Kaamar Blog

This is the Kaamar Blog, where we will show our latest news, showcase our latest mosaics and new features, tell you more about us, document our programming trials and tribulations, or just write articles on any topic we feel like!

Rumor Tamed but Damage Done!

Keith & Annabel Morrigan on Friday, 20 January, 2012 at 18:19:25 (modified: 23 January, 2012 at 13:00:00)

Our first blog entry becomes Worldwide news!

We are stunned by the response to our first blog post Rumor turns Rogue - McAfee Software Hacked! on our McAfee problems and guidance for other affected users. Power to the internet!!

Thank you to all those reporters, with special thanks to Elinor Mills for her CNET article and to Leo Kelion for his BBC article.

Other than one small blog post, the global threat intelligence systems run by McAfee report all the other security threats, but not their own! "Sorry" seems to be the hardest word!

UPDATE 23/01/12: Although no major announcement from McAfee, they have now published Security Bulletin SB10018 on this issue.

The McAfee problem in summary

In our post Rumor turns Rogue - McAfee Software Hacked! we explained that the McAfee SaaS Total Protection service, intended to protect computers from internet hazards, was itself allowing others to send spam (amongst other things) from our server by acting as an "open proxy".

Many others were also believed to be affected, with more seen every day, so we advised that the Rumor Service (part of the McAfee software) should be disabled, and firewall rules changed to block incoming tcp traffic on port 6515, until a McAfee patch was issued.

Affected users could have internet connection problems, problems with their ISP due to the huge traffic caused and long term issues with blacklisting and returned emails.

McAfee have issued a patch

A McAfee patch has been issued through the automatic update procedure. According to David Marcus, Director of Security Research for McAfee Labs on his blog, "We have mitigating factors already in place that reduce risk" and "all affected customers will automatically receive the patch when it is released" which "will close this relay capability" (as well as fix an ActiveX issue).

Sure enough, this morning we found that one Vista PC (not suffering from the open proxy issue) had been automatically updated. Unfortunately our server, which had been affected, had not been updated.

From the number of port 6515 open proxies still being listed/found on Hinky Dink's Proxy Obsession as of today, clearly there are still other affected users without the patch yet.

UPDATE 23/01/12: Many new 6515 open proxies are still being found!!

Our experience with the patch upgrade

We disabled our Rumor service and installed 6515 port blocking firewall rules on 5th January, but highlighted that the Rumor service could be restarted as part of an automatic upgrade.

With these rules in place, and with monitoring of the Rumor service to switch it off again if it restarted, automatic updates continued as normal until 13th January, since when no successful updates have occurred.

We are assuming that prevention of upgrades, with the corresponding risk of restarting the Rumor service, was one of the "mitigating factors" mentioned on the McAfee blog.

We had to restart the updating service and carry out a manual upgrade to install the patch, so have included instructions below for any others with the same problem.

Ensuring you have the latest patch

Either double click on the McAfee shield symbol in the System Tray (normally bottom right corner of the screen), or right click on it and select Open Console from the context menu.
On the Action Menu dropdown list, select Product Details.
In the Security Center Communication section it should say Product version : 5.2.3 Patch 4

If it shows Product version : 5.2.3 Patch 3 you are not patched yet.

Manual Update

To start a manual update, right click on the McAfee shield symbol in the System Tray and select Update Now from the context menu. This should open a dialog box showing the update progress.

For us this did not work. Initially no dialog box opened - on a later attempt, the dialog box did open but froze with a message about checking our internet connection.

Our first thought was that our recommended firewall rules were blocking the update, which caused some concern as we did not want to be responsible for providing duff advice!

Through trial and error we determined that the firewall rules were not blocking the update, but that the update process just wasn't working (perhaps the "mitigating factors" had tied it up in knots).

So, if your update doesn't work try this:
Close the McAfee console window, if it is still open.
Start > Administrative Tools > Services
Press Continue to “Windows needs your permission to continue” (if it comes up)
Click on the service “McAfee Virus and Spyware Protection Service” described as “Controls scanning and updating activities at the desktop for Virus and Spyware Protection Services.”.
Look at the top of the empty border to the left of the list of services where it should show the McAfee service name with Stop/Restart the service links and press the Restart link.

You should see a Service Control dialog box showing progress of the service being stopped/started before disappearing.

Even after restarting the service, our system failed to carry out an automatic update and a manual update was required.

Start a manual update by right clicking on the McAfee shield symbol in the System Tray and select Update Now from the context menu. This should open a dialog box showing the update progress.

Once the update is complete, check again that you have the right version. We have found the automatic update to be working since our manual update.

Does the patch work?

In a word, YES!

Although reluctant to cause further spamming, we did a test for a short period by restoring the original firewall rules with the Rumor service enabled and carefully monitored our router.

Even two weeks after blocking incoming 6515 connections, we are still getting up to 10 connection requests a second on port 6515 (it was more like a hundred at peak), so it was easy to see if any would be passed on.

We were pleased to see that despite hundreds of incoming connections we had no outgoing connections (except for netbios-ns calls where Windows is trying to identify the callers).

Now what?

Because we were affected, still have numerous incoming 6515 calls and need to minimise the traffic these can cause, we will continue to keep the firewall rules in place, and will disable the Rumor Service whenever it pops to life again.

Our ISP indicated that our traffic had returned largely to normal when Rumor was off and not answering incoming calls - we are not sure what counts as traffic! If Rumor is on and listening but 6515 is blocked on our firewall, then the firewall logs quickly fill with DROP messages - does this count as traffic? Again, if Rumor is on and listening with no firewall blocks, does this count as traffic? Or the resulting netbios-ns calls (which we will block)?
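
One way to put numbers on those DROP messages, as an added example that is not part of the Kaamar post: the PowerShell function below reads Windows Firewall log lines (the W3C-style pfirewall.log that is written once dropped-packet logging is switched on in Windows Firewall with Advanced Security) and reports how many TCP 6515 connection attempts were dropped, from how many sources, and the peak and average rate per second. The log lines in the block are constructed sample data; the port comes from the posts, while the addresses, timestamps, and the default log path are assumptions.

```powershell
# Added example (not from the Kaamar post): count dropped TCP 6515 connection attempts
# in the Windows Firewall log and work out the rate per second. Requires dropped-packet
# logging to be switched on (Windows Firewall with Advanced Security > Properties >
# Logging); the log is W3C-style, one packet per line, header lines start with '#'.

function Measure-DroppedConnections {
    param(
        [string[]]$LogLines,     # lines from pfirewall.log
        [int]$Port = 6515        # port from the post
    )
    $hits = @(foreach ($line in $LogLines) {
        if ($line.StartsWith('#')) { continue }      # "#Version:" / "#Fields:" headers
        $f = $line -split '\s+'
        # Field order: 0 date, 1 time, 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 6 src-port, 7 dst-port
        if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[7] -eq "$Port") {
            [pscustomobject]@{ Second = "$($f[0]) $($f[1])"; Source = $f[4] }
        }
    })
    $perSecond = @($hits | Group-Object Second)
    $peak = 0; $mean = 0
    if ($perSecond.Count -gt 0) {
        $peak = ($perSecond | Measure-Object -Property Count -Maximum).Maximum
        $mean = [math]::Round($hits.Count / $perSecond.Count, 2)
    }
    [pscustomobject]@{
        TotalDrops      = $hits.Count
        DistinctSources = @($hits | Select-Object -ExpandProperty Source -Unique).Count
        PeakPerSecond   = $peak
        MeanPerSecond   = $mean
    }
}

# Constructed sample: a few seconds of probes against 6515 from four sources (documentation
# addresses, not real hosts), plus unrelated UDP and outbound lines that must be ignored.
$sample = @(
    '#Version: 1.5',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
)
$sources = '198.51.100.7', '198.51.100.8', '203.0.113.9', '203.0.113.10'
foreach ($sec in 0..4) {
    foreach ($i in 0..(($sec % 3) + 1)) {          # 2, 3 or 4 probes in each second
        $src  = $sources[($sec + $i) % $sources.Count]
        $time = '18:19:{0:00}' -f (25 + $sec)
        $sample += "2012-01-20 $time DROP TCP $src 192.0.2.10 $(50000 + 10 * $sec + $i) 6515 52 S 1 0 8192 - - - RECEIVE"
    }
}
$sample += '2012-01-20 18:19:26 DROP UDP 198.51.100.7 192.0.2.10 137 137 78 - - - - - - - RECEIVE'
$sample += '2012-01-20 18:19:27 ALLOW TCP 192.0.2.10 203.0.113.50 49200 443 0 - 0 0 0 - - - SEND'

Measure-DroppedConnections -LogLines $sample

# Against the real log (default location, elevated prompt):
# Measure-DroppedConnections -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Whether a blocked SYN "counts as traffic" for the ISP is a question only the ISP can answer, but the peak-per-second figure tells you how many callers are still knocking, and the distinct-source count shows whether it is a handful of scanners or a whole botnet's worth of relays that still remember your address.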

Now to try and get back to normal!

Now we know we are secure again, we can try to get back to normal, gradually restoring various functions that we had to suspend, such as our Google Shopping listings and our advertising.

We have been tied up with this, in one way or another, since the beginning of the year. Hopefully we can even get back to our mosaics!

Some aspects will be difficult for us to fix, such as the rating downgrading/blacklisting of emails and reputation damage on security listings all over the world. For some time we are likely to never know who we can email without it being returned, or marked as Junk Mail.

We are still hoping that McAfee will help to restore our reputation, which they have damaged - we will have to wait and see!


Rumor turns Rogue - McAfee Software Hacked!

Keith & Annabel Morrigan on Monday, 16 January, 2012 at 16:20:00 (modified: 20 January, 2012 at 18:19:24)

UPDATE 20/01/11: See follow up story: Rumor Tamed but Damage Done!

Warning! Your computer could be at risk!

If you are using a McAfee security product to protect your computer on the internet you should act now. McAfee software has been hacked, turning the affected computers into “open proxies” and allowing dubious users to hijack their internet connection to access illicit sites and send spam, as if coming from them!

It is believed that thousands of computers have been compromised so far, with more being affected every day. In the absence to date of any formal announcement or solution from McAfee on this critical issue, Kaamar are posting this to help other McAfee users prevent damage to their systems and their online reputation.

UPDATE 19/01/11: McAfee have announced a patch will be released through the normal automatic update process, when testing is finished on 18th or 19th (US - could be 20th in UK).

McAfee Rumor Service Hacked.

McAfee Software can include their Rumor Technology which is part of a system for delivering updates to computers without a direct internet connection. It appears to be installed even when not required, along with firewall rules to allow internet access, and one of the tcp ports it uses is port 6515.

We do not know exactly how, but this Rumor technology has been hacked so that it acts as an Open Proxy on port 6515. This means that your IP address can be used by anyone to bounce messages and spam on to other sites, as if coming from your address.

While there is no indication of any unauthorised access to the files or databases on the affected computers, the massive increase in unwanted traffic can have serious short and long term implications.

How to protect your computer...

Details may vary between operating systems, Windows versions and McAfee products, but for our server the answer was:

1) Disable the Rumor Service

Start > Administrative Tools > Services
Press Continue to “Windows needs your permission to continue”.
Double click on the service “McAfee Peer Distribution Service” described as “Rumor Network Server”.
Press the Stop button to stop the service.
Change the Startup type to Disabled using the dropdown list.
Press the OK button.

Do not disable other McAfee services as this may leave you unprotected.

2) Use your Firewall to block incoming connections on tcp port 6515

This is a backup solution as the Rumor Service can be restarted by the automatic McAfee updates. If you are using the McAfee firewall we are not sure how to do this: you will need to use an external firewall. Fortunately many broadband routers/modems have some sort of firewall built in, and you can add firewall rules using their administrative menus, please refer to the manual for your router/modem.

If you are using the Windows Firewall:

Start > Administrative Tools > Windows Firewall with Advanced Security
Press Continue to “Windows needs your permission to continue”.
Click on “Inbound Rules” on the left panel.
For Each “Managed Services Agent” rule in the middle panel, select the rule then click “Disable Rule” on the right hand panel.
Now click New Rule... in the right hand panel.
Select “Port” rule and click Next
Leave TCP selected, type 6515 into the Specific local port box, press Next.
Select “Block the connection” and press Next.
Leave all boxes ticked and press Next.
Type a name such as “Block 6515” as the rule name and press Finished.

Some games also use port 6515 so may be blocked. We have shown a rule for blocking all 6515 traffic, but advanced users could equally block just the myAgtSvc.exe program (in the C:/Program Files/McAfee/Managed VirusScan/Agent or C:/Program Files (x86)/McAfee/Managed VirusScan/Agent directories) applied to the “McAfee Peer Distribution Service” service.

Note that these instructions assume you are NOT using the Rumor technology to deliver updates to computers without a direct internet connection.
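
The two steps above can also be scripted. The PowerShell below is an added example (not Kaamar's or McAfee's code) that stops and disables the service by the display name given above, disables the "Managed Services Agent" inbound rules, adds the "Block 6515" rule with netsh advfirewall (which is present on Vista and Server 2008, where the newer New-NetFirewallRule cmdlet is not), and finally checks that nothing is still listening on the port. The service and rule names are taken from the post; the script assumes they match exactly on your system and that it is run from an elevated prompt.

```powershell
# Added example (not from the Kaamar post): scripted version of steps 1) and 2) above.
# Run from an elevated PowerShell prompt. Service and rule names are those the post
# gives; the script assumes they match exactly on your system.

$rumorDisplayName = 'McAfee Peer Distribution Service'   # the Rumor Network Server
$agentRuleName    = 'Managed Services Agent'             # McAfee's own inbound allow rules
$blockRuleName    = 'Block 6515'
$port             = 6515

# 1) Stop the Rumor service and set it to Disabled so a reboot does not bring it back.
#    No other McAfee service is touched, as the post warns.
$svc = Get-Service -DisplayName $rumorDisplayName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "Service '$rumorDisplayName' not found; nothing to disable."
} else {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Set-Service -Name $svc.Name -StartupType Disabled
    $svc = Get-Service -Name $svc.Name
    Write-Host "Service '$($svc.Name)' is now $($svc.Status) and set to Disabled."
}

# 2) Firewall: disable the existing "Managed Services Agent" allow rules, then add a
#    rule blocking inbound TCP 6515. netsh advfirewall is used because it exists on
#    Vista / Server 2008; New-NetFirewallRule only arrived with Windows 8 / Server 2012.
netsh advfirewall firewall set rule name="$agentRuleName" dir=in new enable=no | Out-Null

$existing = netsh advfirewall firewall show rule name="$blockRuleName"
if ($existing -match 'No rules match') {
    netsh advfirewall firewall add rule name="$blockRuleName" dir=in action=block protocol=TCP localport=$port | Out-Null
}
netsh advfirewall firewall show rule name="$blockRuleName"

# Check: with the service stopped, nothing should be listening on TCP 6515 any more.
$listening = netstat -noa | Select-String -Pattern ":$port\s+\S+\s+LISTENING"
if ($listening) { Write-Warning "Still listening on TCP $port :`n$($listening -join "`n")" }
else            { Write-Host "No listener on TCP $port." }
```

Because an automatic update can re-enable the service, the script is safe to re-run: it only stops the service if it is running and only adds the block rule if it is not already there, so it can be scheduled or kept to hand for the "pops back to life" case described in the follow-up post.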

How to tell if you are already affected...

For a start you may find your internet connection slow or interrupted, get a traffic warning from your ISP or find that your emails are returned because you have been blacklisted.

There are several ways of detecting the open proxy activity, all a bit complex; the simplest is to use the Resource Monitor via the Task Manager:

Either Ctrl-Alt-Delete and select Start Task Manager, or right click on the bottom toolbar and select Task Manager from the popup context menu.
Click on the Performance tab, then on the Resource Monitor button.
Press Continue to “Windows needs your permission to continue”.
Press the down arrow at the right of the Network grey bar to show the list of programs with active connections.
If you see lots of myAgtSvc.exe listed, you have been hacked and are acting as an open proxy.

Other methods for checking for mass incoming connections on port 6515 and mass unknown outgoing connections include checking your router logs, downloading and running TCPView, or running “netstat -noa” in a command window. Some of these will also either identify a process id so you can find the name of the process in Task Manager, or may identify myAgtSvc.exe or the RumorService directly.
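
Reading a busy netstat -noa listing by eye is hard. As an added example that is not from the original post, the PowerShell function below parses that output and flags any process that has many established inbound connections on local port 6515 and, at the same time, outgoing connections of its own, counting separately those to port 25, which is exactly the pattern described above. The netstat lines in the block are constructed sample data in the real netstat -noa column layout; the addresses, PIDs and the threshold of 20 inbound connections are assumptions, and only the ports come from the post.

```powershell
# Added example (not from the Kaamar post): parse "netstat -noa" output and flag the
# open-proxy pattern described above - one process with many inbound connections on
# TCP 6515 that is also making outgoing connections, some of them to port 25 (SMTP).

function Find-OpenProxyPattern {
    param(
        [string[]]$NetstatLines,          # raw lines as printed by netstat -noa
        [int]$ProxyPort = 6515,           # port from the post
        [int]$InboundThreshold = 20       # assumed: below this we do not raise an alarm
    )
    # Columns: Proto  Local Address  Foreign Address  State  PID (UDP and header lines are skipped)
    $conns = foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalPort  = [int]$Matches[2]
                RemoteAddr = $Matches[3]
                RemotePort = [int]$Matches[4]
                State      = $Matches[5]
                Pid        = [int]$Matches[6]
            }
        }
    }
    foreach ($group in ($conns | Group-Object Pid)) {
        # Inbound to the proxy port: our side is :6515 and the peer has connected.
        $inbound  = @($group.Group | Where-Object { $_.LocalPort -eq $ProxyPort -and $_.State -eq 'ESTABLISHED' })
        # Outbound: connections the same process opened itself (any other local port).
        $outbound = @($group.Group | Where-Object { $_.LocalPort -ne $ProxyPort -and $_.State -ne 'LISTENING' })
        $smtp     = @($outbound | Where-Object { $_.RemotePort -eq 25 })
        if ($inbound.Count -ge $InboundThreshold -and $outbound.Count -gt 0) {
            [pscustomobject]@{
                Pid           = [int]$group.Name
                InboundOnPort = $inbound.Count
                Outbound      = $outbound.Count
                OutboundSmtp  = $smtp.Count
                Verdict       = "relaying: $($inbound.Count) inbound on $ProxyPort, $($outbound.Count) outbound"
            }
        }
    }
}

# Constructed sample in the netstat -noa layout; PID 1234 plays the Rumor service,
# PID 5678 an ordinary browser. Addresses are documentation ranges, not real hosts.
$sample = @('  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING       1234')
foreach ($i in 1..30) {
    $sample += "  TCP    192.0.2.10:6515        198.51.100.$($i):$(4000 + $i)      ESTABLISHED     1234"
}
$sample += '  TCP    192.0.2.10:49152       203.0.113.5:25         ESTABLISHED     1234'
$sample += '  TCP    192.0.2.10:49153       203.0.113.6:25         ESTABLISHED     1234'
$sample += '  TCP    192.0.2.10:49154       203.0.113.7:80         ESTABLISHED     1234'
$sample += '  TCP    192.0.2.10:49155       203.0.113.8:443        ESTABLISHED     5678'

Find-OpenProxyPattern -NetstatLines $sample | Format-Table -AutoSize

# Live check on the affected machine (elevated prompt), resolving the PID to a process
# name the way the post does with Task Manager:
# Find-OpenProxyPattern -NetstatLines (netstat -noa) |
#     Select-Object *, @{ n = 'Process'; e = { (Get-Process -Id $_.Pid).ProcessName } }
```

On the sample only PID 1234 is reported, because the browser process has outgoing connections but nothing inbound on 6515. A genuine update relay would also show inbound connections on 6515, which is why the function insists on both halves of the pattern before calling a process a relay; the SMTP count is what turns "busy" into "sending spam".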

How do we know McAfee has been hacked?

Our Windows 2008 server was one of the computers affected. We first realised there was a problem on the 4th January 2012 when an email was returned undelivered with the message: “Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.”

On checking through our mail logs, we also noticed that an earlier email sent 2nd January had been delayed with a message saying our IP was on the spamhaus/cbl list as being infected with a trojan spambot.

This came as some surprise, as we rarely do anything manual on this server and have tight firewall/antivirus security, but sure enough I did detect rampant hidden connection activity going on in the background and spent several days trying to establish/clean the problem. We tried several updated malware and rootkit removal scans, and manually looked for anything dodgy in filesystem and registry, without results.

We did however find, through investigation of router logs/netstat/tcpview, that the apparent culprit was the RumorServer Service myAgtSvc.exe (McAfee Peer Distribution Service) which is part of our McAfee Total Protection Security!

myAgtSvc.exe and associated DLLs appear to be valid and digitally signed, but this service was receiving many hundreds of incoming connections on port 6515, and responded by making hundreds of outgoing connections to web servers, including to email servers on port 25 (i.e. we were sending spam!).

Disable the service and the outgoing connections stop (it may however restart on automatic upgrade). Disabling the Windows Firewall incoming rules for Managed Services Agent, and adding incoming rules to block program myAgtSvc.exe on service RumorServer on all ports/protocols stopped the 6515 traffic getting in, which stopped the outgoing traffic (an outgoing rule did not work on its own).

On 5th January we finally managed to halt the traffic, but received a traffic data limit warning from our ISP that we were approaching our whole month’s traffic in only a few days. Later communication with our ISP indicated that it started 31/12/11 and peaked over a couple of days, but is now back to normal.

At peak we had the equivalent of 10 months of our normal traffic in one day!

Further research revealed that other users were affected in a similar fashion, that our IP addresses were listed on dozens of sites as being Anonymous “Open Proxy” servers on port 6515 during this time period, that from the start of December many other IP addresses were also being listed as open proxies on port 6515, that new open proxies on port 6515 were being discovered daily, and that many messages were detected with HTTP_VIA headers showing they were forwarded by a “McAfee Relay Server” in various versions.

We advised McAfee on 5th January of our concern that the Rumor Service had been hacked, have continually updated them of our findings confirming the problem, and have fully cooperated in their investigations so they can solve this issue.

Affected McAfee software.

To date, the only version we know for sure to be affected is the McAfee SaaS Endpoint Protection Suite (previously known as the Total Protection Service), however we believe the same Rumor technology is used in other products. Please let us know if your product has been affected so we can add it to the list.

UPDATE 19/01/11: McAfee have indicated that only the SaaS Total Protection service is affected.

What damage does this cause...

Damage effects may be many and varied according to your setup. For a start, your ISP is not likely to be happy with you.

You may face additional charges for excess traffic, be imposed with future traffic limiting or even disconnection.

If you send email, especially if you use your own server, as we do, you may be blacklisted, and unable to send email to many people. We found our IP addresses (217.40.97.81 to 217.40.97.85) on several public blacklists that had detected the spamming activity passing through our open proxy during the few days it was open.

Some of these (with a Yes/No policy) have already removed us once they detected that spamming has stopped, however other systems use a complex rating system to monitor for spam over time: once given black marks for spamming on these systems your reputation is damaged for the foreseeable future and your emails may not be delivered.

We don’t spam or even send many emails, but we need them to get through! Unfortunately there are numerous blacklisting services, and many of the big online email services use complex internal rating systems – we have very little chance of getting our rating adjusted.

As an ultimate insult, even McAfee, whose software is at the root of our problems, now rate our email IP as High Risk: we can't email them as they have blacklisted us!

There can be further and more significant implications for businesses with online servers, especially web servers with ecommerce. Apart from direct loss of sales while your internet connection is affected, damage to the online reputation of your IP addresses and domains may lose you visitors/customers and limit your ability to trade in the future - how will you send membership details, order acknowledgements and receipts for your site if all your emails are blocked? How much time, effort and money have you spent developing and protecting your online presence, only to find your reputation trashed?

One other example: for ecommerce sites such as our shop that have their products listed on Google Shopping, if your internet connection is playing up and your website is unavailable even for a short time, this can lead to account suspension and the permanent removal of your products from Google Shopping. We already have a couple of warnings on our record due to this issue.

Have you been affected?

While we are waiting for McAfee to fix this issue, we are avoiding sending emails through our own addresses, have stopped our online advertising, disabled our product listings in Google Shopping and spent a lot of time and effort identifying the problem and on damage limitation. Once we know that the issue is fixed and we are fully secure again, we can restart normal activity and try to restore our reputation on blacklists etc. However, we are only a small company with minimal online clout so this will be tricky.

We call upon McAfee, whose security software is at the root of our problems, to assist us in this regard. They have the resources, expertise, influence and contacts to support their affected users in restoring their reputations (or even enhancing their status, as after all they are security conscious users using leading McAfee security).

If you have also been affected please let us know what damage it has caused, your affected IP addresses/domains/emails, what you did to fix it for your operating system/firewall as well as which McAfee product you were using, so we can update our guidance accordingly and gather information to help McAfee fix this for us all once the dust has settled.

With many thanks for their contributions to @mrhinkydink as well as to TechNet users marky9074 and paulo2323

