[Mimedefang] clamav

Paul Whittney pwhittney at net.arrivetech.com
Mon Jun 13 12:54:22 EDT 2005


-ray,

Since our site needs zips to send exes, I can't just block zips, and
the box I'm using is not powerful enough to cope with clamav, so I
started matching on the first line of the zip's base64 encoding. I've
also been concerned about unzipping files on the server to check them.

# in sub filter ($$$$)
# .....
# Only look at attachments whose extension contains "zip".
if (lc($ext) =~ /zip/) {
	md_graphdefang_log('ziptest', $path);
	# $entity->body() returns the transfer-encoded body as an arrayref of
	# lines, so for a base64 part the first line is the start of the zip.
	my $lines = $entity->body();
	my $found = 0;
	my $name = "";
	if (scalar( @$lines )) {
		# It has lines....
		my $line = $lines->[0];
		# Each pattern is the base64 encoding of a known local file header;
		# the .{6} wildcard skips the 4-byte modification time/date field.
		if ($line =~ m/^UEsDBAoAAAAAA.{6}uS6g1MtEAADLRAAAmAA/) {
			$found = 1;
			$name = "Sober.O";
		} elsif ($line =~ m/^UEsDBAoAAAAAA.{6}iZMYWCWMAAAljAA/) {
			$found = 1;
			$name = "Netsky";
		# ... more elsif's
		} else {
			# Log unknown first lines so new signatures can be collected.
			md_syslog('notice',"nomatch-ziptest,$line\n");
		}
	}
	md_graphdefang_log('ziptest', "End found = $found, name = $name");
	if ($found) {
		md_graphdefang_log('virus', "Found Virus: $name");
		action_change_header('Subject', '[MIMEDefang Altered] ' . $Subject);
		action_delete_all_headers('X-Virus-Status');
		action_add_header('X-Virus-Status', "Yes, name=$name");
		action_drop_with_warning(
			"Dropped $fname ($type) containing virus $name."
		);
		action_quarantine($entity, "A known virus signature was
				detected, and removed\n");
		return;
	}
}
# ........

It also shows signatures of zip files that don't match, e.g. (and I hope
some scanners don't flag this email):
nomatch-ziptest,UEsDBAoAAAAAAJQjyDIoHXIEAH4AAAB+AABUAAAAZGV0YWlscy50eHQgICAg
nomatch-ziptest,UEsDBAoAAAAAAA91xjIoHXIEAH4AAAB+AABTAAAAZG9jdW1lbnQudHh0ICAg
nomatch-ziptest,UEsDBBQAAgAIAIadrjI8wr3OIAAAADoAAAAKAAAAc2VlbWVlLmljb3PytWKA
nomatch-ziptest,UEsDBAoAAAAAAHawxjIoHXIEAH4AAAB+AABXAAAAZGF0YS5ydGYgICAgICAg

You could monitor the increase of these, and alert you when 3 new
signatures within 30 seconds arrive (unlikely to be our software team
sending another zip file that's identical to the first), and write rules
for each.

The ones in that list (if run through something like:
perl -MMIME::Base64 \
	-e 'print decode_base64("AAAAZGF0YS5ydGYgICAgI") . "]\n"'
not ideal, but hey, and can have control characters in.. ;-) gives:

details.txt    ]
document.txt   ]
seemee.icosòµb]
data.rtf       ]

Not looked into where the boundaries exist, or if a decode can match
multiple spaces at the end.

Issues are if the zip uses a README.txt file at the front, or if the
filename goes to a second BASE64 line... I wonder if the second line
would show more space characters? I might start logging the second line
in the syslog file, to see if there is something there.

Not sure if this'll help anyone.

-Paul

On Fri, Jun 10, 2005 at 05:06:04PM -0500, -ray wrote:
> 
> Notice lots and lots of spaces in the filename to fool users into thinking 
> it's a .txt file.  Has anyone coded a MD rule to check for more than say 
> 10 consecutive spaces in a filename in a zip file?  Should be pretty 
> simple, just haven't had time to look at it yet...
> 
-- 
Paul Whittney                                  ArriveTech, Inc.
Network Specialist / Systems Engineer         / |670 West 36th Street,
                                             /--|Erie, PA, 16508, USA
PWhittney [at] arrivetech.com (Main)        /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)    /    |Tel: 814 868 3306
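The space-padded-filename check -ray asked about, done on the decoded zip header rather than on a per-sample base64 pattern, as an added example that is not part of the original post or of MIMEDefang itself. It joins the first few base64 lines before decoding, so a filename that runs onto a second line (the case Paul raises above) is still read whole; the local file header layout (name length at offset 26, name at offset 30) is the zip format's own, and the sample zip is constructed inline for the demonstration. In a real filter the line list would come from `$entity->body()`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Decode the first few base64 lines of a zip body and pull the file name
# out of the first local file header. Returns (name, longest_space_run),
# or an empty list if the data does not start with a local file header
# or the header is still truncated after $max_lines lines.
sub first_zip_entry_name {
    my ($lines, $max_lines) = @_;
    $max_lines ||= 3;    # 3 lines = 171 bytes, enough for a 141-byte name
    my $n   = @$lines < $max_lines ? scalar(@$lines) : $max_lines;
    my $raw = decode_base64(join '', @{$lines}[0 .. $n - 1]);
    return () unless length($raw) >= 30 && substr($raw, 0, 4) eq "PK\x03\x04";
    # Skip 26 bytes of fixed fields, then read name length and extra length
    # as little-endian 16-bit values.
    my ($name_len, $extra_len) = unpack('x26 v v', $raw);
    return () if length($raw) < 30 + $name_len;    # need more lines
    my $name = substr($raw, 30, $name_len);
    my ($longest) = sort { $b <=> $a } map { length } ($name =~ /( +)/g);
    return ($name, $longest || 0);
}

# Constructed sample (not a real message): a stored entry whose name hides
# ".exe" behind a run of spaces. encode_base64 wraps at 76 chars, so the
# name spills onto the second base64 line, just like the case above.
sub sample_lines {
    my $name = "details.txt" . (' ' x 40) . ".exe";
    my $data = "hello\n";
    my $hdr  = pack('a4 v v v v v V V V v v',
        "PK\x03\x04", 10, 0, 0, 0, 0, 0,           # sig, ver, flags, method, time, date, crc
        length($data), length($data), length($name), 0);
    return [ split /\n/, encode_base64($hdr . $name . $data) ];
}

# Threshold from -ray's question: more than ~10 consecutive spaces is
# somebody trying to push the real extension out of sight.
my $threshold = 10;
my ($name, $run) = first_zip_entry_name(sample_lines());
if (defined $name) {
    printf "name=[%s] longest space run=%d -> %s\n", $name, $run,
        $run >= $threshold ? 'SUSPICIOUS' : 'ok';
} else {
    print "not a zip local file header in the first lines\n";
}
```

Inside `filter` the same call would be `first_zip_entry_name($entity->body())`, with the result feeding `action_quarantine` or `action_drop_with_warning` as in the rule above.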
