Incidents

Thread: Possible Mail server compromise ?
Possible Mail server compromise ? - Feb 04 2008 06:28PM - Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? - Feb 12 2008 11:41PM - Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? - Feb 04 2008 07:05PM - Jon R. Kibler (Jon Kibler aset com) (1 replies)
Re: Possible Mail server compromise ? - Feb 04 2008 09:39PM - Tony Maupin (tony themaupins com) (1 replies)
Re: Possible Mail server compromise ? - Feb 04 2008 09:57PM - Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Since I got a storm of e-mail to my last post, I'd like to summarise
some of them and have something more structured:
Jon Oberheide sent me some impressive statistics with regard to
vulnerabilities within AV software; interestingly enough, most of them
are remotely exploitable :O
That said, I'll answer my own questions :
> Is anybody aware if this is common knowledge?
Apparently it is, somebody pointed me to these presentations :
Attacking Anti-Virus - Feng Xue (a.k.a Sowhat), Nevis Labs @ BlackHat 2008
Couldn't find any material ?
The Death of Anti-Virus Defense in Depth? - Revisiting AV Software by
Sergio Alvarez and Thierry Zoller
@ this year's CanSecWest 2008 and last year's Hack.lu 2007
http://www.nruns.com/ps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf
The interesting thing about it is that in one slide they show exactly
what happened !! :O Scary this even works, looks cute and unrealistic
on paper but feels terrible when it bites you in the behind.
Alex Wheeler (ISS) found a lot of these bugs in 2005!
http://www.theregister.co.uk/2005/03/18/mcafee_vuln/
The more I searched the more I found ?
>Who else has seen such
> an attack ?
Apparently they happen, as the guys from n.runs seem to have invented
some sort of solution for this problem, rendering attacks on AV
impossible (??); they call it aps-AV:
"Protects your company from malware threats (Worms, Virus, Trojans..),
aps-AV reuses your existing Anti-Virus software and supports multiple
Anti-Virus engines. aps-AV increases the malware detection rate
through the diversity and heuristics of these multiple engines.
However unlike the competition, aps-AV does not increase the remotely
exploitable attack surface."
http://www.nruns.com/_en/aps/
http://www.nruns.com/_downloads/aps-AV-Solution-Paper-EN.pdf
Is anybody using that system ?
> Are you monitoring your mail servers for such compromises
> regularly? The name of the Anti-Virus scanner will not be told;
> the exploit might be available upon request, as soon as we have
> analyzed it for content that might reveal specifics
> about us.
>
> Regards,
> Faas M. Mathiasen
> CISSP Denmark
>
> [1]
>
> > Dear List,
> > "We" have noticed an odd traffic pattern emerging from our mail
> > servers; an important amount of data left our network over the mail
> > server. Please understand "we" would like
> > to remain anonymous at this point. We monitored our mail servers for
> > availability and the patch level is as to latest specifications,
> > additionally we have anti-virus software
> > installed on all E-mail servers.
> >
> > Is anybody aware of an unpatched exploit against Exchange Server 2007 ?
> > Is there any other threat we have not taken into consideration ?
> >
> > Do you have recommendations as to how to proceed ? Obviously our mail
> > servers hold important information and we can't simply turn them off.
> > Though we have procedures on how to respond to incidents, we don't have
> > a procedure for this particular case: as our mail server is inside our
> > company, maintained and updated regularly, we had no important reason
> > to believe it could be compromised.
> >
> > We are currently investigating and took it offline for a few hours,
> > while installing a new clean server.
> >
> > Regards,
> > Faas M. Mathiasen
> > CISSP Denmark
> >
>