MVP Jubo Security Blog : McAfee Security

New: McAfee Online Support Community

jubo — Sat, 07 Nov 2009 21:01:00 GMT

The old McAfee forums have been changed into the Online Support Community. This new community has areas for Enterprise users, home and home office users as well as Security Awarness and Community Help. Discussions, blogs, wikis, profiles and polls.

And best thing... you can now even talk with real McAfee professionals! Come and join us at: McAfee Online Communities

McAfee's spam report for July

jubo — Tue, 07 Jul 2009 00:56:00 GMT

Today McAfee published its spam report for the month of July with the top 15 spam subject lines by domain. For instance for the .COM domain it gives you this:

Hello
Hi
RE: DISCOUNT 80% 0FF on Pfizer !
Replica Watches
Undelivered Mail Returned to Sender

For more information and other Top 15 subject lines for each major domain (.ORG, .UK, .CN, etc.), as well as the rest of McAfee’s July Spam Report, see McAfee's Avert Labs Blog.

McAfee's Security Journal

jubo — Wed, 29 Oct 2008 09:25:52 GMT

Two weeks ago McAfee released their 5th issue of the McAfee Security Journal, formerly known as "Sage". In this issue it's about social engineering techniques. You can download your copy here.

Olympic attachment?

jubo — Fri, 08 Aug 2008 06:36:33 GMT

Not only the Olympic games have started, but also the malware games related to the Olympics. One of the latest is that if you receive an attachment named as: "ioc_guidelines_for_persons_accredited_at_the_xxix_olympiad.pdf" then delete this immediately. If you open it then it could execute a malicious JavaScript that exploits a patched Adobe Reader vulnerability. And it follows to install a backdoor detected as BackDoor-DMG.

McAfee has named this one: "Exploit-PDF.b"; for more detailed information about it check this article: Exploit-PDF.b.

Aliases:

EXPL_PIDIEF.O (TrendMicro)
Trojan.Pidief.C (Symantec)

If you do not have Adobe Reader version 9 installed, then you can download it from the Adobe Download. Unfortunately it comes with Adobe AIR, which you can uninstall through Windows "Add/Remove Programs". Also, during the installation process you might want to uncheck the option to install the Google toolbar.

McAfee's 5300 Scan Engine Released

jubo — Fri, 01 Aug 2008 19:56:44 GMT

Few days ago McAfee released a new version of their VirusScan Scan Engine. So far only for corporate versions like VSE8.0i and/or VSE8.5i.

You can download it from the McAfee Enterprise download site.

Let The (malware) Games Begin...

jubo — Tue, 15 Apr 2008 11:20:34 GMT

Few days ago the McAfee Avert Labs received an email with a executable flash movie. The attachment was called: "RaceForTibet.exe", which eventually seems to be a keylogger program. Even a log file is being send to a provider in China.

Just want to warn you: never open or run a file that you get from (un)known people. Keep your Windows updated and/or check your version at Microsoft Update, keep your antivirus and/or antispyware updated.

For more (technical) details about the above keylogger program see this topic: Is Malware Writing the Next Olympic Event?

McAfee, Inc. Launches Global S.P.A.M. Experiment

jubo — Wed, 02 Apr 2008 06:16:00 GMT

McAfee, Inc. today announced the launch of its global S.P.A.M. (Spammed Persistently All Month) Experiment. For the month of April, participants from around the world - ranging from homemakers, government executives, and students to retirees - will surf the Web, make online purchases and register for promotions. Participants have been provided with a clean laptop without spam protection and a new email address. Beginning today, they will blog about their experiences daily at http://www.mcafee.com/spamexperiment.

With a proven link between spam and cybercrime, the experiment aims to show the devastating effects of spam.

To track the daily progress of the S.P.A.M. Experiment and read reports from the participants, please visit http://www.mcafee.com/spamexperiment.

Source: McAfee.com

Mass Hack Attack

jubo — Fri, 14 Mar 2008 07:31:47 GMT

Really cool video at the McAfee's Avert Labs blog site about the latest mass hack attack at phpBB web sites. See how it looks like from an end user's perspective: Mass Hack Attack.

Source: McAfee Avert Labs Blog.

WinCE/InfoJack - Trojan disables Windows Mobile Application Installation Security

jubo — Wed, 27 Feb 2008 08:46:48 GMT

From: McAfee Avert Labs Blog

"A Window Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China.
WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning."

