DirWiz Logo
DirWiz News

Dealing with email trojan zip attachments

2017-06-12 15:48:26

Here at Directory Wizards we run Linux as our desktop of choice. While no security is perfect, this configuration all but eliminates the risk of being affected by virus-infected Windows executables.

Those crafty attackers are now compressing infected Windows executables as a zip file attached in fake attention grabbing emails: failed shipments, large fake bank transfers, bogus airline tickets etc. For a Linux user, it’s darned annoying to get these emails all the time.

After quite a bit of research, I found that it’s usually a single file (chm, scr, doc, js, exe) contained in the zip file. Failing to find a way for procmail to filter this, I did what every good programmer does, I wrote a program to detect these files.

Below is a program that parses the message looking for a zip attachment containing a single file. If found, it adds X-Zip-Trojan: yes to the message headers. From there, procmail can pick it up and act accordingly. For this to work you need Perl, Archive::Zip and MIME::Parser.

I offer no warranty for the following code.



use File::Temp;
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
use MIME::Parser;

sub has_trojan_zip
    if ($head->recommended_filename=~/\.zip$/i)
        open FILE,">",$fname || die $!;
        print FILE $_[0]->bodyhandle->as_string;
        close FILE;

        my $zip=Archive::Zip->new($fname);
        if ($zip->numberOfMembers==1)
            return 1 if $members[0]=~/\.(chm|scr|doc|js|exe)$/i;
    return 0;

my $parser = new MIME::Parser;
$entity=$parser->parse(\*STDIN) or die "parse failed";

my $flag=0;
foreach my $part ($entity->parts)
    $flag=1 if has_trojan_zip($part)==1;

$head->add('X-Zip-Trojan','Yes') if $flag==1;


/etc/procmailrc recipe snippet

#Check for zip trojans mark with X-Zip-Trojan
:0 B
* ^Content-Type: (application/zip|application/x-zip-compressed);
    :0 fbhw
    | /usr/local/bin/mime-zip-trojan.pl

# Delete if it has a trojan zip.
* ^X-Zip-Trojan: Yes
Share this article: Facebook LinkedIn Twitter reddit