Re: Possible Mail server compromise ?

["Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>]

Dear All,
Since I got a storm of e-mail to my last post, I'd like to summarise
some of them
and have something more structured:

Jon Oberheide send me some impressive statistics with regards of
vulnerabilities within AV Software, interesting enough most of them
are remotely exploitable :O

That said, I'll answer my own questions :
> Is anybody aware if this is common knowledge?
Apparently it is, somebody pointed me to these presentations :

Attacking Anti-Virus - Feng Xue (a.k.a Sowhat), Nevis Labs @Blachkat 2008
Couldn't find any material ?

The Death of Anti-Virus defense in Depth? - Revisiting AV Software by
Sergio Alvarez and Thierry Zoller
@ this years Cansecwest 2008 and last years Hack.lu 2007
http://www.nruns.com/ps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf

The interesting thing about it is that in one slide they show exactly
what happened !! :O Scary this even works, looks cute and unrealistic
on paper but feels terrible when it bites you in the behind.

Alex Wheeler (ISS) found  a lot of these bugs in 2005!
http://www.theregister.co.uk/2005/03/18/mcafee_vuln/

The more I searched the more I found ?

> Who else has seen such
> an attack ?
Apparently they happen, as the guys from n.runs seem to have invented
some sort of solution for this problem, rendering attacks on AV
impossible (??) they call it aps-AV :
"Protects your company from malware threats (Worms, Virus, Trojans..),
aps-AV reuses your existing Anti-Virus software and supports multiple
Anti-Virus engines. aps-AV increases the malware detection rate
through the diversity and heuristics of these multiple engines.
However unlike the competition,  aps-AV does not increase the remotely
exploitable attack surface."

http://www.nruns.com/_en/aps/
http://www.nruns.com/_downloads/aps-AV-Solution-Paper-EN.pdf

Is anybody using that system ?

> Are you monitoring your mail servers for such compromises
> regularly? The name of the Anti-Virus scanner will not be told,
> exploit might be available up on request, as soon as we analyzed it
> for content that might reveal specifics
> about us.
>
> Regards,
> Faas M. Mathiasen
> CISSP Denmark
>
> [1]
>
> > Dear List,
> > "We" have noticed a odd traffic pattern emerging from our mail
> > servers, an important amount of data left our network over the mail
> > server. Please understand "we" would like
> > to remain anonymous at this point. We monitored our mail servers for
> > availability and the patch level is as to latest specifications,
> > additionally we have anti-virus software
> >  installed on all E-mail servers.
> >
> > Is anybody aware of an unpatched exploit against Exchange Server 2007  ?
> >  Is there any other threat we have not taken into consideration ?
> >
> > Do you have recommendations as to how to proceed ? Obviously our mail
> > server hold important information and we can't simply turn them off,
> > though we have procedures on how to respond to incidents we don't have
> > a procedure for this particular case, as our mail server is inside our
> > company, maintained and updated regularly we had no important reason
> > to believe it could be compromised.
> >
> > We are currently investigating and took it off line for a few hours,
> > while installing a new clean server.
> >
> > Regards,
> > Faas M. Mathiasen
> > CISSP Denmark