Tag Archives: McAfee Inc.

McAfee Comes Late To Rev. Bayes’ Party

McAfee seems to have come somewhat late to the spam party: Network Associates, Inc., ‘the leader in intrusion prevention solutions’, today announced that it has incorporated “powerful new Bayesian filtering into the latest McAfee SpamAssassin engine”. What, only now?

Bayesian filtering is a pretty powerful weapon in the war against spam. I use POPFile and K9 and would recommend either, not least because they’re free. But why has it taken so long for McAfee to get around to including it in their SpamAssassin product?

To be fair, the McAfee Bayesian filter is “fully automated in its learning abilities, whereas other competitive solutions require manual training by users or systems administrators”. That is an improvement, but I wonder how well it works.

SpamKiller/Assassin also includes some other features: Integrity Analysis (which applies algorithms to determine whether an email is spam), Heuristic Detection, Content Filtering, Black and White Lists and DNS-Blocklist Support.

New Variation Of Bagle Spreading Fast

More virus trouble afoot. This time it’s a variation of Bagle.

MessageLabs reports that it has intercepted more than 10,000 copies in an hour as of this morning. Most seem to be from the UK and the U.S., although the first copy it received was from Poland.

It appears to be a mass-mailing worm, installing a backdoor Trojan on infected machines much like its predecessor. It looks like this:

Subject: ID <random>… thanks
Text:  Unknown
Attachment: <Random>.exe
Size: 11264 bytes

EWeek says it also includes a component that notifies the author each time a new machine is infected. The attachment will mail the virus to all of the names found on the user’s hard drive, with the exception, for some reason, of addresses in the Hotmail, MSN, Microsoft and AVP domains.

Bagle.B also opens port 8866 and begins listening for remote connections, according to an analysis done by Network Associates Inc.’s McAfee AVERT team. The virus also sends an HTTP notification, presumably to the author, notifying him that the machine is infected.
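The message traits listed above (subject line, randomly named .exe attachment, 11264-byte size) are enough for a simple mail-gateway check. The following is an added example, not code from this post or from any vendor; the function names, the regex shape chosen for the "<random>" parts and the two-trait quarantine rule are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits come from the post; the regex shape for "<random>" is an assumption.
SUBJECT_RE = re.compile(r"^ID\s+\S+\s*(\.\.\.|…)\s*thanks$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^[^\\/]+\.exe$", re.IGNORECASE)
BAGLE_B_SIZE = 11264  # attachment size in bytes, as reported in the post


def bagle_b_indicators(raw: bytes) -> list[str]:
    """Return the Bagle.B traits matched by a raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject")
    for part in msg.iter_attachments():
        if not ATTACH_RE.match(part.get_filename() or ""):
            continue
        hits.append("exe-attachment")
        # Compare the decoded size, not the base64-encoded size on the wire.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == BAGLE_B_SIZE:
            hits.append("size")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Require an .exe attachment plus one more trait (assumed policy)."""
    hits = bagle_b_indicators(raw)
    return "exe-attachment" in hits and len(hits) >= 2


def _sample(subject: str, filename: str, size: int) -> bytes:
    """Build a constructed message with a harmless zero-filled attachment."""
    m = EmailMessage()
    m["From"] = "a@example.com"
    m["To"] = "b@example.com"
    m["Subject"] = subject
    m.set_content("Unknown")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A match on these traits is a triage signal for the gateway, not a replacement for signature-based scanning, since a later variant can change any of them.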

Update: Blaster Graph

Network Associates says that over 1.2 million systems have been affected by the Lovsan/Blaster threat, also known as W32/Lovsan.worm, which is continuing to spread at a steady rate and is infecting over 30,000 systems per hour during peak times. A detailed graph of the worm’s progress can be found at http://www.hackerwatch.org/checkup/graph.asp.