Incidents
Possible Mail server compromise ? Feb 04 2008 06:28PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 12 2008 11:41PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 18 2008 07:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (2 replies)
Dear All,
Since I got a storm of e-mail to my last post, I'd like to summarise
some of them and have something more structured:

Jon Oberheide sent me some impressive statistics with regard to
vulnerabilities within AV Software, interestingly enough most of them
are remotely exploitable :O

That said, I'll answer my own questions :
> Is anybody aware if this is common knowledge?
Apparently it is, somebody pointed me to these presentations :

Attacking Anti-Virus - Feng Xue (a.k.a. Sowhat), Nevis Labs @ Black Hat 2008
Couldn't find any material ?

The Death of Anti-Virus defense in Depth? - Revisiting AV Software by
Sergio Alvarez and Thierry Zoller
@ this year's CanSecWest 2008 and last year's Hack.lu 2007
http://www.nruns.com/ps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf

The interesting thing about it is that in one slide they show exactly
what happened !! :O Scary this even works, looks cute and unrealistic
on paper but feels terrible when it bites you in the behind.

Alex Wheeler (ISS) found a lot of these bugs in 2005!
http://www.theregister.co.uk/2005/03/18/mcafee_vuln/

The more I searched the more I found ?

> Who else has seen such an attack ?
Apparently they happen, as the guys from n.runs seem to have invented
some sort of solution for this problem, rendering attacks on AV
impossible (??) they call it aps-AV :
"Protects your company from malware threats (Worms, Virus, Trojans..),
aps-AV reuses your existing Anti-Virus software and supports multiple
Anti-Virus engines. aps-AV increases the malware detection rate
through the diversity and heuristics of these multiple engines.
However unlike the competition, aps-AV does not increase the remotely
exploitable attack surface."

http://www.nruns.com/_en/aps/
http://www.nruns.com/_downloads/aps-AV-Solution-Paper-EN.pdf

Is anybody using that system ?

>Are you monitoring your mail servers for such compromises
> regularly? The name of the Anti-Virus scanner will not be told,
> exploit might be available up on request, as soon as we analyzed it
> for content that might reveal specifics
> about us.
>
> Regards,
> Faas M. Mathiasen
> CISSP Denmark
>
> [1]
>
> > Dear List,
> > "We" have noticed an odd traffic pattern emerging from our mail
> > servers, an important amount of data left our network over the mail
> > server. Please understand "we" would like
> > to remain anonymous at this point. We monitored our mail servers for
> > availability and the patch level is as to latest specifications,
> > additionally we have anti-virus software
> > installed on all E-mail servers.
> >
> > Is anybody aware of an unpatched exploit against Exchange Server 2007 ?
> > Is there any other threat we have not taken into consideration ?
> >
> > Do you have recommendations as to how to proceed ? Obviously our mail
> > servers hold important information and we can't simply turn them off,
> > though we have procedures on how to respond to incidents we don't have
> > a procedure for this particular case, as our mail server is inside our
> > company, maintained and updated regularly we had no important reason
> > to believe it could be compromised.
> >
> > We are currently investigating and took it off line for a few hours,
> > while installing a new clean server.
> >
> > Regards,
> > Faas M. Mathiasen
> > CISSP Denmark
> >
>
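
The question quoted above about regularly monitoring mail servers, as an added example that is not part of the original post: a per-host check that flags days whose outbound volume is far above that host's own baseline. The host names, dates, byte counts and the `k` and floor parameters are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed daily outbound byte totals per host (e.g. summed from NetFlow
# or firewall logs). Host names, dates and volumes are made up.
SAMPLE = [
    ("2008-01-28", "mail01", 410_000_000),
    ("2008-01-29", "mail01", 395_000_000),
    ("2008-01-30", "mail01", 430_000_000),
    ("2008-01-31", "mail01", 402_000_000),
    ("2008-02-01", "mail01", 388_000_000),
    ("2008-02-02", "mail01", 2_900_000_000),  # constructed spike
    ("2008-02-03", "mail01", 415_000_000),
    ("2008-01-28", "dc01", 50_000_000),
    ("2008-01-29", "dc01", 52_000_000),
    ("2008-01-30", "dc01", 48_000_000),
    ("2008-01-31", "dc01", 51_000_000),
    ("2008-02-01", "dc01", 49_000_000),
    ("2008-02-02", "dc01", 50_000_000),
    ("2008-02-03", "dc01", 53_000_000),
]

def egress_outliers(records, k=6.0, min_days=5):
    """Return sorted (day, host, bytes, threshold) for days whose outbound
    volume exceeds median + k * MAD of the same host's other days."""
    by_host = defaultdict(list)
    for day, host, nbytes in records:
        by_host[host].append((day, nbytes))
    alerts = []
    for host, days in by_host.items():
        for day, nbytes in days:
            # Leave the day under test out of its own baseline.
            history = [b for d, b in days if d != day]
            if len(history) < min_days:
                continue  # not enough history to judge this host yet
            med = median(history)
            mad = median(abs(b - med) for b in history)
            # Floor the spread at 5% of the median so a very flat
            # baseline does not alert on ordinary day-to-day noise.
            threshold = med + k * max(mad, 0.05 * med)
            if nbytes > threshold:
                alerts.append((day, host, nbytes, int(threshold)))
    return sorted(alerts)

if __name__ == "__main__":
    for day, host, nbytes, limit in egress_outliers(SAMPLE):
        print(f"{day} {host}: {nbytes} bytes out, baseline limit {limit}")
```

Median and MAD are used instead of mean and standard deviation so that the spike itself does not inflate the baseline for the surrounding days.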

Copyright 2010, SecurityFocus