Whether McAfee tested the thumbnail drive virus from Mar-a-Lago

President Trump's Mar-a-Lago winter White House had a woman invade it. As reported in the media, the Secret Service found a virus on the Chinese woman's thumbnail drive on Apr 2, 2019. I wish to know 3 things:

  1. Question 1: Whether McAfee read the newspaper article on this virus in the wild?
  2. Question 2: name of virus, and
  3. Question 3: whether McAfee tested it.

For ease of discussion, what is the name of the type of malware (e.g. "self-activating virus" is my term) for a virus that allows the thumbnail drive to start infecting as soon as it's attached? And then 3A) has McAfee tested such "self-activating viruses" on other thumbnails?

This was problem SR#2638521471 that I reported on Mon, May 13, 2019. And I posted this as a question on StackOverflow.

What is really bad about the virus is that as soon as it's plugged in, it immediately starts writing to the laptop.

I think it is reasonable to expect an anti-virus company to handle an "in the wild" virus that was being used over 60 days ago. According to standards, a company should fix reported problems within 90 days.

Accepted Solution

Moderator Madhan (Message 5 of 5)

Re: Whether McAfee tested the thumbnail drive virus from Mar-a-Lago

Hello Peter,

Firstly, to answer your questions specifically:

Question 1: Whether McAfee read the newspaper article on this virus in the wild?

Yes, we were aware of the case.

Question 2: name of virus, and

There were never any samples shared by the FBI, probably because they are classified. We cannot add detection for the actual USB exploit (if that was what was used), but we can detect the payload copied to the machine; however, we need samples to confirm.

Question 3: whether McAfee tested it.

No, we never received any sample or infected device to test.

This infection seems to be related to a USB firmware infection, which exploits a vulnerability in the USB hardware implementation and allows a malicious device to run malicious code on the host without interference from the operating system.

The only way to test the attack is by getting the actual physical device that was infected, since even a file copy would not get the malicious code from the device firmware.

What we can do, however, is detect the malicious binaries copied to the system once the exploit happens. In this case, we would need the actual sample to confirm whether or not we have detection, but since no sample was ever shared publicly, we cannot comment on it. If you have information about what was copied to the machine, please submit the information to us.

To answer the StackOverflow question specifically, there are two methods to run applications automatically from USB.

  1. One is using the Autorun feature, which can be disabled by the OS and blocked by the AV.
  2. The other is via an exploit (BadUSB), which is a hardware vulnerability and out of scope for an AV. The best protection in this case is to never connect unknown USB devices to mission-critical machines.

Regards,
Madhan M
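The two USB execution paths the moderator distinguishes call for two different defensive controls on a Windows host: the Autorun path is a software feature that policy can switch off, while a BadUSB device that re-enumerates as a keyboard is invisible to file-based scanning but still visible to the operating system's device inventory. The script below is an added example for this thread, not McAfee's code or any tool mentioned in it; it uses the documented Explorer policy values (NoDriveTypeAutoRun = 0xFF, NoAutorun = 1) and the built-in Get-PnpDevice cmdlet, and it assumes an elevated PowerShell session on Windows 8 or later.

```powershell
# Added example (not from the thread): harden a Windows host against the two
# USB execution paths discussed above, from an elevated PowerShell session.

# 1) Autorun. Policy values under the Explorer policies key:
#    NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type,
#    NoAutorun = 1 makes Windows ignore autorun.inf "open"/"shellexecute" entries.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) {
    New-Item -Path $policy -Force | Out-Null
}
Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
Set-ItemProperty -Path $policy -Name 'NoAutorun'          -Type DWord -Value 1

# Verify what is actually in effect; this is the check an auditor would run
# on a machine that was reported as having been plugged into an unknown stick.
Get-ItemProperty -Path $policy | Select-Object NoDriveTypeAutoRun, NoAutorun

# 2) BadUSB. A stick whose firmware presents itself as a keyboard never writes
#    a file for AV to scan, but the extra keyboard does appear in Plug and Play.
#    Inventory present keyboards and HID devices so an unexpected second
#    keyboard on a single-user laptop stands out; the InstanceId shown can be
#    passed to Disable-PnpDevice -InstanceId <id> -Confirm:$false if needed.
Get-PnpDevice -PresentOnly -Class 'Keyboard', 'HIDClass' |
    Select-Object Status, Class, FriendlyName, InstanceId |
    Sort-Object Class, FriendlyName |
    Format-Table -AutoSize
```

Two notes on the design. Windows 7 and later already ignore autorun.inf on non-optical removable media, so the first half mainly makes the setting explicit and auditable on machines where a local change or older image might have re-enabled it. The second half does not stop a malicious keyboard, which is the hardware problem the answer says is out of an AV's scope; it gives the operator a way to see that one arrived, which is the part a host-based control can still do.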

4 Replies

Moderator Madhan (Message 2 of 5)

Re: Whether McAfee tested the thumbnail drive virus from Mar-a-Lago

Hello Peter,

I've sent you a private message. Please check.


Re: Whether McAfee tested the thumbnail drive virus from Mar-a-Lago


To: Madhan (the Moderator)

Thanks for your private message. I'm not sure why it is private, when public would do.

Basically, you're saying: yes, we test for viruses. I know that, and that's why I bought your package, McAfee Antivirus.

However, you did not test the specific virus from Mar-a-Lago, and you don't even have a name for it yet.

Or know its name!

So, basically, I think you should say that publicly, and commit to fixing this virus within 90 days of the event of it being discovered "in the wild."

Peter

Re: Whether McAfee tested the thumbnail drive virus from Mar-a-Lago

PS: Since the Mar-a-Lago thumbnail self-activated virus was discovered May 13, 2019, you should have a fix for it in 90 days, which is Sun, Aug 11, 2019 (or the next business day: Mon, Aug 12, 2019).

Please publicly commit to a solution by that date of Mon, Aug 12, 2019.

