[Full-Disclosure] More stupid little Mcafee tricks

From: Gregh (chows_at_ozemail.com.au)
Date: 01/29/04

    To: "Disclosure Full" <full-disclosure@lists.netsys.com>
    Date: Thu, 29 Jan 2004 19:59:09 +1100
    
    

    ...or possibly "How to bring a Mcafee user down".

    Find yourself a user who has Mcafee Virusscan either the ONLINE version or
    as it is now known, Version 8. Also ensure they have Mcafee Spamkiller
    version 5 installed.

    Now you have that, send them a lot of MyDoom in email, 1 attachment per
    email.

    As their Spamkiller 5 attempts to contact their ISP's server to download and
    filter email, it is also watched by the Virusscan Online (or 8). When MyDoom
    is recognised, VSO deletes it as it should. Spamkiller 5 becomes slightly
    confused about this and shows the user an email in Spamkiller 5's Inbox in
    either Blocked or Accepted areas saying that some other program deleted the
    contents of the incoming email. The user, seeing an email with no
    attachment, no header information and no body to it just deletes it, in a
    normal situation. Then, they run their OE to get the email now filtered,
    from Spamkiller 5.

    What happens next is that the deleted email which appears nowhere in
    Spamkiller's accepted or blocked areas turns up in OE anyway, again just
    something without headers thus appears in OE as an unread email with no
    from, subject, date etc. It appears odd so the user clicks on it, sees
    nothing and deletes it (note that this sort of received email leaves yet
    other unexplored options open for exploits that they may find useful and
    this is after it has been filtered and virus checked!) and you would think
    that is the end of it. Sending one such email to the user will be unlikely
    to provoke anything of note. Send 6 or more, though.

    Spamkiller 5 goes into meltdown right now. The user's computer becomes
    slower and slower and slower. The user MAY choose to reboot at this point
    which is fairly standard practice so if there was a way to exploit that
    stripped email in OE so that it lines something up on next startup, there is
    the prompt for it! Upon reboot, the computer acts normally until Mcafee
    Security Centre loads which then starts Spamkiller and the virus scan
    program. Spamkiller goes straight back in to meltdown mode and slows the
    machine down enormously.

    Now here comes the REALLY fun part as if the above wasn't bad enough. I told
    the user to run a full system scan as I couldn't get there for a couple of
    hours, right? The user did this and by the time I got there, the scan had
    finished (Virus scan) and found nothing. At this point I was beginning to
    suspect system file damage etc ad infinitum. Then, the user tells me what
    Spamkiller 5 did and I changed my mind. Even though their fully UP TO DATE
    Virusscan Online found nothing, I decided to run the latest Stinger (virus
    removal tool) from Mcafee anyway, being a pedantic type as I am. It FOUND
    and DELETED no less than SIX MyDoom in the Spamkiller 5 area installed,
    under XP, in ALL USERS rather than the user name it was installed under
    (fairly standard) in a Spamkiller controlled area that had the folder name
    "back" which made me think it meant backup. I asked the user if they had
    used the Spamkiller 5 backup function. Yes, about 2 weeks ago they said so
    that wasn't it. Anyway, the machine picked up about 25% of its speed from
    there but still was not back to normal. Giving up at that point as they
    needed it *NOW* I uninstalled Spamkiller 5 and rebooted to find the machine
    as good as it is SUPPOSED to be.

    So, that's how you can grind any Spamkiller and Virusscan user using at
    least XP to a halt on Internet.

    I went back today and found they had no email worth a pinch as they had
    reinstalled Spamkiller 5 themselves. I checked it out and sure enough not a
    blot was showing. To cut a long and sorry story short, if you EVER have to
    reinstall Spamkiller from Mcafee, please note you have to uninstall EVERY
    DAMNED MCAFEE PRODUCT that is related to Security Centre as well as Security
    Centre itself and install them ALL again from scratch. Once you do that, it
    all works OK. If you don't do that, you get various errors from within
    Spamkiller 5 such as disappearing email, the BLOCK function not blocking
    etc. In short, a great waste of time.

    I hope you have enjoyed this little jaunt into the world of Mcafee. I did
    report all this to them and their response was to delete your email accounts
    from within Spamkiller 5 and reinstall them. I did this prior to reporting
    and it leads to some of the errors I mentioned. So, don't waste your time
    trying to get sense out of their help email area.

    Greg.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
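
An added example, not part of the original post: a defender-side check that counts the stripped messages the post describes (no From, Subject or Date, no attachment, empty body) in a mailbox and flags it at the "6 or more" level the post mentions. It assumes the raw RFC 822 messages are available as bytes; the function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes

# The post reports trouble once "6 or more" such messages arrive.
STRIPPED_THRESHOLD = 6
KEY_HEADERS = ("From", "Subject", "Date")


def is_stripped(raw: bytes) -> bool:
    """True if a raw message has no From/Subject/Date, no attachment
    and no body text, i.e. the husk left after the scanner removed it."""
    msg = message_from_bytes(raw)
    if any(msg.get(h) for h in KEY_HEADERS):
        return False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():          # an attachment survived
            return False
        payload = part.get_payload(decode=True) or b""
        if payload.strip():              # some body content survived
            return False
    return True


def assess_mailbox(raw_messages):
    """Return (stripped_count, alert) for an iterable of raw messages."""
    count = sum(1 for raw in raw_messages if is_stripped(raw))
    return count, count >= STRIPPED_THRESHOLD


# Constructed sample data: one ordinary message plus six empty husks.
NORMAL = (b"From: a@example.com\r\nSubject: hi\r\n"
          b"Date: Thu, 29 Jan 2004 19:59:09 +1100\r\n\r\nhello\r\n")
HUSK = b"\r\n"
SAMPLE_MAILBOX = [NORMAL] + [HUSK] * 6

if __name__ == "__main__":
    count, alert = assess_mailbox(SAMPLE_MAILBOX)
    print(f"stripped messages: {count}, alert: {alert}")
```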

