Intel-McAfee preview new rootkit weapon

Sep 16, 2011 by Nancy Owano report

(PhysOrg.com) -- Letting everyone know that today's computing is no longer about running good anti-virus software, McAfee this week presented a new technology approach in computer protection called DeepSAFE, designed to combat the newer forms of deeply-rooted malware that embed themselves outside the operating system and go undetected. What is special about DeepSAFE is that it goes beyond the operating system to do "kernel-mode rootkit prevention," according to McAfee, making the announcement at this week's Intel Developer Forum in San Francisco.

Unlike installed anti-virus software, the new layer of protection will sit below a PC's operating system to detect modifications attempted by hidden malware, according to George Kurtz, McAfee's CTO and executive vice-president. Sitting outside the operating system, the new approach uses Intel's "chip-level hooks" to look for the presence of threats such as rootkits.

According to McAfee Labs, more than 1200 new rootkits are detected every day around the world, or 50 per hour every day. They are a security burden because they load and embed themselves at the kernel level of the operating system, where they are difficult to spot. McAfee spokesmen said DeepSAFE veers from current approaches, which are based on "20+ year old techniques."

Those technologies are becoming less effective, and "novel approaches are needed to effectively manage the increase in malware and other attacks."

DeepSAFE is designed to detect and block, in real time, the suspicious behaviors that are characteristic of many of those rootkits, before they have a chance to spread.
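As an added illustration of the kind of check a below-the-OS monitor performs (example code written for this page, not McAfee's or Intel's own code), the following Python models two of them: comparing a protected kernel structure against a trusted baseline to spot entries that have been redirected, and refusing writes into protected address ranges unless they come from an approved updater, logging every attempt. The dispatch table, the address ranges, the actor names and the "unknown_driver.sys" scenario are all constructed sample values, not real kernel layout.

```python
"""Toy model of an out-of-OS memory-integrity monitor (constructed example)."""
import hashlib
from typing import Dict, List, Tuple

# Constructed "kernel dispatch table": syscall number -> handler address.
# The addresses are made-up sample values, not a real kernel layout.
BASELINE_TABLE: Dict[int, int] = {
    0: 0xFFFF_8000_0010_0000,   # read
    1: 0xFFFF_8000_0010_0080,   # write
    2: 0xFFFF_8000_0010_0100,   # open
    5: 0xFFFF_8000_0010_0280,   # fstat
}

# Protected address ranges (name, start, end) the guard refuses ordinary writes to.
PROTECTED_RANGES: List[Tuple[str, int, int]] = [
    ("dispatch_table", 0xFFFF_8000_0020_0000, 0xFFFF_8000_0020_1000),
    ("kernel_text", 0xFFFF_8000_0010_0000, 0xFFFF_8000_0011_0000),
]


def table_digest(table: Dict[int, int]) -> str:
    """Hash the table in canonical order so two identical tables hash alike."""
    blob = b"".join(
        n.to_bytes(2, "little") + addr.to_bytes(8, "little")
        for n, addr in sorted(table.items())
    )
    return hashlib.sha256(blob).hexdigest()


def find_hooked_entries(table: Dict[int, int],
                        baseline: Dict[int, int]) -> List[Tuple[int, int, int]]:
    """Return (syscall, expected, actual) for every entry that drifted from the baseline.

    A missing entry is reported with actual == -1 so a removal is not silently ignored.
    """
    return [
        (n, expected, table.get(n, -1))
        for n, expected in sorted(baseline.items())
        if table.get(n, -1) != expected
    ]


class WriteGuard:
    """Models the below-OS rule: writes into protected ranges are blocked
    unless they come from the trusted updater, and every attempt is logged."""

    def __init__(self, ranges: List[Tuple[str, int, int]]) -> None:
        self.ranges = ranges
        self.events: List[Tuple[str, int, str, str]] = []

    def attempt_write(self, addr: int, actor: str) -> bool:
        for name, lo, hi in self.ranges:
            if lo <= addr < hi:
                allowed = actor == "trusted-updater"
                self.events.append((name, addr, actor, "allowed" if allowed else "blocked"))
                return allowed
        return True  # unprotected memory: not this monitor's concern


def demo() -> Tuple[List[Tuple[int, int, int]], List[Tuple[str, int, str, str]]]:
    """Run both checks against a constructed scenario and return their findings."""
    live = dict(BASELINE_TABLE)
    # Constructed scenario: an unknown driver has redirected syscall 2 to its own code.
    live[2] = 0xFFFF_8000_00AA_0000
    hooked = find_hooked_entries(live, BASELINE_TABLE)

    guard = WriteGuard(PROTECTED_RANGES)
    guard.attempt_write(0xFFFF_8000_0020_0010, "unknown_driver.sys")   # blocked, logged
    guard.attempt_write(0xFFFF_8000_0020_0010, "trusted-updater")      # allowed, logged
    guard.attempt_write(0xFFFF_8000_0030_0000, "unknown_driver.sys")   # outside ranges, ignored
    return hooked, guard.events


if __name__ == "__main__":
    hooked_entries, write_events = demo()
    print("baseline digest:", table_digest(BASELINE_TABLE))
    for n, expected, actual in hooked_entries:
        print(f"syscall {n}: expected {expected:#x}, found {actual:#x}")
    for event in write_events:
        print("write event:", event)
```

The digest is what a monitor stores between checks, so it never has to keep a full copy of the structure it protects; the entry-level diff is what turns "something changed" into an actionable report. Both checks only make sense if the checker itself lives where the rootkit cannot reach it, which is exactly the point of putting the monitor below the operating system.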

The future of security is going to have to move beyond the operating system, says a McAfee video presentation, in no uncertain terms, and should not be bound by the same OS rules as today, because rootkits are designed to hide themselves away from the OS.

DeepSAFE is in beta. Products employing DeepSAFE technology are expected later this year. DeepSAFE is designed to work with Windows 7; McAfee anticipates DeepSAFE will work with Windows 8 on its release; McAfee is evaluating bringing the technology to Android mobile devices.

The McAfee preview at this week's Intel Developer Forum represents a significant showing of the technology, as well as a pointer to how the two companies will work together following Intel's acquisition of McAfee for $7.68 billion in February.


More information: www.mcafee.com/us/resources/fa… psafe-technology.pdf
www.mcafee.com/us/solutions/mcafee-deepsafe.aspx



User comments: 12

AngryMoose
3 / 5 (2) Sep 16, 2011
According to McAfee Labs, more than 1200 new rootkits are made by McAfee every day around the world! :D
default_ex
2.3 / 5 (3) Sep 16, 2011
Don't know if I can really trust McAfee to be running between the OS and hardware. Not that it's bad software, it's just kinda slow compared to the alternatives.

What's sad is the billions they spent to develop this software could have been better spent educating users on identification of potentially dangerous websites and software. But then that'd lower the need for their product.
kevinrtrs
1 / 5 (1) Sep 16, 2011
Seems to me that Kaspersky has already jumped them on this because they literally take over the machine and run everything else in a virtual environment, at least that's the impression I'm getting looking at what their latest version has done to my machine.
kevinrtrs
1 / 5 (1) Sep 16, 2011
Furthermore it simply means that the pirates only have to break McAfee DeepSAFE to have total control of the machine. From what is visible in some places I frequent, this seems to be the case that McAfee has been subverted and has become totally useless at identifying intrusions. So much for "protection".
krundoloss
3 / 5 (2) Sep 16, 2011
All Antivirus methods, with the exception of Antivirus Gateway products, are easily defeated. Why? Simply because highly trained experts try and try until they find a way around the AV, then they deploy their malware. AV companies slowly gather information and release definitions that may finally stop that one piece of malware. Then the cycle repeats. My point is that the Malware Creators always have the upper hand, and will continue to have the upper hand because the AV companies are REACTIVE.
Ethelred
3 / 5 (2) Sep 16, 2011
Antivirus Gateway products
Gateways can only stop KNOWN viruses that are not polymorphic. They can do nothing if they change AFTER they are started beyond the gateway.

Most AV products are not limited to signatures.

Ethelred
shadowruni
not rated yet Sep 16, 2011
sigh.
[start rant]
Ok first off. AV is really just a heuristics engine connected to a [GASP] benign (hopefully!) rootkit. They do some other stuff like bounds checking and watching for hooks into things but for the most part they're looking for things like NOP sleds and things messing with lookup tables and the like. Those are typical hallmarks of exploits and rootkits. It *IS* an arms race and always will be. An example: MS has about 200K employees and contractors (informed industry estimates) and less than half (if even that many) are techies, and an even MUCH smaller number than that are devs and an *EVEN* smaller number are security/kernel/driver types (the ones who do the actual hardening of stuff as it's not magic). These guys/gals don't grow on trees. Compare that to the MILLIONS OF PEOPLE actively attacking (or accidentally finding stuff like Fydor does) and the attackers will always have the initiative. AV companies just have to deal with it... you do too.
[end rant]
tigger
5 / 5 (1) Sep 16, 2011
AVAST! > McAfee
Ethelred
3.7 / 5 (3) Sep 17, 2011
AV is really just a heuristics engine connected to a [GASP] benign (hopefully!) rootkit.
They are not limited to that. They started out as signature checkers.

It *IS* an arms race and always will be.
To a large extent yes. Someone might figure out a way to avoid that.

These guys/gals don't grow on trees.
No they grow in bedrooms and basements and eat a LOT of pizza and colas.

Compare that to the MILLIONS OF PEOPLE actively attacking
Without benefit of the source code of the OS or the protection software. And it isn't millions. A very small percentage of those that THINK they are hackers actually have the skill, knowledge and will to trace code, find weaknesses and figure out how to exploit them. Most of the rest are little more than script kiddies that think they know more than they do or know full well that they can't do much of it themselves. That low skill level stuff is more subject to signatures.>>
Ethelred
3 / 5 (2) Sep 17, 2011
The offense vs defense is not nearly as one sided as you portrayed.

And the attackers will always have the initiative.
Initiative has its limits. I don't see any sign of the wankers beating reputation checks yet.

And it isn't like the defense is limited to working from malware that is in the wild. Honey pots often catch the stuff early and it really isn't all that hard to listen go underground when it is all done online.

Ethelred
frajo
1 / 5 (1) Sep 17, 2011
In theory, my main OS is as vulnerable as anything.
But in 20 years of practice I didn't experience a single malware event. Without using any AV software. And as nobody else is going to use this OS anyhow, it's going to stay malware-free.
[Written from eCS aka OS/2, like all my comments.]
FieroGT42
not rated yet Sep 17, 2011
Almost all virii (plural of virus) are contracted by the user's actions allowing a harmful application when they should know better. I don't even run an antivirus on one of my computers because it doesn't need it - nobody is doing anything stupid with it.

Also, McAfee is almost as useless as Norton has been for the last 10 years. I don't expect this to be any better than the low-level root kits that both have already been using for years.

I'll stick with Comodo or AVG for free, or a NOD32 subscription that can't be beat, depending on my clients' needs.