Battling SoBig.f induced bandwidth problems

From: Alex Kramarov (alexincredimail.com)
Date: Tue Aug 19 2003 - 16:04:44 CDT


I would like to share a solution that I applied to my server to counter the
flooding effect of this worm - my 2 T1 and other smaller connections to
the internet were completely flooded by incoming mail within 3 hours of the
worm starting to spread.

As is known, the worm attempts to send emails repeatedly to the same addresses,
and every email message is around 100K, so the only way to have ANY mail traffic
going during the attack is to block the infected computers from hitting the
server, so blocking incoming connections from infected IPs dramatically
reduces bandwidth consumption.

The system is based on postfix detecting and logging the viruses by the
subject (there are about 10 different subjects the worm uses), and a cron
job parsing the log files and applying iptables rules to block the infected
PCs. The system is not perfect, but it can help survive this smtp storm.

To detect the viruses, I created a map for header checking at
/etc/postfix/header_checks containing:

/^Content-(Type|Disposition):.*(file)?name *=.*\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)/ REJECT Email rejected, an attachment with .${3} extension detected.
/^Subject: Re: (Movie|Application)/ REJECT the email subject is identical to the one produced by W32-SoBig worm
/^Subject: Your mail server sent us a virus$/ REJECT Thanks, but no thanks - your notifications cause more problems than they solve.
/^Subject: Re: Approved$/ REJECT Rejected, probably sent by a W32.HLLW.Mankx virus
/^Subject: Re: Details$/ REJECT Rejected, probably sent by a W32.HLLW.Mankx virus
/^Subject: Re: Wicked screensaver$/ REJECT Rejected, probably sent by a W32.HLLW.Mankx virus
/^Subject: Re: Re: My details$/ REJECT Rejected, probably sent by a W32.HLLW.Mankx virus
/^Subject: Re: Your application$/ REJECT Rejected, probably sent by a W32.HLLW.Mankx virus
/^Subject: (Re: |)Thank you!$/ REJECT Rejected, probably sent by a W32.HLLW.Mankx virus

The first line blocks all executable attachments (you do not need these for
this particular job, but it helps to trap other viruses), the second blocks
the W32-SoBig.e, which produces the virus in zip files, and the "Your mail
server sent us a virus" blocks the "helpful" notifications of other
antivirus software.

The last few subjects detect the W32.HLLW.Mankx worm messages, and log them
into maillog. To make postfix actually apply the checks, add the following
to main.cf:

header_checks = regexp:/etc/postfix/header_checks

After this, your clients will not receive these messages, and this is
halfway. Each message containing the worm will be logged like this:

Aug 19 19:44:02 mail postfix/cleanup[22251]: 2E3EF46C5F: reject: header Subject: Re: Wicked screensaver from unknown[66.183.209.78]; from=<ordershtmlhelp.com> to=<copyrightagentxxxxx.com> proto=ESMTP helo=<ALAN>: Rejected, probably sent by a W32.HLLW.Mankx virus

To block these infected computers from hammering your system over and over, I
have a cron job running every 15 minutes, which greps the maillog for such
messages, and blocks the originating IPs:

#!/bin/sh

# reset iptables to the default rule set
/etc/init.d/iptables start

# locate all infected computers in the maillog, check that they are valid
# IPs (four 1-3 digit octets), sort and remove duplicates, and add the IPs
# to the top of the iptables rules to drop connection attempts
grep -e "W32.HLLW.Mankx" /var/log/maillog | \
 awk -F \[ '{ print $3 }' | awk -F \] '{ print $1 }' | \
 grep -e "^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$" | sort | uniq | \
 xargs -n 1 -I {} iptables -I INPUT 1 -s {} -p tcp --dport 25 -j DROP

--------------------------------
Of course, some better detection could be done by real time response tools
like snort with accompanying log parsing software, but this is what I have
come up with in the short time I had. One could also design some daemon tailing
the log file and applying the block immediately, and not by cron job. I hope
that this would help people. Anyone who sees here a security problem, please
report back. Thank you.

Please CC the replies to me, I am on the digest list.

Alex.
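An added example, not from Alex's post, of the same log-to-blocklist step done with stricter address validation and a dedicated iptables chain, so the base rule set is not reset on every cron run. It assumes the log line format shown in the post; the log lines embedded below are constructed, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post). Extracts sender IPs from the
# postfix header_checks rejections, validates them, and emits iptables
# commands that refill a dedicated chain instead of restarting the firewall.
# Assumes the log format from the post; SAMPLE_LOG is constructed test data.

SAMPLE_LOG='Aug 19 19:44:02 mail postfix/cleanup[22251]: 2E3EF46C5F: reject: header Subject: Re: Wicked screensaver from unknown[66.183.209.78]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<ALAN>: Rejected, probably sent by a W32.HLLW.Mankx virus
Aug 19 19:45:10 mail postfix/cleanup[22260]: 1A2B3C4D5E: reject: header Subject: Re: Approved from host.example.net[10.0.0.5]; from=<c@example.com> to=<d@example.com> proto=ESMTP helo=<PC1>: Rejected, probably sent by a W32.HLLW.Mankx virus
Aug 19 19:46:00 mail postfix/cleanup[22270]: 9F8E7D6C5B: reject: header Subject: Re: Details from unknown[66.183.209.78]; from=<e@example.com> to=<f@example.com> proto=ESMTP helo=<ALAN>: Rejected, probably sent by a W32.HLLW.Mankx virus
Aug 19 19:47:00 mail postfix/cleanup[22280]: 0A1B2C3D4E: reject: header Subject: Re: Thank you! from unknown[999.1.1.1]; from=<g@example.com> to=<h@example.com> proto=ESMTP helo=<X>: Rejected, probably sent by a W32.HLLW.Mankx virus
Aug 19 19:48:00 mail postfix/smtpd[22290]: connect from unknown[192.0.2.9]'

# Read log text on stdin and print one valid, de-duplicated IPv4 address per
# line for every rejection carrying the Mankx marker text. The sed step takes
# the bracketed token after "from <host>"; the grep keeps only four 1-3 digit
# octets; the awk step enforces the 0-255 range (so 999.1.1.1 is dropped).
infected_ips() {
    grep 'W32.HLLW.Mankx' |
    sed -n 's/.* from [^[]*\[\([0-9.]*\)\];.*/\1/p' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '$1 > 0 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
    sort -u
}

# Emit the firewall commands: flush and refill a dedicated chain, and hook it
# into INPUT only once (iptables -C tests whether the jump rule exists).
block_rules() {
    echo 'iptables -N SOBIG_BLOCK 2>/dev/null'
    echo 'iptables -F SOBIG_BLOCK'
    infected_ips | while read -r ip; do
        echo "iptables -A SOBIG_BLOCK -s $ip -p tcp --dport 25 -j DROP"
    done
    echo 'iptables -C INPUT -p tcp --dport 25 -j SOBIG_BLOCK 2>/dev/null ||' \
         'iptables -I INPUT 1 -p tcp --dport 25 -j SOBIG_BLOCK'
}

# Dry run on the constructed sample; pipe the output to sh to apply it.
printf '%s\n' "$SAMPLE_LOG" | block_rules
```

For real use, replace the sample with `block_rules < /var/log/maillog` and run it from the same 15-minute cron entry as the original script.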