From: chows at ozemail.com.au (Gregh)
Subject: More stupid little Mcafee tricks

...or possibly "How to bring a Mcafee user down".

Find yourself a user who has Mcafee Virusscan either the ONLINE version or as it is now known, Version 8. Also ensure they have Mcafee Spamkiller version 5 installed.

Now you have that, send them a lot of MyDoom in email, 1 attachment per email.

As their Spamkiller 5 attempts to contact their ISP's server to download and filter email, it is also watched by the Virusscan Online (or 8). When MyDoom is recognised, VSO deletes it as it should. Spamkiller 5 becomes slightly confused about this and shows the user an email in Spamkiller 5's Inbox in either Blocked or Accepted areas saying that some other program deleted the contents of the incoming email. The user, seeing an email with no attachment, no header information and no body to it just deletes it, in a normal situation. Then, they run their OE to get the email now filtered, from Spamkiller 5.

What happens next is that the deleted email which appears nowhere in Spamkiller's accepted or blocked areas turns up in OE anyway, again just something without headers thus appears in OE as an unread email with no from, subject, date etc. It appears odd so the user clicks on it, sees nothing and deletes it (note that this sort of received email leaves yet other unexplored options open for exploits that they may find useful and this is after it has been filtered and virus checked!) and you would think that is the end of it.

Sending one such email to the user will be unlikely to provoke anything of note. Send 6 or more, though. Spamkiller 5 goes into meltdown right now. The user's computer becomes slower and slower and slower. The user MAY choose to reboot at this point which is fairly standard practice so if there was a way to exploit that stripped email in OE so that it lines something up on next startup, there is the prompt for it!
Upon reboot, the computer acts normally until Mcafee Security Centre loads which then starts Spamkiller and the virus scan program. Spamkiller goes straight back in to meltdown mode and slows the machine down enormously.

Now here comes the REALLY fun part as if the above wasn't bad enough. I told the user to run a full system scan as I couldn't get there for a couple of hours, right? The user did this and by the time I got there, the scan had finished (Virus scan) and found nothing. At this point I was beginning to suspect system file damage etc ad infinitum. Then, the user tells me what Spamkiller 5 did and I changed my mind.

Even though their fully UP TO DATE Virusscan Online found nothing, I decided to run the latest Stinger (virus removal tool) from Mcafee anyway, being a pedantic type as I am. It FOUND and DELETED no less than SIX MyDoom in the Spamkiller 5 area installed, under XP, in ALL USERS rather than the user name it was installed under (fairly standard) in a Spamkiller controlled area that had the folder name "back" which made me think it meant backup. I asked the user if they had used the Spamkiller 5 backup function. Yes, about 2 weeks ago, they said, so that wasn't it.

Anyway, the machine picked up about 25% of its speed from there but still was not back to normal. Giving up at that point as they needed it *NOW* I uninstalled Spamkiller 5 and rebooted to find the machine as good as it is SUPPOSED to be.

So, that's how you can grind any Spamkiller and Virusscan user using at least XP to a halt on Internet.

I went back today and found they had no email worth a pinch as they had reinstalled Spamkiller 5 themselves. I checked it out and sure enough not a blot was showing. To cut a long and sorry story short, if you EVER have to reinstall Spamkiller from Mcafee, please note you have to uninstall EVERY DAMNED MCAFEE PRODUCT that is related to Security Centre as well as Security Centre itself and install them ALL again from scratch.
Once you do that, it all works OK. If you don't do that, you get various errors from within Spamkiller 5 such as disappearing email, the BLOCK function not blocking etc. In short, a great waste of time.

I hope you have enjoyed this little jaunt into the world of Mcafee. I did report all this to them and their response was to delete your email accounts from within Spamkiller 5 and reinstall them. I did this prior to reporting and it leads to some of the errors I mentioned. So, don't waste your time trying to get sense out of their help email area.

Greg.