Archive
DirWiz News

Dealing with email trojan zip attachments

2017-06-12 15:48:26

Here at Directory Wizards we run Linux as our desktop of choice. While no security is perfect, this configuration all but eliminates the risk of being affected by virus-infected Windows executables.

Those crafty attackers are now compressing infected Windows executables as a zip file attached in fake attention grabbing emails: failed shipments, large fake bank transfers, bogus airline tickets etc. For a Linux user, it’s darned annoying to get these emails all the time.

After quite a bit of research, I found that it’s usually a single file (chm, scr, doc, js, exe) contained in the zip file. Failing to find a way for procmail to filter this, I did what every good programmer does, I wrote a program to detect these files.

Below is a program that parses the message looking for a zip attachment containing a single file. If found, it adds X-Zip-Trojan: yes to the message headers. From there, procmail can pick it up and act accordingly. For this to work you need Perl, Archive::Zip and MIME::Parser.

I offer no warranty for the following code.

mime-zip-trojan.pl

#!/usr/bin/perl

use File::Temp;
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
use MIME::Parser;

sub has_trojan_zip
{
    $head=$_[0]->head;
    if ($head->recommended_filename=~/\.zip$/i)
    {
        $fh=File::Temp->new();
        $fname=$fh->filename;
        open FILE,">",$fname || die $!;
        print FILE $_[0]->bodyhandle->as_string;
        close FILE;

        my $zip=Archive::Zip->new($fname);
        if ($zip->numberOfMembers==1)
        {
            @members=$zip->memberNames;
            return 1 if $members[0]=~/\.(chm|scr|doc|js|exe)$/i;
        }
    }
    return 0;
}

my $parser = new MIME::Parser;
$parser->output_to_core(1);
$entity=$parser->parse(\*STDIN) or die "parse failed";

my $flag=0;
foreach my $part ($entity->parts)
{
    $flag=1 if has_trojan_zip($part)==1;
}

$head=$entity->head;
$head->add('X-Zip-Trojan','Yes') if $flag==1;

$entity->print(\*STDOUT);>>>

/etc/procmailrc recipe snippet

#Check for zip trojans mark with X-Zip-Trojan
:0 B
* ^Content-Type: (application/zip|application/x-zip-compressed);
{
    :0 fbhw
    | /usr/local/bin/mime-zip-trojan.pl
}

# Delete if it has a trojan zip.
:0
* ^X-Zip-Trojan: Yes
    /dev/null