Keith Morrigan on Monday, 16 January, 2012 at 16:20:00 (modified: 20 January, 2012 at 18:19:24)
UPDATE 20/01/12: See follow up story: Rumor Tamed but Damage Done!
Warning! Your computer could be at risk!
If you are using a McAfee security product to protect your computer on the internet you should act now. McAfee software has been hacked, turning the affected computers into “open proxies” and allowing dubious users to hijack their internet connection to access illicit sites and send spam, as if coming from them!
It is believed that thousands of computers have been compromised so far, with more being affected every day. In the absence to date of any formal announcement or solution from McAfee on this critical issue, Kaamar are posting this to help other McAfee users prevent damage to their systems and their online reputation.
UPDATE 19/01/12: McAfee have announced a patch will be released through the normal automatic update process, when testing is finished on 18th or 19th (US - could be 20th in UK).
McAfee Rumor Service Hacked.
McAfee software can include their Rumor technology, which is part of a system for delivering updates to computers without a direct internet connection. It appears to be installed even when not required, along with firewall rules to allow it internet access, and one of the TCP ports it uses is port 6515.
We do not know exactly how, but this Rumor technology has been hacked so that it acts as an open proxy on port 6515. This means that anyone can use your IP address to bounce messages and spam on to other sites, as if they were coming from your address.
While there is no indication of any unauthorised access to the files or databases on the affected computers, the massive increase in unwanted traffic can have serious short and long term implications.
How to protect your computer...
Details may vary between operating systems, Windows versions and McAfee products, but for our server the answer was:
1) Disable the Rumor Service
Start > Administrative Tools > Services. Press Continue at “Windows needs your permission to continue”.
Double click on the service “McAfee Peer Distribution Service”, described as “Rumor Network Server”.
Press the Stop button to stop the service.
Change the Startup type to Disabled using the dropdown list.
Press the OK button.
Do not disable other McAfee services as this may leave you unprotected.
2) Use your Firewall to block incoming connections on tcp port 6515
This is a backup solution, as the Rumor Service can be restarted by the automatic McAfee updates. If you are using the McAfee firewall we are not sure how to do this: you will need to use an external firewall. Fortunately many broadband routers/modems have some sort of firewall built in, and you can add firewall rules using their administrative menus; please refer to the manual for your router/modem.
If you are using the Windows Firewall:
Start > Administrative Tools > Windows Firewall with Advanced Security. Press Continue at “Windows needs your permission to continue”.
Click on “Inbound Rules” in the left panel.
For each “Managed Services Agent” rule in the middle panel, select the rule, then click “Disable Rule” in the right hand panel.
Now click New Rule... in the right hand panel.
Select “Port” rule and click Next.
Leave TCP selected, type 6515 into the Specific local port box, and press Next.
Select “Block the connection” and press Next.
Leave all boxes ticked and press Next.
Type a name such as “Block 6515” as the rule name and press Finished.
Some games also use port 6515, so they may be blocked as well. We have shown a rule for blocking all 6515 traffic, but advanced users could equally block just the myAgtSvc.exe program (in the C:\Program Files\McAfee\Managed VirusScan\Agent or C:\Program Files (x86)\McAfee\Managed VirusScan\Agent directory), applied to the “McAfee Peer Distribution Service” service.
Note that these instructions assume you are NOT using the Rumor technology to deliver updates to computers without a direct internet connection.
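The two steps above as one script, written for this post as an added example rather than code from the original post or from McAfee. It is meant for an elevated PowerShell prompt on a Vista/Server 2008 era host; it assumes the service can be found by the display name quoted above, and that the rules to disable are the inbound firewall rules whose name starts with “Managed Services Agent”.

```powershell
# Added example (not from the original post or from McAfee). Run from an elevated prompt.
# Assumptions: service located by its display name; firewall rules to disable are the
# inbound ones named "Managed Services Agent..."; netsh is used because the
# *-NetFirewallRule cmdlets only exist on Windows 8 / Server 2012 and later.
$serviceDisplayName = 'McAfee Peer Distribution Service'   # shown as "Rumor Network Server"
$blockRuleName      = 'Block 6515'
$port               = 6515

# 1) Stop the Rumor service and keep it from starting again. Only this one service is
#    touched; the other McAfee services stay running so the machine is still protected.
$svc = Get-Service | Where-Object { $_.DisplayName -eq $serviceDisplayName }
if ($svc -eq $null) {
    Write-Warning "Service '$serviceDisplayName' not found; nothing stopped."
} else {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Host "Stopped and disabled '$($svc.DisplayName)' (service name $($svc.Name))"
}

# 2) Backup in case an automatic update re-enables the service: disable the inbound
#    "Managed Services Agent" rules, then add an explicit inbound block for TCP 6515.
$agentRules = @()
foreach ($line in (netsh advfirewall firewall show rule name=all)) {
    if ($line -match '^Rule Name:\s+(Managed Services Agent.*)$') {
        $agentRules += $Matches[1].Trim()
    }
}
foreach ($name in ($agentRules | Sort-Object -Unique)) {
    # Rules that are outbound-only simply report "No rules match" here and are left alone.
    netsh advfirewall firewall set rule name="$name" dir=in new enable=no | Out-Null
    Write-Host "Disabled inbound rule '$name'"
}
netsh advfirewall firewall add rule name="$blockRuleName" dir=in action=block protocol=TCP "localport=$port" | Out-Null
Write-Host "Added inbound block rule '$blockRuleName' for TCP port $port"

# Check: the block rule exists, and nothing should still be talking on port 6515.
netsh advfirewall firewall show rule name="$blockRuleName"
netstat -noa | Select-String ":$port\s"
```

If the final netstat line still lists ESTABLISHED connections on 6515, those are sessions that were open before the rule was added; they drop off once the service is stopped.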
How to tell if you are already affected...
For a start you may find your internet connection slow or interrupted, get a traffic warning from your ISP or find that your emails are returned because you have been blacklisted.
There are several ways of detecting the open proxy activity, all a bit complex. The simplest is to use the Resource Monitor via the Task Manager:
Either press Ctrl-Alt-Delete and select Start Task Manager, or right click on the bottom toolbar and select Task Manager from the popup context menu.
Click on the Performance tab, then on the Resource Monitor button. Press Continue at “Windows needs your permission to continue”.
Press the down arrow at the right of the Network grey bar to show the list of programs with active connections.
If you see lots of myAgtSvc.exe listed, you have been hacked and are acting as an open proxy.
Other methods for checking for mass incoming connections on port 6515 and mass unknown outgoing connections include checking your router logs, downloading and running TCPView, or running “netstat -noa” in a command window. Some of these will also identify a process id, so you can find the name of the process in Task Manager, or may identify myAgtSvc.exe or the Rumor Service directly.
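A scripted version of the “netstat -noa” check, added here as an example and not taken from the original post. It parses netstat's TCP lines, counts per process the established connections arriving on local port 6515 and the outgoing connections to port 25 (SMTP) and 80/443 (web), and names the owning process; a constructed sample of netstat output is embedded so it runs without a live capture, and -Live reads the real netstat instead. The process name myAgtSvc.exe is not hard-coded, so the same check shows any process relaying in this pattern.

```powershell
# Added example (not from the original post). Constructed sample netstat output is used
# unless -Live is given; PID 1234 below stands in for myAgtSvc.exe on a relaying host,
# PID 876 is an ordinary RDP session and the UDP line is ignored by the parser.
param([switch]$Live)

$sampleLines = @(
    '  TCP    192.168.1.10:6515    198.51.100.7:41234    ESTABLISHED     1234',
    '  TCP    192.168.1.10:6515    198.51.100.9:50122    ESTABLISHED     1234',
    '  TCP    192.168.1.10:6515    203.0.113.44:6021     ESTABLISHED     1234',
    '  TCP    192.168.1.10:49311   203.0.113.25:25       ESTABLISHED     1234',
    '  TCP    192.168.1.10:49312   203.0.113.80:80       ESTABLISHED     1234',
    '  TCP    192.168.1.10:3389    192.168.1.5:52100     ESTABLISHED     876',
    '  UDP    0.0.0.0:500          *:*                                   612')

function Parse-NetstatLines {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP lines: proto, local addr:port, remote addr:port, state, owning pid
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                LocalPort = [int]$Matches[2]; RemoteAddr = $Matches[3]
                RemotePort = [int]$Matches[4]; State = $Matches[5]; Pid = [int]$Matches[6] }
        }
    }
}

function Get-ProxySuspects {
    param([object[]]$Conns, [int]$ProxyPort = 6515, [int]$InboundThreshold = 3)
    foreach ($g in ($Conns | Group-Object Pid)) {
        $inbound = @($g.Group | Where-Object { $_.LocalPort -eq $ProxyPort -and $_.State -eq 'ESTABLISHED' }).Count
        $smtpOut = @($g.Group | Where-Object { $_.RemotePort -eq 25 }).Count
        $webOut  = @($g.Group | Where-Object { $_.RemotePort -eq 80 -or $_.RemotePort -eq 443 }).Count
        # A relay shows both sides at once: traffic arriving on 6515 and leaving for elsewhere.
        if ($inbound -ge $InboundThreshold -or ($inbound -gt 0 -and $smtpOut -gt 0)) {
            $proc = Get-Process -Id ([int]$g.Name) -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '(not running on this host)' }
            New-Object PSObject -Property @{ Pid = [int]$g.Name; Process = $procName
                InboundOn6515 = $inbound; OutboundSmtp = $smtpOut; OutboundWeb = $webOut }
        }
    }
}

$lines = if ($Live) { netstat -noa } else { $sampleLines }
# On a live system raise -InboundThreshold: the affected server saw many hundreds.
Get-ProxySuspects -Conns @(Parse-NetstatLines -Lines $lines) |
    Format-Table Pid, Process, InboundOn6515, OutboundSmtp, OutboundWeb -AutoSize
```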
How do we know McAfee has been hacked?
Our Windows 2008 server was one of the computers affected. We first realised there was a problem on the 4th January 2012 when an email was returned undelivered with the message: “Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.”
On checking through our mail logs, we also noticed that an earlier email sent 2nd January had been delayed with a message saying our IP was on the spamhaus/cbl list as being infected with a trojan spambot.
This came as some surprise, as we rarely do anything manual on this server and have tight firewall/antivirus security, but sure enough I did detect rampant hidden connection activity going on in the background and spent several days trying to establish/clean the problem. We tried several updated malware and rootkit removal scans, and manually looked for anything dodgy in filesystem and registry, without results.
We did however find, through investigation of router logs/netstat/tcpview, that the apparent culprit was the RumorServer Service myAgtSvc.exe (McAfee Peer Distribution Service) which is part of our McAfee Total Protection Security!
myAgtSvc.exe and associated dlls appear to be valid and digitally signed, but this service was receiving many hundreds of incoming connections on port 6515, and responded by making hundreds of outgoing connections to web servers, including to email servers on port 25 (i.e. we were sending spam!).
Disable the service and the outgoing connections stop (it may however restart on automatic upgrade). Disabling the Windows Firewall incoming rules for Managed Services Agent, and adding incoming rules to block the program myAgtSvc.exe on service RumorServer on all ports/protocols, stopped the 6515 traffic getting in, which in turn stopped the outgoing traffic (an outgoing rule did not work on its own).
On 5th January we finally managed to halt the traffic, but received a traffic data limit warning from our ISP that we were approaching our whole month’s traffic in only a few days. Later communication with our ISP indicated that it started 31/12/11 and peaked over a couple of days, but is now back to normal.
At peak we had the equivalent of 10 months of our normal traffic in one day!
Further research revealed that other users were affected in a similar fashion, that our IP addresses were listed on dozens of sites as being Anonymous “Open Proxy” servers on port 6515 during this time period, that from the start of December many other IP addresses were also being listed as open proxies on port 6515, that new open proxies on port 6515 were being discovered daily, and that many messages were detected with HTTP_VIA headers showing they were forwarded by a “McAfee Relay Server” in various versions.
We advised McAfee on 5th January of our concern that the Rumor Service had been hacked, have continually updated them of our findings confirming the problem, and have fully cooperated in their investigations so they can solve this issue.
Affected McAfee software.
To date, the only version we know for sure to be affected is the McAfee SaaS Endpoint Protection Suite (previously known as the Total Protection Service), however we believe the same Rumor technology is used in other products. Please let us know if your product has been affected so we can add it to the list.
UPDATE 19/01/12: McAfee have indicated that only the SaaS Total Protection service is affected.
What damage does this cause...
Damage effects may be many and varied according to your setup. For a start, your ISP is not likely to be happy with you.
You may face additional charges for excess traffic, be imposed with future traffic limiting or even disconnection.
If you send email, especially if you use your own server, as we do, you may be blacklisted, and unable to send email to many people. We found our IP addresses (217.40.97.81 to 217.40.97.85) on several public blacklists that had detected the spamming activity passing through our open proxy during the few days it was open.
Some of these (with a Yes/No policy) have already removed us once they detected that spamming has stopped, however other systems use a complex rating system to monitor for spam over time: once given black marks for spamming on these systems your reputation is damaged for the foreseeable future and your emails may not be delivered.
We don’t spam or even send many emails, but we need them to get through! Unfortunately there are numerous blacklisting services, and many of the big online email services use complex internal rating systems – we have very little chance of getting our rating adjusted.
As an ultimate insult, even McAfee, whose software is at the root of our problems, now rate our email IP as High Risk: we can't email them as they have blacklisted us!
There can be further and more significant implications for businesses with online servers, especially web servers with ecommerce. Apart from direct loss of sales while your internet connection is affected, damage to the online reputation of your IP addresses and domains may lose you visitors/customers and limit your ability to trade in the future - how will you send membership details, order acknowledgements and receipts for your site if all your emails are blocked? How much time, effort and money have you spent developing and protecting your online presence, only to find your reputation trashed?
One other example: for ecommerce sites such as our shop that have their products listed on Google Shopping, if your internet connection is playing up and your website is unavailable even for a short time, this can lead to account suspension and the permanent removal of your products from Google Shopping. We already have a couple of warnings on our record due to this issue.
Have you been affected?
While we are waiting for McAfee to fix this issue, we are avoiding sending emails through our own addresses, have stopped our online advertising, disabled our product listings in Google Shopping and spent a lot of time and effort identifying the problem and on damage limitation. Once we know that the issue is fixed and we are fully secure again, we can restart normal activity and try to restore our reputation on blacklists etc. However, we are only a small company with minimal online clout so this will be tricky.
We call upon McAfee, whose security software is at the root of our problems, to assist us in this regard. They have the resources, expertise, influence and contacts to support their affected users in restoring their reputations (or even enhancing their status, as after all they are security conscious users using leading McAfee security).
If you have also been affected please let us know what damage it has caused, your affected IP addresses/domains/emails, what you did to fix it for your operating system/firewall as well as which McAfee product you were using, so we can update our guidance accordingly and gather information to help McAfee fix this for us all once the dust has settled.
With many thanks for their contributions to @mrhinkydink as well as to TechNet users marky9074 and paulo2323