[Mimedefang] Nested Attachments

Paul Murphy pmurphy at ionixpharma.com
Fri Mar 5 11:55:09 EST 2004


Jon,

> Using MD 2.39. 
> 
> As some recent worms have been nearly making it through our 
> AV scanners, we added ZIP files to the bad filenames list and 
> quarantine such files for manual examination. However, with 
> the latest worms, we have seen several instances where the 
> ZIP (or PIF) files were nested attachments. 

Yes, I've seen a few of those.  Also some executable files in ZIPs with names
like "abcdefg         .exe" which are trying to hide from semi-blind users, and
which make the logs look funny.
 
> If my tests are accurate, MD will not recognize as a bad 
> filename an attachment within an attachment. If this is 
> indeed the case, it blows away our last line of defense for 
> stuff missed by AV scans.
> 
> Two questions:
>   1) Does 2.39 recognize dangerous attachments within attachments?
>   2) If not, is this one of the fixes on 2.40?

After the feedback on this list, and a couple of interesting experiences of my
own, I changed my filter somewhat to try to address this, and spent a couple of
nervous hours sending strange zip files from my home system to my office system
and praying for a quarantine notification.

My current filter, which shows several changes from the previous version, is
attached below.  Apologies to those who think that the K&R C-style bracket
placement is wonderful - I find it impossible to follow, so use a more
spaced-out and aligned style...


#------------------------------------------------------------------------------
# Check for banned files in ZIP files - may add considerable processing time
# especially for large ZIP files or with many members
#
# Version 2.1, Paul Murphy [pmurphy at ionixpharma.com], 5/3/04
# Thanks to Michal Jankowski [Michal.Jankowski at fuw.edu.pl] for base code

use Archive::Zip qw(:ERROR_CODES);  # :ERROR_CODES is needed, or AZ_OK is undefined
use File::Scan;

# define stuff for scanning inside ZIP files for bad files
my ($bad_zip_exts, $re);

# Important - don't allow ZIP files (or ARJ/BZP/TAR/JAR, etc) in ZIP files!
# Note that this is _NOT_ the default list for Mimedefang, as we're trying to
# prevent nested archives
$bad_zip_exts =
'(ade|adp|app|arj|asd|asf|asx|bas|bat|bzp|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jar|jse?|lib|lnk|mdb|mde|mht|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|zip|\{[^\}]+\})';

# ".ext", optionally followed by dots, then a non-filename character or the end
# of the name - so "abcdefg         .exe" is caught as well as "abcdefg.exe"
$re = '\.' . $bad_zip_exts . '\.*([^-A-Za-z0-9_.,]|$)';

    if (lc($ext) =~ /\.zip$/)   # it's a ZIP file
        {
        my $path = $entity->bodyhandle->path;
        my $zip = Archive::Zip->new();
        Archive::Zip::setErrorHandler(sub {});  # catch STDERR stuff and discard
        if ($zip->read($path) == AZ_OK)   # file is OK and can be read
          {
          md_syslog('debug', "Scanning zip file, Path=$path");
          my $tfname = Archive::Zip::tempFileName('.');
          my @members = $zip->members();
          foreach my $member (@members)
            {
            next if $member->isDirectory();   # no sense worrying about folders
            my $file = $member->fileName();
            my $size = $member->uncompressedSize();   # check for DoS content
            md_syslog('debug', "scanning ZIP member $file, size=$size");
            if ($size > 50e6)   # approx 50Mb
              {
              md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
              action_discard();
              return;
              }

            if ($member->isEncrypted())   # confidential... or could be a virus
              {
              md_syslog('debug', "Scanning encrypted ZIP member $file, size=$size");
              if ( (lc($file) =~ $re) || (lc($file) =~ $bad_zip_exts) )   # bad file
                {
                md_graphdefang_log('Encrypted_badfile', $file, $RelayAddr);
                action_notify_administrator("A file called $file was detected in an encrypted ZIP file attached to an incoming e-mail - quarantined.");
                action_quarantine_entire_message("An encrypted ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nIT Support to arrange for it to be released.\n");
                action_discard();   # drop it
                return;
                }   # bad extension
              # an encrypted member with an innocent name can't be virus-scanned here
              }   # if encrypted
            else
              {   # not encrypted - check names then virus check the contents
              if ( (lc($file) =~ $re) || (lc($file) =~ $bad_zip_exts) )   # bad file
                {
                md_graphdefang_log('badfile', $file, $RelayAddr);
                action_notify_administrator("A file called $file was detected in a ZIP file attached to an incoming e-mail - quarantined.");
                action_quarantine_entire_message("A ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nIT Support to arrange for it to be released.\n");
                action_discard();   # drop it
                return;
                }   # bad extension
              else
                {
                $zip->extractMember($member, $tfname);   # let's have a look....
                my $scanner = File::Scan->new;
                my $virus = $scanner->scan($tfname);
                unlink($tfname);
                if ($virus)
                  {
                  md_graphdefang_log('virus', $virus, $RelayAddr);
                  action_discard();
                  return;
                  }   # if virus
                }   # not bad file
              }   # else not encrypted
            }   # foreach member
          }   # ZIP read OK
        else   # problems reading the file
          {
          md_graphdefang_log('badzip', $path, $RelayAddr);   # $file is not in scope here
          action_notify_administrator("A corrupt ZIP file was attached to an incoming e-mail - quarantined.");
          action_quarantine_entire_message("A corrupt ZIP attachment was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nIT Support to arrange for it to be released.\n");
          action_discard();   # drop it
          return;
          }
        }   # if zipfile
#------------------------------------------------------------------------------

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
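The member checks the filter above performs (banned extensions, padded names like "abcdefg         .exe", nested archives, oversize members, encrypted members and unreadable archives), as an added Python example built on the standard zipfile module; it is not part of Paul's filter or of MIMEDefang. The function names, the shortened extension list and the sample archives are constructed for the illustration, and only the anchored pattern in the style of the filter's $re is applied, not the bare-substring match.

```python
import io
import re
import zipfile

# Constructed subset of the banned extensions from the filter above; archive
# formats are included so that nested archives are refused too
BAD_ZIP_EXTS = r'(bat|cmd|com|exe|pif|scr|vbs|arj|jar|zip|\{[^\}]+\})'
# Same shape as the filter's $re: ".ext", optional trailing dots, then a
# non-filename character or the end of the name
BAD_RE = re.compile(r'\.' + BAD_ZIP_EXTS + r'\.*([^-A-Za-z0-9_.,]|$)')
MAX_MEMBER_BYTES = 50_000_000   # the filter's "approx 50Mb" limit

def classify_member(name, uncompressed_size, encrypted):
    """Verdict for one archive member, checked in the same order as the filter."""
    if uncompressed_size > MAX_MEMBER_BYTES:
        return 'too_big'
    bad = BAD_RE.search(name.lower()) is not None
    if encrypted:
        # contents can't be scanned, so only the name can be judged
        return 'encrypted_badfile' if bad else 'encrypted'
    return 'badfile' if bad else 'ok'

def scan_zip_bytes(data):
    """Return (verdict, member) for the first member that must be blocked,
    ('ok', None) if nothing was, or ('badzip', None) for an unreadable archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue   # no sense worrying about folders
                encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
                verdict = classify_member(info.filename, info.file_size, encrypted)
                if verdict not in ('ok', 'encrypted'):
                    return verdict, info.filename
    except zipfile.BadZipFile:
        return 'badzip', None
    return 'ok', None

def build_sample_zip(names):
    """Constructed test archive with one tiny member per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name in names:
            zf.writestr(name, b'x')
    return buf.getvalue()

if __name__ == '__main__':
    print(scan_zip_bytes(build_sample_zip(['report.doc', 'abcdefg         .exe'])))
```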