Latest antivirus test results

jubo — Wed, 23 Jan 2008 10:07:00 GMT

McAfee not doing so well, Microsoft doing okay. Check out Alex Eckelberry, from Sunbelt, blog with the latest results from Andreas Marx of Av-Test.org. Links to PDF files with the results in the article.

McAfee Trojan Redirect Issue

jubo — Fri, 28 Dec 2007 09:37:39 GMT

Some McAfee customers are redirected to a non-McAfee website or receive an error or blank page when attempting to download or update McAfee software

Summary: on 12/27/07, McAfee learned that a new variant of the DNSChanger Trojan has been released and is infecting computers. This Trojan, which has yet to be named, is affecting a number of security and Internet companies, including McAfee. McAfee has already identified a solution.

Description:

If your system is infected with this Trojan, you may find that your Web browser and other applications which use the Internet are unable to access the intended site, and are instead redirected to unwanted websites or receive a page cannot be displayed error. These errors occur when you attempt to update or install McAfee consumer products or access McAfee websites. The affected McAfee consumer products include McAfee Total Protection, McAfee Internet Security Suite, and McAfee VirusScan Plus.
If you are a new customer and are trying to install McAfee software, the unwanted site may be displayed within the McAfee Download Manager window.
Existing customers may find that product updates fail, and will be unable to receive the latest Virus Definition (DAT) files.

If you are unsure if you are infected, please follow the steps below to verify:

Click on Start, Run, and type cmd.exe.
In the command prompt window, type:

ipconfig /all
If your DNS Servers address displays 85.255.116.189 or 85.255.113.44 your computer has been infected and you should continue to the steps below.

If your DNS Servers do not display 85.255.116.189 or 85.255.113.44, then your computer has not been affected by this Trojan, and you do not need to continue.

Windows Vista computers:

Click Start, Search, type cmd.exe, and press ENTER.
In the Search Results window, right-click cmd.exe and select Run As Administrator.
In the command prompt window, type:

ipconfig /all
Press ENTER.
If your DNS Servers address displays 85.255.116.189 or 85.255.113.44 your computer has been infected and you should continue to the steps below.

If your DNS Servers do not display 85.255.116.189 or 85.255.113.44, then your computer has not been affected by this Trojan, and you do not need to continue.

Solution:

IMPORTANT: You must follow all of the steps below to receive the DAT update which will clean this infection upon the execution of a scan.

Step 1 - Clear the IP Stack

Click Start, Run, type cmd, and press ENTER.
In the command prompt window, type:
netsh int ip reset reset.log
Press ENTER.
Close the command prompt window.

For Windows Vista computers:

Click Start, Search, type cmd.exe, and press ENTER.
In the Search Results window, right-click cmd.exe and select Run As Administrator.
In the command prompt window, type:
netsh int ip reset reset.log
Press ENTER.
Close the command prompt window.

If you are unable to access the Internet or update your McAfee products after performing these steps, see Manually clearing the IP Stack under Additional Information.

Step 2 - Update and scan your system

Right-click the M icon in your taskbar.
Select Updates.
After the update completes, right-click the M icon in your taskbar and select Scan.

Your McAfee consumer product will detect and remove the Trojan.

Source: McAfee FAQs DocumentID: 307223

Remembering Judi/Tigg

jubo — Fri, 28 Dec 2007 07:26:37 GMT

Yesterday I received an email telling that Judi, aka "Tigg" passed away at 10:30AM EDT. Judi was a wonderful person, a very good moderator at the McAfee Support Forums, always trying to help the McAfee customers and the McAfee technicians. And sometimes, when we, the moderators, needed it, give us a smack on our heads.

Judi, you'll always be missed. Rest well in heaven...

McAfee Scan Engine 5200

jubo — Sat, 04 Aug 2007 16:35:00 GMT

A new McAfee Scan Engine is available for elective download at McAfee's Security Updates web site. The McAfee update site will be updated to the 5200 Engine on September 5, 2007.

New kid on the blo(g)ck...

jubo — Fri, 06 Apr 2007 05:58:00 GMT

McAfee's new CEO, David DeWalt, in his first blog, The New Guy, at McAfee's Security Insights Blog. Hope to see more of him there and maybe he'll find some time to visit the McAfee Support Forums one day...

McAfee's PodCast: AudiParasitics

jubo — Sun, 04 Mar 2007 19:37:00 GMT

A new service from McAfee Avert Labs as they launched their official PodCast site - AudioParasitics hosted by David Marcus and Jim Walter. One day they might talk about disclosure, the other day about zero-day trends or about new rootkit functionality. AudioParasitics will be there to beat that issue into submission with its two opinionated hosts and a variety of the security industry’s finest minds.

