Re: [SAGE] virus threat/software on Unix/Linux
>> Surely I'm not the only support person who's recently been asked
>> about the subject line. Management is asking why we don't run
>> anti-virus software on our Unix boxen.
>
> The point is not to protect the *nix box against infection, but to
> protect the targeted clients from infection.
>
> I found that many of the mail servers I'm responsible for were busy
> queuing and delivering those huge infected messages over the past few
> days. I installed a patch to qmail-smtpd that scans message bodies
> for windows-executable headers and returns a "552 we don't accept
> email with executable content" error to the sender. This has
> significantly reduced the load on the servers (and it's made a lot of
> suits happy too!).
I implemented a short patch for SpamAssassin and local rules that allow
me to scan for these sorts of viruses without having to fuss with
explicit AV software.
The patch I submitted to SpamAssassin folks:
http://bugzilla.spamassassin.org/show_bug.cgi?id=2185
and is included here. The patch can be applied to 2.5x and probably 2.4x
versions of SpamAssassin. I've also included my current virus
rules that take advantage of the patch. With software like MIMEDefang,
spamass-milter, or my milter-spamc (not yet released), you can then
quarantine viruses (yes, I know it's virii, but that just doesn't roll off
the tongue the same way and causes blank looks in some people) like spam.
Note that the 20_virus.cf file can just be dropped in /etc/mail/spamassassin
along with any other custom rules and local score changes you might use.
--
Anthony C Howe +33 6 11 89 73 78
http://www.snert.com/ ICQ: 7116561 AIM: Sir Wumpus
" " - Zen thought
############################################################################
# Simple Anti-Virus Rules
############################################################################
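# Body text naming the friend-greetings.com domain (see the describe URL).
# The dot is escaped so the pattern matches the literal domain rather than
# any single character in that position.
body GREETING_CARD_VIRUS /friend-greetings\.com/i
describe GREETING_CARD_VIRUS See http://news.com.com/2100-1001-965570.html?tag=fd_lede2_hed
score GREETING_CARD_VIRUS 30.0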
# Use the HTML_EMBEDS test instead
#rawbody DANGEROUS_HTML /<(?:applet|embed|script|object)/i
#describe DANGEROUS_HTML Embedded executable HTML objects pose security risk.
#score DANGEROUS_HTML 3.5
#
# Note the following are NOT addressed:
#
# It does not handle CLASSID attacks -- {f0-f000f0-0f0f0-0f0f00}
# could be dangerous.
#
# Capture email using either RFC 2047 or RFC 2231 to encode attachment
# filenames using character set encodings.
#
# RFC 2047 section 5 states that =?...?= cannot be used in quoted strings
# or MIME Content-Type or Content-Disposition headers. Catch them anyways
# just in case some email clients relax this restriction.
#
# The "IMPORTANT NOTE" at the end of RFC 2231 section 2 states these
# extensions should not be used lightly, so I take the view NOT AT ALL,
# especially in the case of a file name.
#
# Also watch out for bad quoting that a lax mail client might accept,
# such as: name=foo"bar.exe
#
# The list of executable Windows file extensions came from:
#
# http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262617
# http://support.microsoft.com/default.aspx?scid=kb;en-us;Q273507
#
# With quotes...
# Live rule: an application/octet-stream part whose quoted name= value has a
# run of whitespace immediately before a Windows-executable extension (per
# the describe line, an attempt to hide the extension behind spaces).
# "(?:3D)?" after "=" tolerates the quoted-printable spelling "=3D".
# NOTE(review): "name(?:\*[0-9]+)?=" only covers the numbered RFC 2231 form
# (name*0=); the "name*=" and "name*0*=" forms discussed in the comment block
# above are not matched by this rule -- confirm whether that gap matters here.
full APPLICATION_OCTET_STREAM1 /Content-Type:\s*application\/octet-stream\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\s+\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\"/i
describe APPLICATION_OCTET_STREAM1 Attempts to hide Windows executable file extension with lots spaces.
score APPLICATION_OCTET_STREAM1 30.0
# With quotes...
#full APPLICATION_OCTET_STREAM2 /Content-Type:\s*application\/octet-stream\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\.(?:bmp|doc|txt|gif|htm|html|jpg|jpeg|mpg|mpeg|pdf|png|xls|zip|gz|tar|tgz|ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\"/i
#describe APPLICATION_OCTET_STREAM2 Double extension.
#score APPLICATION_OCTET_STREAM2 30.0
# Without quotes...
#full APPLICATION_OCTET_STREAM3 /Content-Type:\s*application\/octet-stream\;\s*name(?:\*[0-9]+)?=(?:3D)?[^"\;][^\;\s]*\.(?:bmp|doc|txt|gif|htm|html|jpg|jpeg|mpg|mpeg|pdf|png|xls|zip|gz|tar|tgz|ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)/i
#describe APPLICATION_OCTET_STREAM3 Double extension.
#score APPLICATION_OCTET_STREAM3 30.0
# application\/x-msdownload
#full APPLICATION_X_MSDOWNLOAD /Content-Type:\s*application\/x-msdownload\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\..{3}\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\"/i
#describe APPLICATION_X_MSDOWNLOAD Double extensions, last indicating a Windows executable. Possible virus.
#score APPLICATION_X_MSDOWNLOAD 30.0
#full CONTENT_TYPE_IS_APPLICATION /Content-Type:\s*application\/[^\;]+\;/i
#full CONTENT_TYPE_IS_APPLICATION_OCTET_STREAM /Content-Type:\s*application\/octet-stream\;/i
#full CONTENT_TYPE_NOT_APPLICATION /Content-Type:\s*(?:text|audio|video|image)\/[^\;]+\;/i
#full CONTENT_DISPOSITION_HAS_DOUBLE_EXTENSION_QUOTE /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\.[^"\;]{3}\.[^"\;]{3}\"/i
#full CONTENT_DISPOSITION_HAS_DOUBLE_EXTENSION_NO_QUOTE /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?[^"\;\s]+\.[^"\;\s]{3}\.[^"\;\s]{3}/i
#full CONTENT_TYPE_CONTAINS_WINDOWS_EXE_QUOTE /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\"/i
#full CONTENT_TYPE_CONTAINS_WINDOWS_EXE_NO_QUOTE /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?[^"\;][^\;\s]*\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)/i
#full CONTENT_DISPOSITION_CONTAINS_WINDOWS_EXE_QUOTE /Content-Disposition:\s*[^\;]+\;\s*filename(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\"/i
#full CONTENT_DISPOSITION_CONTAINS_WINDOWS_EXE_NO_QUOTE /Content-Disposition:\s*[^\;]+\;\s*filename(?:\*[0-9]+)?=(?:3D)?[^"\;][^\;\s]*\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)/i
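# Helper test: raw body contains an IFRAME tag. Prefixed with "__" like the
# other helper tests in this file so it is consumed only by the meta rule
# below and does not receive SpamAssassin's default score on its own.
rawbody __HAS_IFRAME_TAG /<iframe /i
# MICROSOFT_EXECUTABLE is not defined in this file; it must come from the
# installed SpamAssassin rule set.
meta IFRAME_AND_EXECUTABLE (MICROSOFT_EXECUTABLE && __HAS_IFRAME_TAG)
describe IFRAME_AND_EXECUTABLE Contains an IFRAME tag and Windows executable. Possibly a virus.
score IFRAME_AND_EXECUTABLE 30.0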
# Helper tests: a Content-Type name= value (quoted or unquoted) ending in two
# extensions. Both extensions are fixed at exactly three characters by "{3}",
# so a name such as something.html.exe is not matched; any three characters
# qualify, not only the Windows-executable list used elsewhere in this file.
full __CONTENT_TYPE_HAS_DOUBLE_EXTENSION_QUOTE /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\.[^"\;]{3}\.[^"\;]{3}\"/i
describe __CONTENT_TYPE_HAS_DOUBLE_EXTENSION_QUOTE Attachment has a double filename extension , eg something.doc.exe
full __CONTENT_TYPE_HAS_DOUBLE_EXTENSION_NO_QUOTE /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?[^"\;\s]+\.[^"\;\s]{3}\.[^"\;\s]{3}/i
describe __CONTENT_TYPE_HAS_DOUBLE_EXTENSION_NO_QUOTE Attachment has a double filename extension, eg something.doc.exe
# Scored only together with MICROSOFT_EXECUTABLE, which is not defined in
# this file and must come from the installed SpamAssassin rule set.
meta EXECUTABLE_WITH_DOUBLE_EXTENSION (MICROSOFT_EXECUTABLE && (__CONTENT_TYPE_HAS_DOUBLE_EXTENSION_QUOTE || __CONTENT_TYPE_HAS_DOUBLE_EXTENSION_NO_QUOTE))
describe EXECUTABLE_WITH_DOUBLE_EXTENSION Windows executable with double file extension. Probably a virus.
score EXECUTABLE_WITH_DOUBLE_EXTENSION 30.0
# Helper tests: a part declared as text/*, audio/*, video/* or image/* whose
# name= value (quoted or unquoted) nevertheless ends in a Windows-executable
# extension. Either form alone is enough to score the meta rule.
full __MISMATCHED_CONTENT_TYPE_AND_EXTENSION_QUOTE /Content-Type:\s*(?:text|audio|video|image)\/[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"[^"\;]+\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)\"/i
full __MISMATCHED_CONTENT_TYPE_AND_EXTENSION_NO_QUOTE /Content-Type:\s*(?:text|audio|video|image)\/[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?[^"\;][^\;\s]*\.(?:ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdz|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|url|vb|vbe|vbs|wsc|wsf|wsh)/i
meta MISMATCHED_CONTENT_TYPE_AND_EXTENSION (__MISMATCHED_CONTENT_TYPE_AND_EXTENSION_QUOTE || __MISMATCHED_CONTENT_TYPE_AND_EXTENSION_NO_QUOTE)
describe MISMATCHED_CONTENT_TYPE_AND_EXTENSION Windows executable extension and mismatched Content-Type. Probably a virus.
score MISMATCHED_CONTENT_TYPE_AND_EXTENSION 30.0
# Known MIME part separator used by a virus.
# Literal boundary string "--#r0xx#" anywhere in the raw message; the "#"
# characters are escaped so they are matched literally.
full VIRUS_MIME_PART1 /--\#r0xx\#/
describe VIRUS_MIME_PART1 Looks like a virus
score VIRUS_MIME_PART1 30.0
# http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
# http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
# Helper test 1: Subject contains one of the listed phrases. The pattern is
# unanchored and joined to the attachment test with "||" below, so a Subject
# such as "Thank you!" on its own is enough for the full 30.0 score.
# NOTE(review): confirm that false-positive exposure is acceptable.
header __VIRUS_SOBIG_F1 Subject =~ /(?:Re: Details|Re: Approved|Re: Re: My details|Re: Thank you!|Re: That movie|Re: Wicked screensaver|Re: Your application|Thank you!|Your details)/i
# Helper test 2: a part whose name= value (optionally quoted) starts with one
# of the listed base names followed by a dot.
full __VIRUS_SOBIG_F2 /Content-Type:[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?(?:your_details|application|document|screensaver|movie|details|wicked_scr|your_document|thank_you|movie0045|document_all|document_9446)\./i
meta VIRUS_SOBIG_F (__VIRUS_SOBIG_F1 || __VIRUS_SOBIG_F2)
describe VIRUS_SOBIG_F Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html (includes sobig.e)
score VIRUS_SOBIG_F 30.0
# http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.redist.c@mm.html
# A part whose name= value (optionally quoted) starts with one of the listed
# base names followed by a dot; Database and Soccer take a trailing number.
full VIRUS_HLLW_REDIST_C /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?(?:CartoonComedy|PswdLst01|Database(?:\d+)|Soccer(?:\d+)|FireScreen|Armadillo|WebDesignSetup)\./i
describe VIRUS_HLLW_REDIST_C Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.redist.c@mm.html
score VIRUS_HLLW_REDIST_C 30.0
# http://securityresponse.symantec.com/avcenter/venc/data/w32.jantic.b@mm.html
# A part whose name= value (optionally quoted) starts with "attachment.exe".
full VIRUS_JANTIC_B /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?attachment\.exe/i
describe VIRUS_JANTIC_B Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.jantic.b@mm.html
score VIRUS_JANTIC_B 30.0
# Header-only test: the From address used by this worm. Sender headers are
# forgeable, so this matches the address string, not a verified origin.
header VIRUS_HYBRIS_GEN From =~ /hahaha\@sexyfun\.net/i
describe VIRUS_HYBRIS_GEN Virus see http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
score VIRUS_HYBRIS_GEN 30.0
# Helper test 1: Subject begins with "your account " (anchored at the start).
header __VIRUS_MIMAIL_A1 Subject =~ /^your account /i
# Helper test 2: a part whose name= value (optionally quoted) starts with
# "message.zip".
full __VIRUS_MIMAIL_A2 /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?message\.zip/i
# Both helper tests are required ("&&"), unlike the "||" metas in this file.
meta VIRUS_MIMAIL_A (__VIRUS_MIMAIL_A1 && __VIRUS_MIMAIL_A2)
describe VIRUS_MIMAIL_A Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
score VIRUS_MIMAIL_A 30.0
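# Helper test 1: the forged From address used by this trojan. The dot in the
# domain is escaped so it is matched literally rather than as any character.
header __TROJAN_DUMARU_1 From =~ /<security\@microsoft\.com>/i
# Helper test 2: the Subject phrase used by the same mailing.
header __TROJAN_DUMARU_2 Subject =~ /Use this patch immediately/i
# All three are required; MICROSOFT_EXECUTABLE is not defined in this file
# and must come from the installed SpamAssassin rule set.
meta TROJAN_DUMARU (MICROSOFT_EXECUTABLE && __TROJAN_DUMARU_1 && __TROJAN_DUMARU_2)
describe TROJAN_DUMARU Trojan see http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.html
score TROJAN_DUMARU 30.0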
# Helper test 1: the Subject phrase used by this mailing (unanchored).
header __VIRUS_PANOL_1 Subject =~ /The easy, automatic way to keep your PC virus-free/i
# Helper test 2: a part whose name= value (optionally quoted) starts with
# "Virus_scanner.exe".
full __VIRUS_PANOL_2 /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?Virus_scanner\.exe/i
# Both helper tests are required.
meta VIRUS_PANOL (__VIRUS_PANOL_1 && __VIRUS_PANOL_2)
describe VIRUS_PANOL Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.panol@mm.html
score VIRUS_PANOL 30.0
# Helper test 1: the Subject phrase used by this mailing (unanchored).
header __VIRUS_MINIMAN_1 Subject =~ /The Bin Laden game/i
# Helper test 2: a part whose name= value (optionally quoted) starts with
# "Virus.vbs".
full __VIRUS_MINIMAN_2 /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?Virus\.vbs/i
# Both helper tests are required.
meta VIRUS_MINIMAN (__VIRUS_MINIMAN_1 && __VIRUS_MINIMAN_2)
describe VIRUS_MINIMAN Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.miniman@mm.html
score VIRUS_MINIMAN 30.0
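# Helper test 1: any From address in the forged microsoft.com domain. The dot
# is escaped so it is matched literally rather than as any character.
header __VIRUS_PANDEM_B1 From =~ /\@microsoft\.com/i
# Helper test 2: a part whose name= value (optionally quoted) starts with
# "patch.zip" or "patch_329390.exe".
full __VIRUS_PANDEM_B2 /Content-Type:\s*[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?(?:patch\.zip|patch_329390\.exe)/i
# Both helper tests are required, so mail from that domain alone does not fire.
meta VIRUS_PANDEM_B (__VIRUS_PANDEM_B1 && __VIRUS_PANDEM_B2)
describe VIRUS_PANDEM_B Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.pandem.b.worm.html
score VIRUS_PANDEM_B 30.0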
# http://securityresponse.symantec.com/avcenter/venc/data/w32.zush@mm.html
# Helper test 1: the Subject phrase used by this mailing (unanchored).
header __VIRUS_ZUSH1 Subject =~ /Vazna informacija!/i
# Helper test 2: a part whose name= value (optionally quoted) starts with
# "Setup32.exe".
full __VIRUS_ZUSH2 /Content-Type:[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?Setup32\.exe/i
# Either helper test alone scores the full 30.0 ("||").
meta VIRUS_ZUSH (__VIRUS_ZUSH1 || __VIRUS_ZUSH2)
describe VIRUS_ZUSH Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.zush@mm.html
score VIRUS_ZUSH 30.0
# http://securityresponse.symantec.com/avcenter/venc/data/w32.hopalong@mm.html
# Helper test 1: the Subject phrase used by this mailing (unanchored).
header __VIRUS_HOPALONG1 Subject =~ /Look At This!!!/i
# Helper test 2: a part whose name= value (optionally quoted) starts with
# "hop_along.exe".
full __VIRUS_HOPALONG2 /Content-Type:[^\;]+\;\s*name(?:\*[0-9]+)?=(?:3D)?\"?hop_along\.exe/i
# Either helper test alone scores the full 30.0 ("||"), so a Subject of
# "Look At This!!!" is sufficient by itself.
# NOTE(review): confirm that false-positive exposure is acceptable.
meta VIRUS_HOPALONG (__VIRUS_HOPALONG1 || __VIRUS_HOPALONG2)
describe VIRUS_HOPALONG Virus see http://securityresponse.symantec.com/avcenter/venc/data/w32.hopalong@mm.html
score VIRUS_HOPALONG 30.0
--- PerMsgStatus.pm.orig 2003-07-03 13:55:02.000000000 +0200
+++ PerMsgStatus.pm 2003-07-03 14:06:14.000000000 +0200
@@ -941,9 +941,11 @@
}
if ($multipart_boundary eq $_) {
+ my $mime_headers = '';
my $starting_line = $line;
for ($line++; defined($_ = $bodyref->[$line]); $line++) {
s/\r//;
+ $mime_headers .= $_;
if (/^$/) { last; }
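Review bot: The header lines gathered by `$mime_headers .= $_` are raw, undecoded MIME part headers, and the second hunk splices them verbatim into `body_text_array`, so every body-level test presumably now also runs over attachment headers rather than only rendered text; that intent deserves a why-comment next to the `my $mime_headers = '';` line, e.g. `# keep this part's raw MIME headers so body tests can see the attachment type and name`. The append happens before the `if (/^$/) { last; }` check, so the blank terminator line is included as well, which looks harmless but should be stated. The second hunk also rewords the visible marker from `[skipped $ctype attachment]` to `[skipped $ctype content]`, which is unrelated to the feature and may affect anything that matched the old text; keeping the original wording would make the patch minimal. The enclosing loop and `if` block both start before this hunk and continue past it.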
@@ -963,7 +965,7 @@
if (!$ctypeistext) {
# skip this attachment, it's non-text.
- push (@{$self->{body_text_array}}, "[skipped $ctype attachment]\n");
+ push (@{$self->{body_text_array}}, $mime_headers."[skipped $ctype content]\n");
for ($line++; defined($_ = $bodyref->[$line]); $line++) {
if ($end_boundary eq $_) { last; }