Category Archives: Configuring McAfee

IoT Devices: The Gift that Keeps on Giving… to Hackers


McAfee Advanced Threat Research on Most Hackable Gifts

You’ve probably noticed the recent increase in Internet connected drones, digital assistants, toys, appliances and other devices hitting the market and maybe even showing up in your own home. The sale of these “Internet-of-Things” (IoT) devices is expected to reach 600 million units this year and, unfortunately, security has sometimes become a casualty of the race among manufacturers to be the first to sell these smart gadgets into millions of homes. This has provided potentially millions of opportunities for hackers to see what devices they can compromise and possibly even control. In the past year hackers and security researchers were able to bypass the security of a range of these IoT devices.


It was discovered early this year that the Cayla doll could allow hackers to take control of the toy and record video and audio without the user’s consent. A demonstration by the National Cyber Security Centre in London also shows the doll could be used to unlock smart locks, allowing criminals to compromise your home through the front door. The flaw is so serious that Germany’s Federal Network Agency required retailers to pull the dolls off shelves, banning them throughout the country. In the United States, the Federal Bureau of Investigation (FBI) also released a public service announcement alerting the public to the potential risk Internet connected toys pose. The defect in the Cayla doll lies in the insecure Bluetooth connection, which allows anyone to listen and converse through the doll using an ordinary mobile phone.

Similar security flaws were recently found in multiple children’s watches being sold across Europe and the UK. Security experts commissioned by the Norwegian Consumer Council found the smart watches could allow outsiders to track the child through the GPS signal, access personal data on the device, disable the emergency SOS function, and remotely listen to the youngster without the knowledge of a parent or guardian. On a positive note, the manufacturers behind the watches have responded responsibly and either have or are in the process of correcting the defects.


Internet connected cameras and baby monitors have been around for a few years, but manufacturers are still shipping insecure devices. A quick search on the IoT search engine Shodan for the word “IPCamera” shows more than 39,000 in total. This year saw multiple stories surface involving hackers able to remotely control cameras, record video and audio, and even speak to children. We often see consumers configure cameras with remote access, but fail to put in place the correct security controls. Failure to change default passwords or use of weak passwords is a common offense among users. In other instances, the manufacturer of the device uses outdated third party software or leaves ports open by default.


Controlling your smart devices with digital assistants from Apple, Amazon, Google, and others is a neat way to control lights, appliances, and the home’s A/C unit. Researchers from Zhejiang University in China released a report in August showing it’s possible to interact with the assistant using inaudible ultrasound commands. The scientists dubbed their findings the “DolphinAttack” and could issue commands to the device at a frequency that is too high for humans to hear but was still understood by a range of assistants, including Siri, Google Now, Cortana, and Alexa. The researchers demonstrated it’s possible for someone to issue a range of commands from a distance without anyone near the device realizing the assistant was being controlled remotely. Although no real-world hacks are known at this time, it’s safe to say hackers are well aware of the vulnerability.


Drones will most certainly be at the top of many a Christmas list this year. The market has exploded and sales of drones for personal use are expected to be over $2 billion globally in 2017. With that many drones in the sky, and ample evidence that the devices can be hijacked, the security world has taken serious notice. Security researcher Jonathan Andersson demonstrated how he was able to take control of a drone mid-flight, resulting in the owner losing complete control. The flaw lies in the wireless transmission control protocol DSMx, which is used in the communication between radio controllers and many remote-control devices, including drones. The researcher created a hardware device which takes advantage of the DSMx protocol flaw, and allows him to make the hijacked drone perform a range of movements, including stopping, starting, and steering. The good news is the hacking device was not made public, but that won’t stop hackers from attempting to make their own similar gadget to take control of drones from unsuspecting users.

It’s not uncommon for hackers to prey on the latest popular Internet connected devices. Millions of IoT devices will be purchased this holiday season, and consumers will be well-served to do their homework. You don’t need to become an expert, but reading the user’s manual before connecting a device to the Internet is a good practice to make sure the gadget is set up properly. Make sure to also keep the device’s firmware up to date, downloading any manufacturer updates to safely fix any newly discovered vulnerabilities. If you’re purchasing an IoT device as a gift, make sure to research it first for known vulnerabilities so you don’t get caught giving a gift that could turn out to be a security risk. It only takes one hacked device that is connected to your home’s Wi-Fi to allow personal data to be stolen, devices to be hijacked, or your connected gadgets themselves to become part of a botnet of infected systems that hackers use to launch attacks on other home and business systems.


Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps


Microsoft Office macros are a popular method of distributing malware. Users can defend themselves against macro attacks by disabling macros. McAfee Labs has now seen a new attack technique using a feature of Office applications that helps create dynamic reports. In this post we will explain this technique and offer a method to prevent the execution of malicious tools related to it.

This new technique takes advantage of Microsoft’s Dynamic Data Exchange protocol to execute command(s). DDE “sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available,” according to MSDN. (Microsoft advises that you disable DDE.)

During the course of our research into some interesting COM and OLE objects specifically related to Office malware, we found a SensePost blog that describes how this new technique could be used in both innocent and malicious ways. The author noted that the COM methods DDEInitialize and DDEExecute were present in Excel and Word and that DDE gives us the option to execute commands.

The DDE Protocol

The DDE protocol was created to exchange data among Office applications. It is not inherently malicious. This feature is useful for some companies and businesses to create dynamic reports and documents. For example, we can create a Word file that can grab data from Excel spreadsheets using this feature.

The problem is that this protocol also provides the option to run applications such as cmd.exe, which can run other executables on the system, for example, PowerShell.exe.

As explained in the SensePost blog, we can use this feature in Word to run cmd.exe, and from cmd.exe run any executable we want. For example, if the developer put in the formula field the following instruction:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}

This instruction will open cmd.exe and then calc.exe, as in Figure 1:

Figure 1.


Malicious Method

During our research we obtained a sample that uses this technique. The file runs PowerShell to execute a command that tries to download a file from an external source. (During our analysis this control server was down.)

When the user opens this file, they see the following message:

Figure 2.

A Yes click leads to this:

Figure 3.

At this point Word asks if the user wants to open cmd.exe. A Yes response runs cmd.exe and the code in the formula is executed (Figures 4a and 4b):

Figures 4a and 4b.

Now the PowerShell code runs and the download starts:

Figure 5.

The malicious command is obfuscated in an XML object (document.xml) within the Word file:

Figure 6.

The source of the download is offline so PowerShell could not reach the control server to transfer the suspicious file. And we cannot be certain what this file would do. Nonetheless, this feature can be used in a malicious way and put systems in danger. Can McAfee help control this technique? Yes, and here’s how to do that.

Setting Restrictions to Prevent this Technique

To set up our defense we need to create some rules to prevent the execution of applications from Word and Excel without our permission.

Follow these steps in McAfee Endpoint Security.

Open Threat Prevention:

Figure 7.

Click Show Advanced:

Figure 8.

Go to Rules and click Add:

Figure 9.

In Add Rule, click Executables/Add:

Figure 10.

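Select the option Block and Report. Then click on Executables/Add, and add Word and Excel like this (these paths are for a 32-bit Office14 installation; use the paths where EXCEL.EXE and WINWORD.EXE are installed on your systems):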

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Under Subrules click Add:

Figure 11.

And then:

  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\cmd.exe

As well as:

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe


Follow these steps in VirusScan Enterprise.

Open the VirusScan Console in Administrator Mode:

Figure 12.

Click on Access Protection, User-Defined Rules, New:

Figure 13.

Select New Rule Type and click OK:

Figure 14.

Add the exception to block cmd.exe:

Figure 15.

In VSE you must create rules for Word and Excel:

  • winword.exe
  • excel.exe

In File or Folder to Block add:

  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\cmd.exe

As well as:

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe


Microsoft’s Dynamic Data Exchange protocol can be useful for creating dynamic reports in Office. But it is exploitable. Following this procedure in McAfee ENS and VSE will ensure that DDE does not open the door to potential malicious behavior.
