[Mimedefang] Extending filter_bad_filename to catch deceptive names

Kelson Vibber kelson at speed.net
Fri May 16 15:39:01 EDT 2003


In the last few days I've seen a lot of defanged files that had names like 
"DSL Modem Uncapper.rar.exe" or "s3msong.MP3.pif".  I suspect these are 
copies of Fizzer that weren't caught by clamd, although it's possible there 
may be another new virus making the rounds that I just haven't heard about 
yet.

Anyway, I defang anything that trips filter_bad_filename, with a few 
exceptions.  (Mostly I've picked a few filetypes that are likely to have 
domain names in the filename and use File::MMagic to make sure they are what 
they say they are.)  I also quarantine anything which trips 
filter_bad_filename but claims to be audio/x-wav or audio/x-midi on the basis 
that these are *only* going to be viruses trying to trick Outlook/IE into 
running them automatically.

It occurred to me that deceptive filenames like 
"Innocent-sounding-file.txt.exe" are also a fairly sure-fire sign of a virus, 
and a way to block those that haven't yet made it into your virus scanner of 
choice.

What I've done for the moment is to create a function called 
filter_deceptive_filename.  I only call it if the attachment has already 
tripped filter_bad_filename, and it looks for the pattern where a file ends 
in an innocent-looking extension followed by a dangerous extension.  If it 
matches, I quarantine it with a warning.  Otherwise, it defangs it as it 
would have otherwise.

Here's what I have so far:

# This procedure returns true for entities which end in a "bad" extension after another extension
# (such as Open_me.txt.exe).  re_match() is the MIMEDefang helper that applies
# a regex to the attachment's advertised filename.
sub filter_deceptive_filename {
    my($entity) = @_;
    my($bad_exts, $good_exts, $re);

    # Bad extensions
    $bad_exts = '(?:ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{)';
    # "Innocent-looking" extensions a virus is likely to hide behind
    $good_exts = '(?:avi|doc|mov|mp3|rm|rar|txt|xls|zip)';
    # Do not allow:
    # - "safe" extensions followed by optional whitespace and an "unsafe" extension
    $re = '\.' . $good_exts . '\s*\.' . $bad_exts . '$';
    return re_match($entity, $re);
}

This is just a quick-and-dirty version based on filter_bad_filename and adding 
the "good" extensions I've seen plus some similar ones.  I'm sure there are 
better ways to do this.  Maybe it would be simpler to add its functionality 
to filter_bad_filename and just return a different value depending on whether 
the extension is just risky or actually deceptive.

Any thoughts?

-- 
Kelson Vibber
SpeedGate Communications, <www.speed.net>