Re: Klez.H worm preserved in Debian BTS

To: debian-devel@lists.debian.org
Subject: Re: Klez.H worm preserved in Debian BTS
From: Craig Sanders <cas@taz.net.au>
Date: Wed, 30 Oct 2002 08:56:20 +1100
Message-id: <[🔎] 20021029215620.GL27399@taz.net.au>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20021029203742.GA18204@phy.olemiss.edu>
References: <[🔎] 20021029140552.A15286@elbonia.lubricants-oil.com> <[🔎] Pine.LNX.4.33.0210291413290.26198-100000@gradall.private.brainfood.com> <[🔎] 20021029203742.GA18204@phy.olemiss.edu>

On Tue, Oct 29, 2002 at 02:37:42PM -0600, Chris Lawrence wrote:
> On Oct 29, Adam Heath wrote:
> > On Tue, 29 Oct 2002, David D. Kilzer wrote:
> > > It might also be advisable to incorporate some email anti-virus scanning
> > > software on the mail exchangers (MX) for debian.org (or for a subset of
> > > the Debian mailing lists) since amavis-exim and clamscan are now
> > > available in testing/unstable (assuming the mail exchangers could handle
> > > the additional load).
> > 
> > Again, you haven't been paying attention.
> > 
> > lists.d.o runs mails from non-subscribers thru spamassassin already.
> 
> spamassassin is nice, but it doesn't scan for viruses (at least, not
> directly, although some have giveaway subjects).  Plus, the common
> virii often masquerade email addresses, so messages should be scanned
> regardless of who allegedly sent them.

it would be simpler, and a lot less expensive in terms of IO and CPU
resources, to just reject all windows executable attachments.

that would block all windows viruses, not just those that are already
known by AV scanners.

regexp patterns similar to the following four (which i use in my
postfix body_checks rules) would do the job:

---cut here---
# don't bother checking attachment bodies.  this will greatly speed
# up processing of large messages.
/^[0-9a-z+\/=]{60,}\s*$/        OK

# mime attachments 
/^(Content-(Disposition: attachment;|Type:).*|\s+)(file)?name\s*=\s*"?.*\.(lnk|bat|c[ho]m|cmd|com|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh])"?\s*$/ REJECT

# uuencoded attachments
/^begin [0-9]{1,4} .*\.(lnk|bat|c[ho]m|cmd|com|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh])$/ REJECT

# iframe exploit
/<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>/   REJECT
---cut here---

note 1: the first rule ending in "OK" is very useful in postfix.  it
tells postfix to skip any line which looks like the content of an
attachment.  if you have a large body_checks file, this is a huge gain
in performance as otherwise, each line of every message is checked
against every regexp pattern in the body_checks file.

note 2: regexp syntax is PCRE (which *would* work in spamassassin).
some changes would need to be made for posix regexp, mostly change \s to
[:space:].

note 3: there may be some filename extensions that i missed, it's not an
exhaustive list of windows executable types.

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

Reply to:

References:
- Klez.H worm preserved in Debian BTS
  - From: "David D. Kilzer" <ddkilzer@lubricants-oil.com>
- Re: Klez.H worm preserved in Debian BTS
  - From: Adam Heath <doogie@debian.org>
- Re: Klez.H worm preserved in Debian BTS
  - From: Chris Lawrence <lawrencc@debian.org>

Prev by Date: Re: A Round of Removals
Next by Date: Re: Klez.H worm preserved in Debian BTS
Previous by thread: Re: Klez.H worm preserved in Debian BTS
Next by thread: Re: Klez.H worm preserved in Debian BTS
Index(es):
- Date
- Thread