January 19, 2012
McAfee Bug Hijacks Your Computer To Send Spam
Computer security firm McAfee is looking into an issue with one of its software programs that appears to allow hackers to gain access to PCs, the company said this week.
“We are aware of the issue and have both threat analytics and development teams diligently analyzing the problem and possible solutions,” McAfee told CNET in a statement. “We will have more information on the issue shortly.”
Thousands of computers could have been compromised so far, and machines will continue to be affected until the problem is fixed.
McAfee's David Marcus said in a Wednesday blog post that although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability.
A public relations representative for McAfee contacted by CNET said she was trying to get more info on the issue and would give details when the firm knew more. The problem was first reported by McAfee customers on the Web who complained that their emails were being blocked by email providers and their IP addresses were being blacklisted for sending spam.
Kaamar.com first detected the issue on January 4 when an email was returned with a message saying “Our system has detected an unusual rate of unsolicited mail originating from your IP address.” The email further said that, in order to “protect our users from spam, mail sent from your IP address has been blocked.”
“On checking through our mail logs, we also noticed that an earlier email sent 2nd January had been delayed with a message saying our IP was on the spamhaus/cbl list as being infected with a Trojan spambot,” Kaamar.com said in a blog post.
Kaamar was able to stop the traffic on January 5 but received a data limit warning from the ISP that the site was nearing its monthly limit for traffic. The problem, which appeared to start on December 31, 2010, caused Kaamar to get the equivalent of ten months of traffic in just one day, according to their post.
The problem appears to be in the RumorServer Service (myAgtSvc.exe), the McAfee Peer Distribution Service, which is part of McAfee's SaaS Endpoint Protection Suite, according to Kaamar. That service is used for delivering updates to computers without a direct Internet connection. It serves as an open proxy on port 6515, which opens the computer up to abuse by spammers.
There is no indication that the problem has given unauthorized access to files or databases on affected computers; however, the issue is still significant and can have serious short- and long-term implications for affected PCs and their owners.
Mr.HinkyDink's UT Blog also reported nearly 1,900 IP addresses serving as open proxies running the McAfee software since December 1, 2011, according to CNET's Elinor Mills.
Kaamar.com has instructions for checking to see if a computer is affected by the software glitch and, if so, has information on its blog on how to protect computers until McAfee can resolve the problem.
One way to ensure your PC is safe from spam hackers is to disable the RumorServer Service. Another would be to use your firewall to block incoming connections to TCP port 6515, Kaamar said in its blog post.
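One way to check a Windows machine for the exposure described above, as an added example that is not taken from Kaamar's or McAfee's instructions: it parses `netstat -ano` output for a listener on TCP port 6515 and for remote sessions using it. The sample output, addresses and PIDs are constructed, and the `audit` helper is a hypothetical name.

```python
import re

WATCH_PORT = 6515  # port the article says the Peer Distribution Service proxies on

# Constructed sample of Windows `netstat -ano -p TCP` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.20:6515      203.0.113.45:51022     ESTABLISHED     2316
  TCP    192.168.1.20:49712     198.51.100.7:443       ESTABLISHED     3044
"""

# One TCP row: local addr:port, foreign addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
LOOPBACK = ("127.", "[::1]")


def audit(netstat_text, port=WATCH_PORT):
    """Return (listeners, sessions) for `port` found in netstat -ano output."""
    listeners, sessions = [], []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        laddr, lport, raddr, _rport, state, pid = m.groups()
        if int(lport) != port:
            continue
        if state == "LISTENING":
            # A bind address other than loopback is reachable from the network.
            exposed = not laddr.startswith(LOOPBACK)
            listeners.append({"addr": laddr, "pid": int(pid), "exposed": exposed})
        elif state == "ESTABLISHED":
            sessions.append({"peer": raddr, "pid": int(pid)})
    return listeners, sessions


if __name__ == "__main__":
    found, active = audit(SAMPLE_NETSTAT)
    for item in found:
        note = "reachable from the network" if item["exposed"] else "loopback only"
        print(f"port {WATCH_PORT} listening on {item['addr']} (PID {item['pid']}): {note}")
    for item in active:
        print(f"session on port {WATCH_PORT} from {item['peer']} (PID {item['pid']})")
```

The reported PID can be matched against the process list to confirm it belongs to myAgtSvc.exe before disabling the service or adding the firewall block.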