Network Security Incidents

Re: Possible Mail server compromise ?

Subject: Re: Possible Mail server compromise ?
Date: Wed, 13 Feb 2008 00:09:56 -0500
On Wed, 2008-02-13 at 00:41 +0100, Faas M. Mathiasen wrote:
[snip]
Is anybody aware if this is common knowledge? Who else has seen such
an attack? Are you monitoring your mail servers for such compromises
regularly? The name of the Anti-Virus scanner will not be told; the
exploit might be available upon request, as soon as we have analyzed it
for content that might reveal specifics
about us.

Unfortunately, this is not an uncommon occurrence as numerous
vulnerabilities have been discovered in AV vendor software [1].  In
fact, SANS listed antivirus software as one of the top 20 security risks
of 2007 [2].  While many of these vulnerabilities are considered only
"locally" exploitable, using the engines within the context of a mail
server exposes them to be triggered remotely by any rogue email as you
have seen.

To address these exploits against mail servers (and against normal end
hosts as well), I'd suggest deploying your scan engines within a
disposable virtualized environment that can be thrown away when an
exploit is detected and restored from a clean snapshot.  For example, we
currently employ a milter frontend that sends mail attachments to a
backend service for analysis that has 10 antivirus engines and 2
behavioral engines, each within a Xen VM instance.  This obviously
increases the amount of malware we can detect with multiple,
heterogeneous engines, but more importantly, provides strong isolation
from the mail server itself.

Regards,
Jon Oberheide

[1] NVD vulnerabilities by AV vendor between 2005 and 2007
[2] http://www.sans.org/top20/#s5

-- 
Jon Oberheide <jon@oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE

Attachment: av-vulns.png
Description: PNG image
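The disposable-engine design Jon describes above, as an added illustration that is not his milter or any code from the thread: a frontend pulls the attachments out of a MIME message, the backend runs each one through every engine in its own stand-in sandbox with a timeout, and an engine that crashes or hangs on a sample is itself treated as a detection, with its sandbox rolled back to the clean snapshot. The `Sandbox` and `Verdict` classes, both engines and the sample message are constructed for this example; the in-process thread pool stands in for the Xen VMs.

```python
import concurrent.futures as cf
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable

@dataclass
class Sandbox:                        # stands in for one disposable VM running one engine
    name: str
    engine: Callable[[bytes], bool]   # True means "malware detected"
    restores: int = 0                 # how often the clean snapshot has been reloaded

@dataclass
class Verdict:
    detected: list = field(default_factory=list)   # engines that flagged the sample
    crashed: list = field(default_factory=list)    # engines that died or hung on it
    def quarantine(self) -> bool:     # a crash counts as a hit: the sample may target the scanner
        return bool(self.detected or self.crashed)

def scan_blob(data: bytes, sandboxes: list, timeout: float = 5.0) -> Verdict:
    verdict = Verdict()
    pool = cf.ThreadPoolExecutor(max_workers=len(sandboxes))
    futures = {pool.submit(sb.engine, data): sb for sb in sandboxes}
    for fut, sb in futures.items():
        try:
            if fut.result(timeout=timeout):
                verdict.detected.append(sb.name)
        except Exception:             # engine raised, or cf.TimeoutError on a hang
            verdict.crashed.append(sb.name)
            sb.restores += 1          # real deployment: discard the VM, revert to snapshot
    pool.shutdown(wait=False)         # never block the mail flow on a hung engine
    return verdict

def scan_message(raw: bytes, sandboxes: list) -> dict:
    """Milter side: hand every attachment of one MIME message to the backend."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename() or "unnamed": scan_blob(p.get_payload(decode=True), sandboxes)
            for p in msg.iter_attachments()}
sig_engine = lambda data: b"EICAR" in data      # constructed signature-style engine
def fragile_engine(data: bytes) -> bool:        # constructed engine with a parser bug
    if data.startswith(b"\xff\xfe"):
        raise RuntimeError("engine segfaulted")
    return False
def build_sample_mail() -> bytes:     # constructed message: one benign, one trigger attachment
    m = EmailMessage()
    m.set_content("see attachments")
    m.add_attachment(b"plain data", maintype="application", subtype="octet-stream", filename="benign.bin")
    m.add_attachment(b"\xff\xfe junk", maintype="application", subtype="octet-stream", filename="trigger.bin")
    return m.as_bytes()
```

The quarantine decision deliberately fires on an engine crash even when no engine reports malware, which is the signal the thread is about.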
