« Big Jump in Crimeware for 2007 | Main | Podcast: Why Is Image Spam Flooding Our Inboxes? A Discussion With Commtouch »

According to Brian Kreb's Security Fix, cybercriminals are exploiting a number of security vulnerabilities in MailEnable, an email server program offered by many large Web hosting companies.

Over the past several months, MailEnable has released a half-dozen patches to try to fix vulnerabilities that allow hackers to totally hijack a user's system. But apparently many MailEnable customers are either not registered, and are therefore not receiving the update notices, or are simply ignoring them.

Lawrence Baldwin, chief forensics officer for myNetWatchman, said, "We are seeing hundreds of mail servers getting compromised via the rash of MailEnable vulnerabilities that have been discovered and announced in the last few months."

Baldwin and his company are often contacted by people after an ISP has blocked them because of spamming. myNetWatchman does provide a program that checks firewall logs and will alert you if your system shows signs of being compromised.

And as evidence that hackers and cybercriminals are joining forces and sharing information, the code showing how to exploit MailEnable has been posted on several high-profile hacker sites. Baldwin continued, "We could actually see that the miscreants became aware of a new vulnerability in early to mid January, had a full month of ravaging and pillaging MailEnable systems" before a patch was released.

Besides using hijacked systems to send spam, the cybercrooks are also using code to steal passwords from systems. That includes spying on Microsoft Windows remote desktop protocol (RDP) traffic to snatch passwords from anyone who logs on remotely to administer their mail servers.

The hackers also seem to be planting malware that enables them to crack encrypted Windows system passwords. Why would they do that when they already have control of the system? Very simply, many Web hosts using MailEnable also put a number of systems on the same Windows Active Directory domain using the same password to remotely configure the machines. Thus, steal one password, and you can control all of the hosting company’s mail servers. Sounds like a botnet to me.

The prevalence of this exploit directly correlates to the number of botnets, which Shadowserver.org says has tripled in the past three weeks alone. Unfortunately, servers will continue to remain compromised even after applying the MailEnable updates, as the exploit works through the Windows logon process, which is quite difficult to repair.

"I think the hackers' intentions have been to collect as many login accounts or authentication mechanisms to the compromised machines as they can, so that even after the infection is cleaned up, they can still get back in," Ron Bradburn, director of engineering for Vancouver, Canada-based Peer 1 Dedicated Hosting, said.

Peer 1 offers back-up services that help customers recover from such intrusions, but many don’t choose that route. For them, the only safe way to recover from such an attack is to reinstall the operating system on the Web host.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/1623