DirWiz News

Dealing with email trojan zip attachments

2015-09-28 07:28:08

Here at Directory Wizards we run Linux as our desktop of choice. While no security is perfect, Windows executables do not run natively on Linux, so this configuration all but eliminates the risk of being infected by a virus-laden Windows executable.

Those crafty attackers now compress the infected Windows executable into a zip file and attach it to fake, attention-grabbing emails: failed shipments, large bogus bank transfers, fake airline tickets and so on. A zip slips past mail filters that reject bare executable attachments, and the archive itself looks harmless. For a Linux user the payload is inert, but getting these emails all the time is darned annoying.

After quite a bit of research, I found that the attachment is usually a zip containing a single file (chm, scr, doc, js, exe). procmail can match on headers and body text but cannot look inside a compressed attachment, so I did what every good programmer does and wrote a program to detect these files.

Below is a program that parses the message looking for a zip attachment containing a single file with one of those extensions. If one is found, it adds an X-Zip-Trojan: Yes header to the message. procmail can then match on that header and act accordingly. It needs Perl plus the Archive::Zip and MIME::Parser (MIME-tools) modules from CPAN.

I offer no warranty for the following code.

mime-zip-trojan.pl

#!/usr/bin/perl
use strict;
use warnings;

use File::Temp;
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
use MIME::Parser;

# Return 1 if the MIME part is a zip attachment whose only member has one of
# the extensions seen in these trojan mailings, 0 otherwise.
sub has_trojan_zip
{
	my ($part) = @_;
	my $name = $part->head->recommended_filename;
	return 0 unless defined $name && $name =~ /\.zip$/i;
	return 0 unless $part->bodyhandle;	# multipart containers carry no body

	# MIME::Parser has already base64-decoded the body; write the raw bytes to
	# a temp file (unlinked when $tmp goes out of scope) for Archive::Zip.
	my $tmp = File::Temp->new();
	binmode $tmp;
	print {$tmp} $part->bodyhandle->as_string;
	$tmp->flush;

	# Archive::Zip->new($file) returns undef on a corrupt or non-zip body, so
	# read() explicitly and check the status rather than calling methods on undef.
	my $zip = Archive::Zip->new();
	return 0 unless $zip->read($tmp->filename) == AZ_OK;
	return 0 unless $zip->numberOfMembers == 1;

	my @members = $zip->memberNames;
	return $members[0] =~ /\.(chm|scr|doc|js|exe)$/i ? 1 : 0;
}

my $parser = MIME::Parser->new;
$parser->output_to_core(1);	# keep decoded parts in memory, not on disk
my $entity = $parser->parse(\*STDIN) or die "parse failed";

# parts_DFS walks nested multiparts and includes the top-level entity, so a zip
# inside multipart/alternative or in a single-part message is also checked.
my $flag = 0;
foreach my $part ($entity->parts_DFS)
{
	$flag = 1 if has_trojan_zip($part);
}

$entity->head->add('X-Zip-Trojan', 'Yes') if $flag;

$entity->print(\*STDOUT);

/etc/procmailrc recipe snippet

# Run zip attachments through the checker, which marks them with X-Zip-Trojan.
# ":0 B" scans the body, where the MIME part headers live; procmail matching is
# case-insensitive and ^ matches at the start of any body line. No trailing ";"
# is required, so a Content-Type whose name= parameter is folded onto the next
# line still matches. Zips sent as application/octet-stream are not caught here.
:0 B
* ^Content-Type: *application/(zip|x-zip-compressed)
{
	# f = filter, b/h = pass body and headers, w = wait for the exit status;
	# if the script dies (e.g. "parse failed") procmail keeps the original text.
	:0 fbhw
	| /usr/local/bin/mime-zip-trojan.pl
}

# Delete if it has a trojan zip. Deliver to a quarantine folder instead of
# /dev/null if you want to review false positives before discarding them.
:0
* ^X-Zip-Trojan: Yes
	/dev/null
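The same check in Python, as an added example that is not part of the original post or the DirWiz script, so it can be run and tested offline without a mail setup. It builds a constructed sample message (sender, subject and attachment contents are made up here) carrying a one-file zip, walks every MIME part including nested multiparts, and adds the X-Zip-Trojan: Yes header from the post when the zip's only member has one of the listed extensions; a corrupt or non-zip attachment is left unflagged rather than crashing the filter. The extension list and header name come from the post; helper names such as flag_message and build_zip are this example's own.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extension list from the post: a single file of one of these types inside a
# zip is what the trojan mailings carry.
SUSPECT_EXTS = ('.chm', '.scr', '.doc', '.js', '.exe')


def zip_has_single_suspect(data: bytes) -> bool:
    """True if `data` is a zip whose only file member has a suspect extension.

    Corrupt or non-zip data returns False instead of raising, so a malformed
    attachment cannot take the filter down.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith('/')]
    except zipfile.BadZipFile:
        return False
    return len(names) == 1 and names[0].lower().endswith(SUSPECT_EXTS)


def flag_message(raw: bytes) -> tuple:
    """Parse a raw RFC 822 message and add X-Zip-Trojan: Yes if any zip
    attachment, at any nesting depth, holds exactly one suspect file.
    Returns (message bytes, flagged?)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hit = False
    for part in msg.walk():                 # walk() descends nested multiparts
        if part.is_multipart():
            continue
        fname = part.get_filename()         # from Content-Disposition / name=
        if not fname or not fname.lower().endswith('.zip'):
            continue
        payload = part.get_payload(decode=True)   # transfer encoding undone
        if payload is not None and zip_has_single_suspect(payload):
            hit = True
    if hit:
        msg['X-Zip-Trojan'] = 'Yes'
    return msg.as_bytes(), hit


# --- constructed sample input (made up for this example, not real mail) ------

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_message(zip_bytes: bytes, zip_name: str) -> bytes:
    """A fake 'failed shipment' mail with a zip attachment, as the post describes."""
    msg = EmailMessage()
    msg['From'] = 'shipping@example.com'
    msg['To'] = 'user@example.org'
    msg['Subject'] = 'Failed shipment notice'
    msg.set_content('Your parcel could not be delivered. See attached.')
    msg.add_attachment(zip_bytes, maintype='application', subtype='zip',
                       filename=zip_name)
    return msg.as_bytes()


# One-file zip holding a fake .exe (just an MZ header): should be flagged.
TROJAN_MAIL = build_message(build_zip({'invoice.exe': b'MZ\x90\x00fake'}), 'invoice.zip')
# Two-file zip of harmless text: should pass untouched.
BENIGN_MAIL = build_message(build_zip({'readme.txt': b'hi', 'data.csv': b'a,b'}), 'report.zip')

if __name__ == '__main__':
    for label, raw in (('trojan', TROJAN_MAIL), ('benign', BENIGN_MAIL)):
        _, hit = flag_message(raw)
        print(f'{label}: flagged={hit}')
```

Wired into a delivery agent, flag_message would read the raw message from stdin and write the result to stdout exactly as the Perl script does; the procmail recipe above would then match the added header unchanged.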
