Big headline, little news
Thursday, July 6, 2017
Here are a few more thoughts from us about news articles with panic-stricken headlines. This one, for example, claims that no anti-virus can detect a certain piece of malware.
"Neither anti-viruses nor firewalls can detect or block it. This enables the malware to freely harvest data on infected hosts".
Sadly, this text was aimed at IT professionals, yet no one pointed out that the statement wasn't quite accurate. Let's see what's wrong with it.
Recently, Anti-virus Times readers discussed how attackers could abuse Intel AMT (Intel Active Management Technology). In that issue we noted that the technology offers criminals great opportunities in principle, but that, luckily, despite its unpatched vulnerabilities, Intel AMT had not yet been exploited by them in practice.
Less than two months passed and:
Hackers are using Intel AMT to transfer messages between infected PCs
Microsoft warned users that Intel AMT can be abused by attackers.
Intel Serial-over-LAN (AMT SOL) is a feature of Intel AMT, which in turn runs on the Intel Management Engine (ME). Intel ME is part of the Intel chipset: it runs its own operating system on an embedded processor, independently of the main CPU, the host operating system and any installed security software, the anti-virus included. An anti-virus works with files, processes and drivers inside the operating system; Intel ME sits below all of that, at the hardware level. Moreover, an administrator (or an attacker) can use Intel ME even when the computer and its CPU are powered off, as long as the machine still has power and remains connected to the network.
The embedded Intel ME processor provides out-of-band (OOB) remote administration capabilities such as remote power cycling and keyboard, video and mouse (KVM) control.
SOL traffic is handled by the ME's own network stack rather than the host's, so it can carry data over the local network even when the host operating system has no network connectivity at all, and the host's firewall and anti-virus never see the packets.
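A check a practitioner will want at this point, as an added example that is not code from Doctor Web, Microsoft or Intel: since SOL traffic never reaches the host operating system, the only place to audit a machine's AMT exposure is the network, from another host. The script below probes the TCP ports Intel documents for AMT (16992/16993 for the web interface and WS-Management, 16994/16995 for redirection, the service that carries SOL) and recognises AMT by the 'Server' header its embedded web interface returns. The sample HTTP response embedded in it is constructed, and the version number in it is made up for illustration.

```python
"""Network-side audit of Intel AMT exposure.

Added example, not code from Doctor Web, Microsoft or Intel. AMT SOL traffic is
handled by the Management Engine and never reaches the host OS, so the host's
anti-virus or firewall cannot observe it; this probe runs from another machine.
Port numbers follow Intel's AMT documentation; the banner format is taken from
the 'Server' header AMT's web interface returns.
"""
import re
import socket
import sys
from typing import Dict, Iterable, List, Optional

# Intel AMT web interface / WS-Management (16992 plaintext, 16993 TLS) and
# redirection, the service that carries SOL and IDE-R (16994 plaintext, 16995 TLS).
AMT_HTTP_PORTS = (16992, 16993)
AMT_REDIRECTION_PORTS = (16994, 16995)

# AMT's embedded web server identifies itself in the HTTP 'Server' header.
AMT_SERVER_RE = re.compile(
    rb"^server:\s*(intel\(r\) active management technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_amt_banner(http_response: bytes) -> Optional[str]:
    """Return the AMT 'Server' header value if the response came from AMT, else None."""
    match = AMT_SERVER_RE.search(http_response)
    if not match:
        return None
    return match.group(1).decode("ascii", "replace").strip()


def sol_exposed(open_ports: Iterable[int]) -> bool:
    """True if either AMT redirection port (the channel SOL rides on) is reachable."""
    return any(port in AMT_REDIRECTION_PORTS for port in open_ports)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect check; AMT answers on the NIC even if the host OS is down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_http_banner(host: str, port: int = 16992, timeout: float = 3.0) -> bytes:
    """Send a minimal HTTP/1.1 request to the plaintext AMT web port, return raw bytes."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        response = bytearray()
        while len(response) < 65536:  # cap what we read from an untrusted peer
            chunk = sock.recv(4096)
            if not chunk:
                break
            response.extend(chunk)
    return bytes(response)


def audit_host(host: str) -> Dict[str, object]:
    """Probe one host for the AMT ports and, if the web port answers, fingerprint it."""
    open_ports: List[int] = [p for p in AMT_HTTP_PORTS + AMT_REDIRECTION_PORTS
                             if tcp_port_open(host, p)]
    banner: Optional[str] = None
    if 16992 in open_ports:
        try:
            banner = parse_amt_banner(fetch_http_banner(host, 16992))
        except OSError:
            pass  # port open but no usable HTTP answer; report the ports anyway
    return {"host": host, "open_ports": open_ports, "amt_banner": banner,
            "sol_exposed": sol_exposed(open_ports)}


# Constructed sample response modelled on what an AMT web interface returns;
# the version number is made up for illustration.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Location: /logon.htm\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    # Usage: python amt_audit.py 192.0.2.10 192.0.2.11 ...
    for target in sys.argv[1:]:
        print(audit_host(target))
```

A host that answers on 16994 or 16995 has the redirection service reachable, which is exactly the channel the malware discussed here uses; such machines are the ones to check for whether AMT was provisioned deliberately.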
According to Microsoft, the Platinum group, which has been operating actively in South and South-East Asia for several years, is behind the malware that uses SOL. The cyberespionage group first came into the spotlight in 2009 and has since carried out a large number of attacks. Last year Platinum was reported to have installed malware on targeted hosts by abusing hotpatching, a Microsoft technology that lets updates be applied without restarting the system.
Let's sum up. This malware is installed on an ordinary operating system like any other; it merely uses an unusual channel to communicate over the network.
Indeed, an anti-virus doesn't parse or analyse the AMT SOL protocol. But that isn't really necessary, because the protocol is not used to infect a system: it only lets already-installed malware communicate. What the anti-virus cannot do is see the SOL traffic itself; anyone who wants to spot that has to look at the network, not the host. To eliminate the threat, though, one merely needs to prevent the malware from getting installed in the first place. Restrict user permissions, install an anti-virus...
And one more thing.
To carry out such an attack, intruders first need administrator credentials for the target: AMT SOL is not active out of the box and has to be provisioned, which requires administrative access.
The Anti-virus Times recommends
- Blindly believing the media is bad for your health.
- Before malware can do anything on a system, its file first has to be launched. To prevent that, install updates, use strong passwords (and don't share them with anyone), use an anti-virus, and restrict user permissions.