Incidents
Possible Mail server compromise ? Feb 04 2008 06:28PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 12 2008 11:41PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 18 2008 07:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:43AM
Eduardo Tongson (propolice gmail com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:33PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 02:38AM
Eduardo Tongson (propolice gmail com)
Re: Possible Mail server compromise ? Feb 19 2008 05:35PM
Bob Toxen (vger verysecurelinux com) (2 replies)
On Mon, Feb 18, 2008 at 08:19:41PM +0100, Faas M. Mathiasen wrote:
> Dear All,
> Since I got a storm of e-mail to my last post, I'd like to summarise
> some of them
> and have something more structured:

> Jon Oberheide send me some impressive statistics with regards of
> vulnerabilities within AV Software, interesting enough most of them
> are remotely exploitable :O
Most? I would expect most to offer patches quickly.

> That said, I'll answer my own questions :
> > Is anybody aware if this is common knowledge?
> Apparently it is, somebody pointed me to these presentations :

> Attacking Anti-Virus - Feng Xue (a.k.a Sowhat), Nevis Labs @Blachkat 2008
> Couldn't find any material ?

> The Death of Anti-Virus defense in Depth? - Revisiting AV Software by
> Sergio Alvarez and Thierry Zoller
> @ this years Cansecwest 2008 and last years Hack.lu 2007
> http://www.nruns.com/ps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti
-Virus_Software.pdf

> The interesting thing about it is that in one slide they show exactly
> what happened !! :O Scary this even works, looks cute and unrealistic
> on paper but feels terrible when it bites you in the behind.

> Alex Wheeler (ISS) found a lot of these bugs in 2005!
> http://www.theregister.co.uk/2005/03/18/mcafee_vuln/

> The more I searched the more I found ?

> >Who else has seen such
> > an attack ?
> Apparently they happen, as the guys from n.runs seem to have invented
> some sort of solution for this problem, rendering attacks on AV
> impossible (??) they call it aps-AV :
> "Protects your company from malware threats (Worms, Virus, Trojans..),
> aps-AV reuses your existing Anti-Virus software and supports multiple
> Anti-Virus engines. aps-AV increases the malware detection rate
> through the diversity and heuristics of these multiple engines.
> However unlike the competition, aps-AV does not increase the remotely
> exploitable attack surface."
That sounds like "snake oil". The more code (i.e., adding their
product) the greater the "remotely exploitable attack surface".

We have developed an excellent spam and virus filter that uses ClamAV as
the virus signature matching engine and have had great success with it.
We also add our own proprietary virus filtering on top of ClamAV to
block most viruses too new to have a signature.

> http://www.nruns.com/_en/aps/
> http://www.nruns.com/_downloads/aps-AV-Solution-Paper-EN.pdf

> Is anybody using that system ?
I hope not.

> >Are you monitoring your mail servers for such compromises
> > regularly? The name of the Anti-Virus scanner will not be told,
> > exploit might be available up on request, as soon as we analyzed it
> > for content that might reveal specifics
> > about us.
Yes, monitoring mail servers and virus filters (if separate) for
compromise and keeping patches up-to-date is critical, of course.

Best regards,

Bob Toxen, CTO
Horizon Network Security
"Your expert in Spam and Virus Filters, Linux server hardening, Firewalls,
Network Monitoring, Linux System Administration, VPNs, local and remote
backup software, and Network Security consulting, in business for
18 years."

www.VerySecureLinux.com/virus.html [Spam and virus filter]
www.RealWorldLinuxSecurity.com [Our 5* book: "Real World Linux Security"]
bob (at) VerySecureLinux (dot) com [email concealed] (e-mail)
+1 770.662.8321 (Office: 10am-6pm M-F U.S. Eastern Time)

My article on "The Seven Deadly Sins of Linux Security" was
published in the May/June 2007 issue of ACM's QUEUE Magazine.

Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, 848 pages, ISBN: 9780130464569
Also available in Japanese, Chinese, Czech, and Polish.

> > Regards,
> > Faas M. Mathiasen
> > CISSP Denmark
> >
> > [1]
> >
> > > Dear List,
> > > "We" have noticed a odd traffic pattern emerging from our mail
> > > servers, an important amount of data left our network over the mail
> > > server. Please understand "we" would like
> > > to remain anonymous at this point. We monitored our mail servers for
> > > availability and the patch level is as to latest specifications,
> > > additionally we have anti-virus software
> > > installed on all E-mail servers.
> > >
> > > Is anybody aware of an unpatched exploit against Exchange Server 2007 ?
> > > Is there any other threat we have not taken into consideration ?
> > >
> > > Do you have recommendations as to how to proceed ? Obviously our mail
> > > server hold important information and we can't simply turn them off,
> > > though we have procedures on how to respond to incidents we don't have
> > > a procedure for this particular case, as our mail server is inside our
> > > company, maintained and updated regularly we had no important reason
> > > to believe it could be compromised.
> > >
> > > We are currently investigating and took it off line for a few hours,
> > > while installing a new clean server.
> > >
> > > Regards,
> > > Faas M. Mathiasen
> > > CISSP Denmark

[ reply ]
Re: Possible Mail server compromise ? Feb 20 2008 02:14AM
Jon Oberheide (jon oberheide org) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 05:11PM
Valdis Kletnieks vt edu (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:25PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 11:07PM
Peter Kosinar (goober ksp sk) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 10:49AM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
RE: Possible Mail server compromise ? Feb 22 2008 12:38AM
Richard C Lewis (chad mr-lew com) (1 replies)
Re: Possible Mail server compromise ? Feb 26 2008 04:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 19 2008 06:46PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:48PM
Eygene Ryabinkin (rea-sec codelabs ru) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 10:59PM
Valdis Kletnieks vt edu (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 10:31AM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 05:13PM
Paul Schmehl (pauls utdallas edu)
Re: Possible Mail server compromise ? Feb 20 2008 07:10PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 20 2008 07:05AM
Bob Toxen (vger VerySecureLinux com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:25PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 20 2008 01:51AM
Valdis Kletnieks vt edu
Re: Possible Mail server compromise ? Feb 13 2008 09:55AM
Michael Loftis (mloftis wgops com)
Re: Possible Mail server compromise ? Feb 13 2008 05:09AM
Jon Oberheide (jon oberheide org)
Re: Possible Mail server compromise ? Feb 04 2008 07:05PM
Jon R. Kibler (Jon Kibler aset com) (1 replies)
Re: Possible Mail server compromise ? Feb 04 2008 09:39PM
Tony Maupin (tony themaupins com) (1 replies)
Re: Possible Mail server compromise ? Feb 04 2008 09:57PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 05 2008 05:49PM
Valdis Kletnieks vt edu
RE: Possible Mail server compromise ? Feb 04 2008 06:58PM
Worrell, Brian (BWorrell isdh IN gov)


 

Privacy Statement
Copyright 2010, SecurityFocus