Cutwail/PushDo SMTP Attack Vulnerability Detection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cutwail/PushDo SMTP Attack Vulnerability Detection

L2 Linker

I've recently set up a new PA-100-VM and been closely analysing it along with all of the traffic that goes through it.  It is running 7.0.3 along with the latest updates to all definition files (updated nightly).

 

In the process of doing this I've determined that the PA is not picking up on a fairly common SMTP attack - that being the Cutwail SMTP auth brute force.  There is a bit more info about this here:

 

 https://blog.avast.com/2013/06/25/15507/

 https://serverfault.com/questions/667322/email-server-attack-from-telnet

 

A machine infected with this worm will attempt to brute force SMTP auth other random machines on the Internet.

 

The good thing is that all of the attempts involve a very characteristic SMTP EHLO of ylmf-pc.  So they are patently obvious to identify.

 

I've written a custom malware signature that detects this and IP blocks the offending hosts for the maximum 3600s (I would block for longer if this was possible).  This works well.  Lots of hits and no brute forcing anymore 😉

 

The questions I have are:

 

- Is there a way to submit this to Palo Alto so that this attack is picked up by the threat signatures without me having to write a custom vulnerability sig?  I can open a case but I would have thought there were easier ways than this to have this information fed into the system.

 

- Is there a reason this hasn't been already added?  This is a very common vulnerability by all accounts.  I haven't tried but I imagine the PA will pick up on the trojan exe's that this worm uses to transmit itself, but as a non-infected user I also want protection from other remote machines who have been exploited and I would expect the appliance would be protecting me from known brute force attacks.

 

 

1 REPLY 1

L7 Applicator

The best way to communicate on these types of issues with Palo Alto is by opening an official support ticket.

 

Support will first be able to determine what current signatures are aimed at this vulnerabiliity.  This will be fastest if you have the CVE handy.

 

Assuming there is an approach against the CVE, they will be able to determine if you are correctly configured so that the traffic is reviewed against the existing signature.

 

Should there not be anything in place now, they can also be your conduit to submit requests for enhancements to the correct team.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2576 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!