20 Oct 2011
LAS VEGAS: A new family of products that could play a key role in combating emerging malware threats that attack below the OS level took centre stage at McAfee's 2011 Focus conference this week.
The products are the first significant fruits of Intel's acquisition of McAfee in 2010. The DeepDefender and DeepCommand tools are the first in McAfee's DeepSAFE range. Designed for Intel i3, i5 and i7 processors, the DeepSAFE products sit between the processor and operating system levels.
By integrating directly with the processor, the DeepSAFE products are able to view activity at a lower level and detect possible rootkit activity.
Designed for end-user systems, the DeepDefender platform is slated to arrive in the first quarter of next year. The tool will require an Intel processor and Windows 7 systems.
DeepCommand, meanwhile, will be targeted at IT administrators. Operating as a plug-in for McAfee's ePolicy Orchestrator platform, DeepCommand is a remote management tool that will allow administrators to remotely access systems regardless of their power state.
In doing so, the tool will allow administrators to easily install and deploy patches and updates to end-user systems remotely.
First announced last month in San Francisco at the Intel Developer Conference, the DeepSAFE range will consist of products specifically designed to integrate with Intel processors at a deeper level than conventional security tools, which run on top of the operating system.
McAfee believes that technologies such as DeepSAFE will be critical for protecting against the coming generation of malware attacks that rely on rootkit technology running beneath the operating system and hiding malware installations from security tools.
One such attack was revealed by McAfee on the first day of the conference. Dubbed Duqu, the malware infection was found to be targeting industrial control systems mainly located in the Middle East and Northern Africa regions. Both McAfee and Symantec were notified of the malware by a security consultant working with an infected company.
McAfee researchers noted that the Duqu infection was particularly impressive in its use of signed security certificates. Researchers believe the certificates were either stolen or generated through a compromised system at a certificate authority company.
Also notable about the Duqu infection was its striking resemblance to the infamous Stuxnet malware. Much like Stuxnet, Duqu makes use of multiple encryption keys and rootkits to hide itself from security scans.