Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: Jon Oberheide <jon () oberheide org>
Date: Wed, 13 Feb 2008 00:09:56 -0500
On Wed, 2008-02-13 at 00:41 +0100, Faas M. Mathiasen wrote:
[snip]
> Is anybody aware if this is common knowledge? Who else has seen such an attack? Are you monitoring your mail servers for such compromises regularly? The name of the Anti-Virus scanner will not be told; the exploit might be available upon request, as soon as we have analyzed it for content that might reveal specifics about us.
Unfortunately, this is not an uncommon occurrence, as numerous vulnerabilities have been discovered in AV vendor software [1]. In fact, SANS listed antivirus software as one of the top 20 security risks of 2007 [2]. While many of these vulnerabilities are considered only "locally" exploitable, using the engines within the context of a mail server exposes them to be triggered remotely by any rogue email, as you have seen.

To address these exploits against mail servers (and against normal end hosts as well), I'd suggest deploying your scan engines within a disposable virtualized environment that can be thrown away when an exploit is detected and restored from a clean snapshot. For example, we currently employ a milter frontend that sends mail attachments to a backend service for analysis that has 10 antivirus engines and 2 behavioral engines, each within a Xen VM instance. This obviously increases the amount of malware we can detect with multiple, heterogeneous engines, but more importantly, provides strong isolation from the mail server itself.

Regards,
Jon Oberheide

[1] NVD vulnerabilities by AV vendor between 2005 and 2007
[2] http://www.sans.org/top20/#s5

--
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
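The frontend/backend split Jon describes, as an added example that is not part of his message or of any real milter: a small Python driver that extracts attachments from a message and hands each one to an engine running in a throwaway worker process. The process is started fresh for every scan (standing in for a VM restored from a clean snapshot) and is simply discarded if it crashes or hangs, and any engine failure causes the message to be quarantined rather than delivered. The two engines, their marker strings and the sample messages are all constructed for the example; real engines would be invoked inside the sandbox in the same place.

```python
"""Disposable-sandbox attachment scanning (illustrative, constructed example).

A fresh worker process per engine per attachment stands in for the per-engine
VM restored from a clean snapshot; a crashed or hung worker is thrown away and
reported as an engine failure, which the policy below treats as 'quarantine'.
"""
import multiprocessing as mp
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCAN_TIMEOUT = 2.0  # seconds an engine may spend on one attachment

# --- constructed stand-in engines (not real AV products) --------------------
def engine_signature(data: bytes) -> str:
    """Toy signature engine: flags a constructed marker string."""
    return "malicious" if b"MALWARE-SAMPLE" in data else "clean"

def engine_fragile(data: bytes) -> str:
    """Toy engine with a simulated parser defect: a constructed trigger makes
    the worker die the way a memory-corruption crash would (SIGSEGV-style exit)."""
    if b"CRASH-ENGINE" in data:
        os._exit(139)
    return "clean"

ENGINES = {"sig": engine_signature, "fragile": engine_fragile}

# --- sandbox driver (the "backend service") ---------------------------------
def _worker(engine_name: str, data: bytes, conn) -> None:
    """Runs inside the disposable process; reports a verdict over the pipe."""
    try:
        conn.send(ENGINES[engine_name](data))
    except Exception as exc:  # an engine exception is still an engine failure
        conn.send("engine-error:" + type(exc).__name__)
    finally:
        conn.close()

def scan_in_sandbox(engine_name: str, data: bytes) -> str:
    """Run one engine on one attachment in a fresh process.

    Returns the engine's verdict, or 'engine-failure' when the worker hung,
    crashed, or raised; the worker is never reused, so a compromised engine
    state cannot leak into the next scan or into the mail server."""
    parent, child = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(engine_name, data, child))
    proc.start()
    child.close()
    proc.join(SCAN_TIMEOUT)
    if proc.is_alive():                      # hung engine: discard the sandbox
        proc.kill()
        proc.join()
        parent.close()
        return "engine-failure"
    if proc.exitcode != 0:                   # crashed engine: discard the sandbox
        parent.close()
        return "engine-failure"
    verdict = parent.recv() if parent.poll() else "engine-failure"
    parent.close()
    return "engine-failure" if verdict.startswith("engine-error") else verdict

# --- the "milter frontend" side ---------------------------------------------
def extract_attachments(raw: bytes):
    """Yield (filename, bytes) for every attachment part of a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(p.get_filename() or "unnamed", p.get_content())
            for p in msg.iter_attachments()]

def scan_message(raw: bytes) -> dict:
    """Per-attachment decision across all engines.

    Fail closed: a 'malicious' verdict rejects; an engine failure quarantines
    (the attachment may be the thing that broke the engine); only a clean
    verdict from every engine delivers."""
    report = {}
    for name, data in extract_attachments(raw):
        verdicts = {e: scan_in_sandbox(e, data) for e in ENGINES}
        if "malicious" in verdicts.values():
            decision = "reject"
        elif "engine-failure" in verdicts.values():
            decision = "quarantine"
        else:
            decision = "deliver"
        report[name] = (decision, verdicts)
    return report

def build_mail(attachment: bytes, filename: str) -> bytes:
    """Constructed sample message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for payload in (b"plain bytes", b"xx MALWARE-SAMPLE xx", b"xx CRASH-ENGINE xx"):
        print(scan_message(build_mail(payload, "invoice.bin")))
```

The point to notice is the third case: the attachment that kills the fragile engine never crashes the frontend, the signature engine still reports on it independently, and the overall decision is quarantine rather than a silent "clean", which is the behaviour you want when a crafted file is what took the scanner down.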