DirWiz Logo
DirWiz News

Dealing with email trojan zip attachments

2015-09-28 07:28:08

Here at Directory Wizards we run Linux as our desktop of choice. While no security is perfect, this configuration all but eliminates the risk of being affected by virus-infected Windows executables.

Those crafty attackers are now compressing infected Windows executables as a zip file attached in fake attention grabbing emails: failed shipments, large fake bank transfers, bogus airline tickets etc. For a Linux user, it's darned annoying to get these emails all the time.

After quite a bit of research, I found that it's usually a single file (chm, scr, doc, js, exe) contained in the zip file. Failing to find a way for procmail to filter this, I did what every good programmer does, I wrote a program to detect these files.

Below is a program that parses the message looking for a zip attachment containing a single file. If found, it adds X-Zip-Trojan: yes to the message headers. From there, procmail can pick it up and act accordingly. For this to work you need Perl, Archive::Zip and MIME::Parser.

I offer no warranty for the following code.



use File::Temp;
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
use MIME::Parser;

sub has_trojan_zip
	if ($head->recommended_filename=~/\.zip$/i)
		open FILE,">",$fname || die $!;
		print FILE $_[0]->bodyhandle->as_string;
		close FILE;

		my $zip=Archive::Zip->new($fname);
		if ($zip->numberOfMembers==1)
			return 1 if $members[0]=~/\.(chm|scr|doc|js|exe)$/i;
	return 0;

my $parser = new MIME::Parser;
$entity=$parser->parse(\*STDIN) or die "parse failed";

my $flag=0;
foreach my $part ($entity->parts)
	$flag=1 if has_trojan_zip($part)==1;

$head->add('X-Zip-Trojan','Yes') if $flag==1;


/etc/procmailrc recipe snippet

#Check for zip trojans mark with X-Zip-Trojan
:0 B
* ^Content-Type: (application/zip|application/x-zip-compressed);
	:0 fbhw
	| /usr/local/bin/mime-zip-trojan.pl

# Delete if it has a trojan zip.
* ^X-Zip-Trojan: Yes

Share this article: Facebook LinkedIn Twitter reddit
  1. Directify
  2. UnitySync
  1. emPass
  1. FillDrive
  2. Mailer
  1. Profiler
  2. SimpleSync