More information at: McAfee AudioParasitics
Source: McAfee Avert Labs Blog

Do McAfee Consumer Products Support Vista? Yes and No!

jubo — Fri, 16 Feb 2007 17:36:00 GMT

Even though McAfee says it's Vista ready it's actually not ready too. If you look at the "System Requirements" for their 3 in 1 Protection suite then it only says:

Microsoft® Windows 2000 Service Pack 4, Windows XP, Windows VISTA

There are customers who have been able to install previous versions of VS10 and lower, on server OS software but that was not really supported either. VirusScan version 11 will not even install on server software. With W2K they only mean the W2K Professional version.

Worse is even for the XP and Vista users because it only supports the 32-bit version and not the 64-bit Operating System.

At the McAfee Support Forum there have been many complaints about this, but after talking with McAfee people you come to the conclusion that it is easier to change the US Constitution than adding a few characters to the McAfee web site.

So, where to find the correct information? So far I have been able to find one document, very well hidden, at the Technical Support site: Is McAfee compatible with Windows Vista? which says: "Yes, McAfee is compatible with all 32-bit versions of Microsoft Windows Vista."

This information should be up front at the McAfee Consumer site and not in one of the technical articles well hidden with all the others.

Conclusion: if you have, or get a x64 OS then have a look at other antivirus vendors like TrendMicro, NOD32, Panda or Windows Live OneCare. However, the x64-based version of XP and Vista are not yet supported by OneCare either. See: Installation requirements. But at least they tell you what you should know before installing any product.

McAfee SiteAdvisor Technology Honored at RSA2007

jubo — Tue, 13 Feb 2007 21:53:45 GMT

At RSA2007 McAfee was honered for their SiteAdvisor technology by the U.S. Department of Commerce with its “Recognition of Excellence in Innovation” honor.

The award was presented by the Honorable Robert Cresanti, U.S. Under Secretary of Commerce for Technology, for the technology’s innovative approach to making the Internet a safer place to search and surf for consumers.

See: McAfee Avert Labs Blog and Huliq.

Ask for t-shirts with McAfee logo

jubo — Wed, 07 Feb 2007 12:29:00 GMT

This marks the first year that Avert Labs has a direct presense at RSA. We will be running some very cool demos at the McAfee booth and answering questions about our research happenings. Some of the demos include password-stealing trojans, a botnet in action, and the coolest drive-by rootkit installation ever!!! Make sure you stop by booth 1730 and say “Sup Dawgs!”

We also know how hard it can be to try and catch a cab around the Moscone Center, so on Tuesday and Wednesday we will be offering free rides from RSA to any nearby location in San Francisco. Just look for the black Mini Coopers displaying the McAfee logo!

Source: McAfee Avert Labs at RSA.

And if you don't see these lightning black Mini Coopers then I would just ask for a McAfee t-shirt (black) with a red logo!

Island-Hopping Spammers

jubo — Mon, 06 Nov 2006 12:05:00 GMT

McAfee announced that its anti-spam researchers have been tracking a new trend nicknamed "spam island-hopping," in which island-hopping spammers use the domain names of small islands as Web site links in spam campaigns to disguise themselves from spam filters that traditionally catch more well-known domains. McAfee traced spam activity from the Isle of Man to the tiny tropical island of Tokelau in the South Pacific.

Traditionally, spammers have used well-known top level domains (TLDs) such as .com, .biz or .info. By using top level domains from small island countries, such as .im from the Isle of Man, spammers attempt to avoid detection by using domains previously unknown to spam filters. Using a lesser- known top level domain makes it harder to distinguish spam from legitimate e- mail by examining the links in the e-mails.

Read their press release and/or download the anti_spam.pdf.

McAfee fixes ePolicy Orchestrator and ProtectionPilot

jubo — Wed, 04 Oct 2006 19:29:26 GMT

McAfee released two updates for ePolicy Orchestrator and ProtectionPilot. The software affected are:

McAfee ePolicy Orchestrator 3.5.0 Patch 5 and earlier
McAfee ProtectionPilot 1.1.1 Patch 2 and earlier

An attacker would be able to remotely execute arbitrary code on the machine running the indicated software. It's recommended to install the latest patches:

ePolicy Orchestrator (ePO) 3.5 Patch 6
ProtectionPilot (PrP) 1.1.1 Patch 3

Detailed steps for installation of the patches and to obtain the patch binaries, see McAfee's Security Bulletin.