With the latest patch, spammers exploiting the flaw in McAfee's SaaS Total Protection Suite will no longer be able to commandeer computers to send out spam.
McAfee
has fixed issues in its Total Protection service that allowed attackers to take
over computers to send out spam.
A
bug in McAfee's hosted anti-malware service was being exploited by spammers to
turn computers into a spam proxy to send out large volumes of spam, David
Marcus, director of security research at McAfee
Labs, wrote in a blog post Jan. 18. Another flaw allowed remote attackers
to abuse an ActiveX control to execute code.
McAfee's
SaaS Total Protection is a suite of software-as-a-service offerings that
includes Web filtering, antivirus and anti-spam capabilities. The spam flaw was
in the "Rumor" technology used within the suite. McAfee patched SaaS
Total Protection on Jan. 20 to close both vulnerabilities, according to the
blog post.
"Because
this is a managed product, all affected customers will automatically receive
the patch when it is released," Marcus said.
The
Rumor feature allows agents installed on the computers to share antivirus,
anti-spyware and firewall updates across the network instead of having to
download them from McAfee servers individually. Downloading the security
updates once and distributing them to all computers on a network mean
organizations can save bandwidth and management time.
Spammers
exploited the vulnerability in Rumor to accept incoming connections on port
6515 and to respond by opening hundreds of outgoing connections with other
servers, according to a blog post by Keith and Annabel Morrigan of British
art company Kaamar. Spammers bounced spam messages off computers running
the Rumor service agent to make it seem as if the messages were being sent by
those machines.
The
Rumor Server Service agent is automatically installed on computers being
protected by McAfee's SaaS Total Protection Security, according to the Morrigans,
who was finally able to stop the relay activity by configuring firewall rules
to block the program's traffic coming through port 6515. Just creating an
outgoing rule did not fix the problem, according to the post.
Since
the spam relay happens in the background, most organizations are unaware of
what is happening. For many SaaS Total Protection customers, the first
indicator that something is wrong may come when the ISP blocks the IP address
after detecting an increase in outbound spam, the Morrigans said.
"You
may find your Internet connection slow or interrupted, get a traffic warning
from your ISP or find that your emails are returned because you have been
blacklisted," they wrote in their warning post.
With
this exploit, instead of saving on bandwidth costs, organizations could wind up
with costly bills racked up by the spammers. The Morrigans claimed that
spammers managed to use almost the entire month's worth of Kamaar's traffic in
less than a week. "At peak we had the equivalent of 10 months of our
normal traffic in one day," they claimed.
Although
the issue in Rumor allows spammers to use the machine as a spam relay, "it
does not give access to the data on an affected machine," Marcus said.
The
ActiveX control issue was similar to another flaw that was patched in August,
according to Marcus. The previous patch blocked the exploitation path for the
new bug, so there was almost no risk to customer data, Marcus said.
Because
Total Protection Suite is delivered as a software as a service ensures the
problem is addressed for all customers immediately, highlighting one of the
security benefits of the SaaS model. It is much more effective to fix flaws in
a hosted product rather than waiting for each customer to download and install
the fix.
Email
Print
