McAfee Patches Spam Relay Flaw in SaaS Total Protection Service
McAfee has fixed issues in its Total Protection service that allowed attackers to take over computers to send out spam.
A bug in McAfee's hosted anti-malware service was being exploited by spammers to turn computers into a spam proxy to send out large volumes of spam, David Marcus, director of security research at McAfee Labs, wrote in a blog post Jan. 18. Another flaw allowed remote attackers to abuse an ActiveX control to execute code.
McAfee's SaaS Total Protection is a suite of software-as-a-service offerings that includes Web filtering, antivirus and anti-spam capabilities. The spam flaw was in the "Rumor" technology used within the suite. McAfee patched SaaS Total Protection on Jan. 20 to close both vulnerabilities, according to the blog post.
"Because this is a managed product, all affected customers will automatically receive the patch when it is released," Marcus said.
The Rumor feature allows agents installed on the computers to share antivirus, anti-spyware and firewall updates across the network instead of having to download them from McAfee servers individually. Downloading the security updates once and distributing them to all computers on a network mean organizations can save bandwidth and management time.
Spammers exploited the vulnerability in Rumor to accept incoming connections on port 6515 and to respond by opening hundreds of outgoing connections with other servers, according to a blog post by Keith and Annabel Morrigan of British art company Kaamar. Spammers bounced spam messages off computers running the Rumor service agent to make it seem as if the messages were being sent by those machines.
The Rumor Server Service agent is automatically installed on computers being protected by McAfee's SaaS Total Protection Security, according to the Morrigans, who was finally able to stop the relay activity by configuring firewall rules to block the program's traffic coming through port 6515. Just creating an outgoing rule did not fix the problem, according to the post.
Since the spam relay happens in the background, most organizations are unaware of what is happening. For many SaaS Total Protection customers, the first indicator that something is wrong may come when the ISP blocks the IP address after detecting an increase in outbound spam, the Morrigans said.
"You may find your Internet connection slow or interrupted, get a traffic warning from your ISP or find that your emails are returned because you have been blacklisted," they wrote in their warning post.
With this exploit, instead of saving on bandwidth costs, organizations could wind up with costly bills racked up by the spammers. The Morrigans claimed that spammers managed to use almost the entire month's worth of Kamaar's traffic in less than a week. "At peak we had the equivalent of 10 months of our normal traffic in one day," they claimed.
Although the issue in Rumor allows spammers to use the machine as a spam relay, "it does not give access to the data on an affected machine," Marcus said.
The ActiveX control issue was similar to another flaw that was patched in August, according to Marcus. The previous patch blocked the exploitation path for the new bug, so there was almost no risk to customer data, Marcus said.
Because Total Protection Suite is delivered as a software as a service ensures the problem is addressed for all customers immediately, highlighting one of the security benefits of the SaaS model. It is much more effective to fix flaws in a hosted product rather than waiting for each customer to download and install the fix.