McAfee Update Causing System Problems

McAfee’s Anti-Virus update for today (5958 DAT April 21, 2010) is causing systems to be stuck in an infinite reboot cycle. If your systems have not updated yet, it is highly recommended to prevent them from doing so, disable automatic updates and any pending update tasks.

The issue comes from the update detecting a false positive on systems. It appears that only Windows XP SP3 systems are effected. McAfee detects this false positive in the file C:/WINDOWS/system32/svchost.exe and thinks it contains the W32/Wecorl.a Virus. The machine then enters a reboot cycle.

McAfee has released a temporary fix to suppress the false positive. To use the fix with VirusScan Enterprise Console 8.5i or higher, Access Protection must be first disabled by following this knowledge base article here. (Alternate Google cache page, site is very busy here.)

To correct a machine with this issue, follow these steps:

1. Download the EXTRA.DAT file here. (Or from the KB article)
2. Start the effected machine in Safe Mode
3. Copy the EXTRA.DAT file to the following location:
\Program Files\Common Files\McAfee\Engine
4. Remove svchost.exe from the quarantine.

If You’re Still Using IE6, Read This!

We still see an alarming number of users visiting our sites using Internet Explorer 6 (IE6). Although for the first time, IE8 and IE7 both had a slightly higher share than IE6.

We urge users who continue to use IE6 to update to IE7 or IE8, or switch to an alternative as soon as possible. There are numerous reasons for this. IE6 has been shown many times to be insecure, lacking privacy options, has no protection from XSS or phishing attacks, and it’s not compliant with common web standards. It’s also much slower than modern browsers, particuarly with javascript.

Upgrading your browser can have many benefits. The most important being enhanced security and privacy. Other benefits include a better browsing experience through better compliance and faster rendering. So please, upgrade your browsers!

Malware Attacks Through Ads On The Rise

Traditionally, we thought malware spreading ads were relegated to the sketchy dark corners of the Internet. Lately though, malware spreading ads have increasingly popped up on sites such as,, and  How is this happening?

In this case, it’s not a vulnerability on the sites in question. The attackers have turned their attention to the ad networks themselves. In some cases, attackers are submitting ads to the ad networks and having them served.  In some other cases, it seems that the ad networks are suffering from vulnerabilties that are being exploited, allowing the attackers to insert malicous code into otherwise legitmate ads.

The malicious ads are doing a variety of different things to attack the end user. The most recent one makes a popup that looks very much like the real Windows Security Center, detailing that your system is infected with some large number of trojans and viruses. The ad claims that it can ‘fix’ your system by installing a tool. Ads have also been seen that were sending a PDF that contains exploits for the recent Adobe Acrobat vulnerabilties.

The best defenses against these attacks are following the tried and true measures. Make sure your OS, browser, and all software is as up to date as possible. Using anti-virus software, as well as regular anti-malware/spyware scans will also help. Consider using a tool such as Secunia PSI, to help make sure 3rd party aps are up to date. Always use safe browsing sensibility, don’t click on anything suspicious, even if it’s from a website you would normally trust. Remember, there are no safe websites.

Holiday Reminder

Just a little Holiday reminder. As we get nearer to popular Holiday’s we normally see an increase in malware attacks. Remember not to open any “e-cards” or other assorted potentially malicious email from random addresses, and closely examine any that appear to come from a trusted source, such as a co-worker.

Spam Bots

We are continuing to see more and more spam bots. Spammers are not letting up and are still actively researching and breaking “captchas”. We have seen several of them broken within the past few weeks. It seems it’s about time to adopt a new system of anti-bot measures for registration forms, or increase the complexity of the captcha (while also increasing user frustration).

That reminds me of a study I was reading about spam though. The researchers in this study found that only about 1 in 12.5 million spams result in a sale of whatever was being spammed about. However, even with this atrocious rate, the spammers are estimated to be generating around $7,000 a day!

