McAfee researchers are warning travelers and Olympic fans about a new type of malware that is being spread across various Internet cafes and bars in China. The malware, named MachineDog, is designed to penetrate the hard disk and circumvent most of the security measures in place at many such online establishments.
McAfee researchers discover new malware in Internet cafes and bars.
"The driver does the most important work. It does the infection which was implemented earlier in the application part. Its infection method is quite special and interesting, which can bypass and penetrate many hard disk protection software, and some security software," explains researcher Xing Su. "First it reads the atapi.sys driver file from the hard disk, then searches dispatch routine addresses in that driver's body, to bypass any existing dispatch routines that have inline hooks."
According to Su, atapi.sys is targeted because "the device created in atapi.sys is the last device in all the device stacks that the IRP passes through, and it's the end of this IRP. Sending IRPs to this device can avoid all filter devices and inline hooks in any upper devices which are used by some security software or protection software. Then the malware sends IRPs to the partition device dispatch routines in the atapi driver to read and write data directly into the hard disk."
Once executed, MachineDog drops and installs a device driver named 'pcihdd.sys' from the '%system%/drivers' directory.
"Once the driver is installed, the 'pcihdd.sys' file is deleted from the disk and remains resident only in memory," outlines a related McAfee information file. "The user mode application communicates with the device driver to infect the 'userinit.exe' file on disk. The infected file is detected as 'MachineDog!inf'."
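The two artifacts described above (a driver that keeps running after its file is deleted, and a modified userinit.exe) can be checked from an administrative PowerShell session. This is an added example, not code from the McAfee report; it assumes Windows 8 or later so that catalog signatures on system files are validated, and the driver and file names it reads come from the live system.

```powershell
# Added defender-side check for the MachineDog artifacts described in the article.
# Assumption: run as Administrator on Windows 8+ with PowerShell 5.1 or newer.

# 1. Running kernel drivers whose image file no longer exists on disk.
#    MachineDog deletes pcihdd.sys after loading it, so a driver in the 'Running'
#    state whose PathName is missing is the signal; legitimate drivers keep their file.
function Get-FilelessRunningDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # WMI reports paths in several forms: \??\C:\...\x.sys, \SystemRoot\...\x.sys,
            # or a path relative to the Windows directory. Normalize before testing.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Driver = $_.Name; MissingFile = $path }
            }
        }
}

# 2. Integrity of userinit.exe, the file the malware infects.
#    A clean copy carries a valid Microsoft (catalog) signature; a patched one does not.
function Test-UserinitIntegrity {
    $userinit = Join-Path $env:SystemRoot 'System32\userinit.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $userinit
    $hash = (Get-FileHash -LiteralPath $userinit -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $userinit
        Signature = $sig.Status                      # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject   # expect a Microsoft Windows subject
        Sha256    = $hash                            # compare with a known-good baseline
    }
}

Get-FilelessRunningDriver | Format-Table -AutoSize
Test-UserinitIntegrity
```

Any driver listed by the first function, or a userinit.exe whose signature status is not Valid, warrants taking the machine offline for a closer look rather than simply restoring the disk image.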
Su goes on to say that most Internet gathering points (bars and cafes) rely heavily on hard disk protection software, under the assumption that it can replace standard layered security. "Once their machines are infected, the administrator just restores from backups made by the protection software. This malware takes advantage of this contrived neglect," Su concludes.
Mitigation for this type of threat will, for most travelers, come in the form of current AV signatures and updates. It is also wise not to trust any public network, such as the ones mentioned in the McAfee report.