Security Market Segment LS
Wednesday, 24 October 2012 06:05

Shamoon destroys evidence: McAfee


Recently appointed McAfee global CTO Mike Fey told the company's Focus 12 conference the Shamoon malware was really about destroying any evidence of intrusions: "all it does is wreck the device," he said, likening it to the scene in a movie where the bad guy pours petrol over the scene of a crime, walks away and flicks a match over his shoulder.

McAfee's proof-of-concept re-creation of Shamoon installs a control application and a kernel level driver that is effectively invisible to the operating system and anti-virus software, and is able to write directly to storage in order to corrupt files and the Master Boot Record (MBR).

Since the OS has been bypassed, the timestamps on corrupted files don't change, and a clobbered MBR means the computer can't boot. Recovering from this situation normally means attending to each computer individually, which is a very time consuming procedure.

But McAfee's ePO Deep Command takes advantage of Intel's vPro hardware features to remotely instruct an affected system to boot from another location, which can be a copy of the MBR or an ISO disc image.

The situation on a Mac is "very similar," Fey said, except that a piece of malware needs to destroy the Boot.efi file in both the main and recovery partitions.

Privilege escalations are commonplace on Android, so it is not difficult to deliver malware that gains more rights than the privileges it claims and then tampers with the boot sequence so the device locks up, eventually reboots itself only to run the malware code again which causes another lock up, and the cycle repeats.

For Windows, protection can be provided with McAfee's Deep Defender, which works in conjunction with Intel hardware features, to protect MBR, Fey said.

The hardware assistance means that even though the attempted alteration is invisible to the operating system and conventional security software, it can be blocked at hardware level.

Disclosure: The writer travelled to Las Vegas as the guest of McAfee.


Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.



Some of the most important records are paper-based documents that are slow to issue, easy to fake and expensive to verify.

Digital licenses and certificates, identity documents and private citizen immunity passports can help you deliver security and mobility for citizens’ information.

Join our webinar: Thursday 4th June 12 midday East Australian time


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.



Recent Comments