Kaamar Blog

This is the Kaamar Blog, where we will show some of the ideas we are working on, showcase our latest mosaics and new features, tell you more about us, document our programming trials and tribulations, or just write articles on any topic we feel like!

Rumor turns Rogue - McAfee Software Hacked!

Keith Morrigan on Monday, 16 January, 2012 at 16:20:00 (modified: 20 January, 2012 at 18:19:24)

UPDATE 20/01/12: See follow up story: Rumor Tamed but Damage Done!

Warning! Your computer could be at risk!

If you are using a McAfee security product to protect your computer on the internet you should act now. McAfee software has been hacked, turning the affected computers into “open proxies” and allowing dubious users to hijack their internet connection to access illicit sites and send spam, as if coming from them!

It is believed that thousands of computers have been compromised so far, with more being affected every day. In the absence to date of any formal announcement or solution from McAfee on this critical issue, Kaamar are posting this to help other McAfee users prevent damage to their systems and their online reputation.

UPDATE 19/01/12: McAfee have announced a patch will be released through the normal automatic update process, when testing is finished on 18th or 19th (US - could be 20th in UK).

McAfee Rumor Service Hacked.

McAfee Software can include their Rumor Technology which is part of a system for delivering updates to computers without a direct internet connection. It appears to be installed even when not required, along with firewall rules to allow internet access, and one of the tcp ports it uses is port 6515.

We do not know exactly how, but this Rumor technology has been hacked so that it acts as an Open Proxy on port 6515. This means that your IP address can be used by anyone to bounce messages and spam on to other sites, as if coming from your address.

While there is no indication of any unauthorised access to the files or databases on the affected computers, the massive increase in unwanted traffic can have serious short and long term implications.

How to protect your computer...

Details may vary between operating systems, Windows versions and McAfee products, but for our server the answer was:

1) Disable the Rumor Service

Start > Administrative Tools > Services
Press Continue to “Windows needs your permission to continue”.
Double click on the service “McAfee Peer Distribution Service” described as “Rumor Network Server”.
Press the Stop button to stop the service.
Change the Startup type to Disabled using the dropdown list.
Press the OK button.

Do not disable other McAfee services as this may leave you unprotected.

2) Use your Firewall to block incoming connections on tcp port 6515

This is a backup solution as the Rumor Service can be restarted by the automatic McAfee updates. If you are using the McAfee firewall we are not sure how to do this: you will need to use an external firewall. Fortunately many broadband routers/modems have some sort of firewall built in, and you can add firewall rules using their administrative menus, please refer to the manual for your router/modem.

If you are using the Windows Firewall:

Start > Administrative Tools > Windows Firewall with Advanced Security
Press Continue to “Windows needs your permission to continue”.
Click on “Inbound Rules” on the left panel.
For each “Managed Services Agent” rule in the middle panel, select the rule then click “Disable Rule” on the right hand panel.
Now click New Rule... in the right hand panel.
Select “Port” rule and click Next.
Leave TCP selected, type 6515 into the Specific local port box, press Next.
Select “Block the connection” and press Next.
Leave all boxes ticked and press Next.
Type a name such as “Block 6515” as the rule name and press Finished.

Some games also use port 6515, so they may be blocked by this rule. We have shown a rule for blocking all 6515 traffic, but advanced users could equally block just the myAgtSvc.exe program (in the C:\Program Files\McAfee\Managed VirusScan\Agent or C:\Program Files (x86)\McAfee\Managed VirusScan\Agent directories), applied to the “McAfee Peer Distribution Service” service.

Note that these instructions assume you are NOT using the Rumor technology to deliver updates to computers without a direct internet connection.
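The two steps above as one script, added here as an example and not taken from the Kaamar post or from McAfee: it stops and disables the service by its display name, then adds the inbound block rule with netsh advfirewall (present on Vista/Server 2008 and later) so that the block survives an update re-enabling the service. The service display name, port and rule name come from the post; the optional program path in the comment at the end is an assumption that must match the directory on your machine.

```powershell
# Added example (not from the Kaamar post or McAfee): disable the Rumor service and
# block inbound TCP 6515 as a backup. Run from an elevated PowerShell prompt.

$displayName = 'McAfee Peer Distribution Service'   # shown in Services as "Rumor Network Server"
$port        = 6515
$ruleName    = 'Block 6515'

# Step 1: stop and disable only the Rumor service; other McAfee services stay untouched.
$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
    }
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Output "Stopped and disabled '$displayName' (service name: $($svc.Name))"
} else {
    Write-Output "'$displayName' is not installed here; skipping step 1"
}

# Step 2: backup firewall rule, because an automatic McAfee update can restart the service.
# Only add the rule if one of this name does not already exist (netsh would add a duplicate).
$existing = netsh advfirewall firewall show rule name="$ruleName"
if (-not ($existing -match 'Rule Name:')) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=$port
}

# Verify: the rule is listed and the service reports StartMode = Disabled.
netsh advfirewall firewall show rule name="$ruleName"
Get-WmiObject Win32_Service -Filter "DisplayName='$displayName'" |
    Select-Object Name, State, StartMode

# Narrower alternative mentioned in the post: block only the Rumor program rather than all
# port 6515 traffic. Path assumed (64-bit layout); use the 32-bit path where appropriate.
# netsh advfirewall firewall add rule name="Block myAgtSvc" dir=in action=block program="C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\myAgtSvc.exe"
```

The WMI query is used for the final check because it reports the start mode on every Windows version of that era; the Get-Service object only gained a StartType property in later PowerShell releases.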

How to tell if you are already affected...

For a start you may find your internet connection slow or interrupted, get a traffic warning from your ISP or find that your emails are returned because you have been blacklisted.

There are several ways of detecting the open proxy activity, all a bit complex; the simplest is to use the Resource Monitor via the Task Manager:

Either Ctrl-Alt-Delete and select Start Task Manager, or right click on the bottom toolbar and select Task Manager from the popup context menu.
Click on the Performance tab, then on the Resource Monitor button.
Press Continue to “Windows needs your permission to continue”.
Press the down arrow at the right of the Network grey bar to show the list of programs with active connections.
If you see lots of myAgtSvc.exe listed, you have been hacked and are acting as an open proxy.

Other methods for checking for mass incoming connections on port 6515 and mass unknown outgoing connections include checking your router logs, downloading and running tcpview, or running “netstat -noa” in a command window. Some of these will also either identify a process id so you can find the name of the process in Task Manager, or may identify myAgtSvc.exe or the RumorService directly.
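The netstat check above, automated as an added PowerShell example (not from the Kaamar post): it parses the output of netstat -noa, counts established connections on local port 6515 per owning PID, and for any PID over a threshold also counts that PID's outgoing connections, separating out those to port 25, since inbound 6515 peers fanning out to mail servers is the pattern the post describes. The port and the myAgtSvc.exe name come from the post; the threshold, the sample addresses and the sample PIDs are constructed for the offline run.

```powershell
# Added example (not from the Kaamar post): flag PIDs that look like an open proxy on 6515.

function Get-ProxyIndicators {
    param(
        [string[]]$NetstatLines,        # raw lines from: netstat -noa
        [int]$Port = 6515,              # port the Rumor service listens on
        [int]$InboundThreshold = 20     # assumed: this many inbound 6515 peers on one PID is suspicious
    )
    # Parse TCP rows only; UDP rows carry no State column and do not match the pattern.
    $rows = foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                LocalPort  = [int]$matches[2]
                RemoteAddr = $matches[3]
                RemotePort = [int]$matches[4]
                State      = $matches[5]
                OwnerPid   = [int]$matches[6]
            }
        }
    }
    # Inbound proxy clients: local port is 6515 and the socket is past LISTENING.
    $inbound = @($rows | Where-Object { $_.LocalPort -eq $Port -and $_.State -ne 'LISTENING' })
    foreach ($group in @($inbound | Group-Object OwnerPid)) {
        if ($group.Count -lt $InboundThreshold) { continue }
        $owner = [int]$group.Name
        # Relayed traffic: the same PID connecting out to other servers (port 25 = mail).
        $outbound = @($rows | Where-Object { $_.OwnerPid -eq $owner -and $_.LocalPort -ne $Port })
        $smtp     = @($outbound | Where-Object { $_.RemotePort -eq 25 }).Count
        $name = '(PID not running on this host)'
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        if ($proc) { $name = $proc.ProcessName }
        New-Object PSObject -Property @{
            OwnerPid      = $owner
            Process       = $name
            InboundConns  = $group.Count
            InboundPeers  = @($group.Group | Select-Object -ExpandProperty RemoteAddr -Unique).Count
            OutboundConns = $outbound.Count
            OutboundSmtp  = $smtp
        }
    }
}

# Constructed sample in the netstat -noa layout (not a real capture): PID 1234 has many
# inbound 6515 peers and fans out to mail and web servers; PID 820 is an unrelated process.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING       1234',
    '  TCP    192.0.2.10:49160       203.0.113.9:443        ESTABLISHED     820',
    '  UDP    0.0.0.0:123            *:*                                    820'
)
foreach ($i in 1..25) {
    $sample += '  TCP    192.0.2.10:6515        198.51.100.{0}:{1}       ESTABLISHED     1234' -f $i, (40000 + $i)
}
foreach ($i in 1..8) {
    $sample += '  TCP    192.0.2.10:{0}        203.0.113.{1}:25        SYN_SENT        1234' -f (49200 + $i), $i
}
$sample += '  TCP    192.0.2.10:49300       203.0.113.50:80        ESTABLISHED     1234'

# Offline run on the constructed sample:
Get-ProxyIndicators -NetstatLines $sample | Format-Table -AutoSize

# Live check on a Windows host (run elevated so netstat can report every owning PID):
# Get-ProxyIndicators -NetstatLines (netstat -noa)
```

On a live host the Process column is what you compare against the post: a flagged PID whose process is myAgtSvc.exe, with a large InboundPeers count and a non-zero OutboundSmtp count, matches the open-proxy behaviour described here.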

How do we know McAfee has been hacked?

Our Windows 2008 server was one of the computers affected. We first realised there was a problem on the 4th January 2012 when an email was returned undelivered with the message: “Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.”

On checking through our mail logs, we also noticed that an earlier email sent 2nd January had been delayed with a message saying our IP was on the spamhaus/cbl list as being infected with a trojan spambot.

This came as some surprise, as we rarely do anything manual on this server and have tight firewall/antivirus security, but sure enough I did detect rampant hidden connection activity going on in the background and spent several days trying to identify and clean up the problem. We tried several updated malware and rootkit removal scans, and manually looked for anything dodgy in the filesystem and registry, without results.

We did however find, through investigation of router logs/netstat/tcpview, that the apparent culprit was the RumorServer Service myAgtSvc.exe (McAfee Peer Distribution Service) which is part of our McAfee Total Protection Security!

myAgtSvc.exe and associated DLLs appear to be valid and digitally signed, but this service was receiving many hundreds of incoming connections on port 6515, and responded by making hundreds of outgoing connections to web servers, including to email servers on port 25 (i.e. we were sending spam!).

Disable the service and the outgoing connections stop (it may however restart on automatic upgrade). Disabling the Windows Firewall incoming rules for Managed Services Agent, and adding incoming rules to block the program myAgtSvc.exe on service RumorServer on all ports/protocols, stopped the 6515 traffic getting in, which stopped the outgoing traffic (an outgoing rule did not work on its own).

On 5th January we finally managed to halt the traffic, but received a traffic data limit warning from our ISP that we were approaching our whole month’s traffic in only a few days. Later communication with our ISP indicated that it started 31/12/11 and peaked over a couple of days, but is now back to normal.

At peak we had the equivalent of 10 months of our normal traffic in one day!

Further research revealed that other users were affected in a similar fashion, that our IP addresses were listed on dozens of sites as being Anonymous “Open Proxy” servers on port 6515 during this time period, that from the start of December many other IP addresses were also being listed as open proxies on port 6515, that new open proxies on port 6515 were being discovered daily, and that many messages were detected with HTTP_VIA headers showing they were forwarded by a “McAfee Relay Server” in various versions.

We advised McAfee on 5th January of our concern that the Rumor Service had been hacked, have continually updated them of our findings confirming the problem, and have fully cooperated in their investigations so they can solve this issue.

Affected McAfee software.

To date, the only version we know for sure to be affected is the McAfee SaaS Endpoint Protection Suite (previously known as the Total Protection Service), however we believe the same Rumor technology is used in other products. Please let us know if your product has been affected so we can add it to the list.

UPDATE 19/01/12: McAfee have indicated that only the SaaS Total Protection service is affected.

What damage does this cause...

Damage effects may be many and varied according to your setup. For a start, your ISP is not likely to be happy with you.

You may face additional charges for excess traffic, be imposed with future traffic limiting or even disconnection.

If you send email, especially if you use your own server, as we do, you may be blacklisted, and unable to send email to many people. We found our IP addresses (217.40.97.81 to 217.40.97.85) on several public blacklists that had detected the spamming activity passing through our open proxy during the few days it was open.

Some of these (with a Yes/No policy) have already removed us once they detected that spamming has stopped, however other systems use a complex rating system to monitor for spam over time: once given black marks for spamming on these systems your reputation is damaged for the foreseeable future and your emails may not be delivered.

We don’t spam or even send many emails, but we need them to get through! Unfortunately there are numerous blacklisting services, and many of the big online email services use complex internal rating systems – we have very little chance of getting our rating adjusted.

As an ultimate insult, even McAfee, whose software is at the root of our problems, now rate our email IP as High Risk: we can't email them as they have blacklisted us!

There can be further and more significant implications for businesses with online servers, especially web servers with ecommerce. Apart from direct loss of sales while your internet connection is affected, damage to the online reputation of your IP addresses and domains may lose you visitors/customers and limit your ability to trade in the future - how will you send membership details, order acknowledgements and receipts for your site if all your emails are blocked? How much time, effort and money have you spent developing and protecting your online presence, only to find your reputation trashed?

One other example: for ecommerce sites such as our shop that have their products listed on Google Shopping, if your internet connection is playing up and your website is unavailable even for a short time, this can lead to account suspension and the permanent removal of your products from Google Shopping. We already have a couple of warnings on our record due to this issue.

Have you been affected?

While we are waiting for McAfee to fix this issue, we are avoiding sending emails through our own addresses, have stopped our online advertising, disabled our product listings in Google Shopping and spent a lot of time and effort identifying the problem and on damage limitation. Once we know that the issue is fixed and we are fully secure again, we can restart normal activity and try to restore our reputation on blacklists etc. However, we are only a small company with minimal online clout so this will be tricky.

We call upon McAfee, whose security software is at the root of our problems, to assist us in this regard. They have the resources, expertise, influence and contacts to support their affected users in restoring their reputations (or even enhancing their status, as after all they are security conscious users using leading McAfee security).

If you have also been affected please let us know what damage it has caused, your affected IP addresses/domains/emails, what you did to fix it for your operating system/firewall as well as which McAfee product you were using, so we can update our guidance accordingly and gather information to help McAfee fix this for us all once the dust has settled.

With many thanks for their contributions to @mrhinkydink as well as to TechNet users marky9074 and paulo2323

Ray Carlson wrote the comment:
Thursday, 19 January, 2012 at 19:04:49

I am just about sure one or more of my computers has been hacked. Shortly after I installed (around 12/25/2011) McAfee on one of my computers I began receiving a large number of returned emails (like 200 to 700 per day).

I have 6 computers some running XP home and some running XP professional. It appears your fix refers to some other operating systems. Any suggestions how to fix my XP systems?

Keith Morrigan replied:
Thursday, 19 January, 2012 at 20:10:56

We don't have an XP PC with McAfee so we can't be too specific.
To see if your McAfee PC is affected type cmd into the Start > Run box and hit enter to open a command window.
In this window, type netstat -noa then hit enter. You will get a list of tcp connections which can be quite long.
If the Local Address column has loads of numbers ending in :6515 (the list may also scroll on for minutes) then you are probably affected.
The PID column for all the :6515 entries will be the same, the same PID will also be on many other connections where the Foreign Address ends in :80 or :25 or others.
The PID can be looked up on Task Manager to verify the name of the process making the connections.
Try typing your IP address into a search engine - some results will just list your IP's details but if there are several with the word proxy in the title then you are probably affected.
With a patch imminent, and assuming the XP version has the same Rumor Service, it may be safest just to disable it until the patch arrives.
To disable an XP service such as the Rumor service, follow the instructions in our post, but you may not get a “Windows needs your permission to continue” message to OK. The rest is the same.
Lastly, you should check the returned messages and logs for clues as to why your emails are returned. It may be due to some other problem/infection.

Ray Carlson replied:
Thursday, 19 January, 2012 at 21:49:13

Just got off a chat session with McAfee, sounded like an Indian name. They basically said it was my email that was causing the problem and I should use another email program (Outlet) to check my email. They would not say anything about a McAfee fix. Assume they don't want people to find out.

I have several "free after rebate" Norton licenses, so I just put Norton on the computer that I think is the problem.

