McAfee and PathDefender Shouldn’t be Making It Easier For Hackers To Disguise Malicious Code

When it comes to companies involved with the security of websites, we don’t get a sense that many of them either know much about security or care about it. The latest case in point comes from something we noticed while cleaning up a hacked website recently.

The .htaccess file in the root of the website included the following code:

### Start McAfeeSECURE Code DO NOT EDIT ###
<IfModule mod_substitute.c>
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|</body>|<!-- Start McAfeeSecure Code --><script type=\"text/javascript\" src=\"//cdn.ywxi.net/js/1.js\" async=\"true\"></script><!-- End McAfeeSecure Code --></BODY>|ni"
</IfModule>
### End McAfeeSECURE Code DO NOT EDIT ###

That code causes JavaScript code from the domain ywxi.net to be loaded on the pages of the website. Upon seeing that are first thought was that this was likely something added by a hacker. While it was labeled as being code for McAfee SECURE, hackers often disguise there code in a similar fashion. What made us the most suspicious was that strange domain, which just seems to be a random assortment of letters and doesn’t seem to have any connection with McAfee. When we checked the WHOIS for the domain it listed it as belonging to PathDefender, which if you do Google search on you won’t find much information on, but they do seem to be the actual people behind McAfee SECURE.

What makes this so head scratching is that it would be quite easy for them to use a subdomain of mcafeesecure.com (e.g. trustmark.mcafeesecure.com) for the service instead of the odd address, cdn.ywxi.net. From actually dealing with hacked websites often, if we were involved with this service it would be a major issue. If legitimate code is accessing JavaScript code from a domain that is an odd assortment of letters then people are less likely to notice if a hacker were to add code referencing another random domain. Whereas McAfee probably monitors for registration of domains similar to theirs and would get one made to seem similar to mcafeesecure.com shut down before it could be much use in such a situation.

We do have a pretty good idea why McAfee Secure and PathDefender don’t seem to have had the same concern. If you view the list of employees at PathDefender you can see that almost none of them actually seem to have a technical role at the company. It seems to be mostly a sales organization. This isn’t surprising since products like McAfee SECURE seem to be mostly focused on promoting that websites are secure then actually making sure they are secure. That can be seen pretty clearly on the homepage of the McAfee SECURE website which repeatedly promotes the service increasing customer sales:

mcafee-secure-homepage-1

mcafee-secure-homepage-2

 

mcafee-secure-homepage-3

It only gets to actually security in the fourth section of the page and even then it is only mentioned as one of six features:

mcafee-secure-homepage-4

As we mentioned in the beginning of the post, this was something that was on hacked website, so the service didn’t keep a website secure when it was under attack in at least one instance and based on our experience with cleaning up hacked websites using similar services in the past that probably isn’t an outlier.