McAfee Labs Goes After Evil Maid
Monday October 26, 2009 at 4:11 am CST
Posted by Aditya Kapoor, Rachit Mathur
In her recent blog Joanna Rutkowska describes a proof-of-concept code to attack Truecrypt system disk encryption. The blog also mentions “the concept behind the Evil Maid Attack is neither new, nor l33t in any way.” However, because the POC is now published, we expect script kiddies to jump on this opportunity and tweak this code to their advantage.
As always, to protect our customers we looked into a possible AV detection mechanism to alert users in case the system is compromised. Obviously an AV cannot prevent an Evil Maid attack, but alerting a user on the first reboot after such an infection can go a long way in preventing data loss.
We now detect this proof-of-concept code as Trojan PWS-EvilMaid!demo, due to its password-stealing capabilities. We will watch for any future variants that follow this trend. Here is the screenshot of McAfee alerting the user once the machine is infected. We recommend you reinstall Truecrypt if you see this detection.
Protect what you value!
October 26th, 2009 at 04:42
So if this attack is “neither new, nor l33t in any way”, why did it take the public publishing of POC code for McAfee to take any action to mitigate the affect, instead of sitting on their hands?
October 26th, 2009 at 20:22
[...] McAfee Labs goes after EvilMaid! [...]
November 17th, 2009 at 08:50
[...] moment may be simply to detect the presence of the Maid on boot, for example with something like McAfee AV which already has rules to detect Evil Maid, and [...]