MS08-067 Gone To Worm

A worm has been spotted in the wild that is exploiting the MS08-067 vulnerability for which Microsoft released an out-of-band update for yesterday. We urge you to update as soon as possible as there is now working code in the wild. All servers should be patched, especially external ones. If for some reason you have RPC exposed to the world, a very close look should be given to those systems as they may have already been compromised. Internal systems should be patched as soon as possible since this is now a worm, a worm that could be brought in through laptops or other means of access.
A little info on the worm itself, it has been dubbed Gimmiv.A. When the worm executes it will drop three files, winbase.dll, basesvc.dll and syicon.dll into the %System%\Wbem\basesvc.dll. It will then install a service named BaseSvc which will then force svchost.exe to load the trojan dlls. The trojan will collect data from the machine, including passwords, and send them to a remote machine.

Critical Windows Update

Today Microsoft is rolling out an unscheduled update. This vulnerability is critical and there are reports that it has been exploited by malware for the last few weeks. The most vulnerable systems are Windows 2000, Windows XP and Windows 2003. On these systems it is possible exploit the system without authentication. On Windows Vista and Windows Server 2008, the exploit requires authentiation to run, it would likely also lead to a Denial of Service condition due to the use of DEP and ASLR in these versions of Windows.

This is the first vulnerability that can be easily wormable in the past few years. It is very important that this update be tested and rolled out by your organization as soon as possible to prevent exploitation. The Security Bulletin can be found here.


I’d like to go over some of the tools that we mention on the blog. The first one I’d like to take a look at is OSSEC. You may have heard of us talking about it before, we mentioned it a few days ago. That was in relation to HoneyPoints and using OSSEC as another layer of your “defense in depth” strategy. I’ll explain what it does, and how it can help you.

First of all, what is OSSEC? OSSEC is an acronym for “Open Source Host-based Intrusion Detection System”. From the name you can see it’s a Host-based Intrusion Detection System (HIDS). As a HIDS it has the capability to do log analysis, integrity checking, Windows registry monitoring (and event log), rootkit detection, real-time alerting and active response against malicious hosts. It can be run locally, or as a centralized system with agents running on hosts.

So how does OSSEC relate to HoneyPoint? Well they both watch different things, and complement each other. While HoneyPoints are psuedo services and capture traffic from them, OSSEC watches real services for probes and compromises. It does this largely by a system of log analysis. I won’t go into it deeply, but the log analysis rules are very configurable, chainable, and fairly easy to write for anyone that knows regex and has a familiarity of basic scripting language.

With OSSEC’s active monitoring, it’s possible for the host to dynamically write firewall rules to block that host. Similar to HoneyPoints Plugin interface, with which you could also use to write a plugin to do that. You could even use OSSEC to watch your HoneyPoint Console syslogs and integrate HoneyPoint Console triggers with its own active response rules, to centralize blocking of hosts between HPSS and OSSEC.

As you can see, OSSEC can work quite nicely with HoneyPoint Security Server as part of a “defense in depth” strategy. There’s no single tool to “rule them all”, so to speak, so it’s important to watch from multiple perspectives! If you want to check out OSSEC, you can visit

WordPress Exploit

An exploit to hijack the administrator account has been released for WordPress. The exploit takes advantage of some flaws in both MySQL and the web application, and this vulnerability most likely affects other web applications. More information on the MySQL vulnerability can be found here. As such, we have disabled registration temporarily for this site, until WordPress has mitigated the vulnerability. We recommend that you do the same, for WordPress or anyother web application affected by this issue.

CERT Warns of SSH Attacks

Earlier this week US-CERT warned of attacks using stolen SSH keys. After access is gained to the machine, a rootkit (Phalanx2), is installed on the system. Once installed, the rootkit steals other keys from the system and sends them back to the attacker, allowing them to compromise other machines. The rootkit seems to create a directory, existance of the directory /etc/khubd.p2/ indicates a compromise. However, it should not be assumed because it’s not there that the machine is not compromised. It’s believed at least some of these machines were compromised by the Debian SSL Key bug from the summer.

US-CERT has provided some mitigation strategies to ensure that machines do not get compromised by this exploit. First, identify and examine systems where SSH keys are used as part of automated process. Any instance where keys are used without passphrases, a  passphrase should be used to reduce the risk of a compromise. Finally, ensure that internet facing systems are fully patched.