to protect the MBR, Fey said.

The hardware assistance means that even though the attempted alteration is invisible to the operating system and conventional security software, it can be blocked at hardware level.

Disclosure: The writer travelled to Las Vegas as the guest of McAfee.


Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences, a PhD in Industrial and Business Studies, and is a senior member of the Australian Computer Society.
