Tuesday, February 5, 2008

Shell Script To Augment Antivirus Software On Unix and Linux Mail Servers

Hello again,

Today's offering is, as usual, borne of personal experience. I first found this method of helping combat virus emails back in the "I Love You" days, when vbscript was automatically opened by all MS products and allowed sufficient access to the Windows system Registry to enable anyone with moderate scripting abilities (or the manual dexterity to cut and paste) to completely destroy other users' systems via embedded (or even attached) scripts. Thank God they've gone out of their way over the past decade to make sure that won't ever happen again (heavy sarcasm - I'm not sure what the proper emoticon for that would be ;)

This shell script is a bit of a "shell" in and of itself, since it reflects a specific setup and probably won't exactly match anyone else's without a bit of modifying. It's one way I found to help out a flood of virus emails on any Linux or Unix host that acts as a mail server (sendmail, qmail, what have you). If you still store your email locally on a Linux or Unix host and have your users access that via POP of IMAP, this can help you clean out virii without having to go near anyone's personal computer.

This script should, optimally, be run as a cron job (once a minute perhaps), but if the situation is desperate, it can also be run in a command line "while loop" to make sure it never takes a break. That can be accomplished like so (We'd also, under this circumstance, recommend running it so that it won't stop running if you get disconnected from your terminal - You can use nohup or check this previous post regarding what to do if nohup hangs up anyway for alternatives, like running the command backgrounded in a subshell) :

host # while :; do /full/path/to/viruscleaner.sh;sleep 5;done

The mechanics of the script are fairly crude, as this is not meant to be a substitute for adequate virus protection on Windows machines, nor is it meant to outperform existing Linux and Unix antivirus products. This shell script is presented as an augmentation to the above mentioned safeguards and can help make them more efficient by taking some of the work away from them.

As an example, one of the simple things this script does to help combat virii waiting in your mail queue is to simply change extensions on attachments to mails that match your search criteria. Rather than delete, or quarantine, a potentially viral email, simply changing the extension of the attachment (From, say, .vbs to .whyInTheWorldWouldYouEverOpenThis ;) can make a huge difference. When someone receives an email with an unknown file type extension attached, they will (at the very least) be prompted by Windows as to whether or not they wish to open it. If you name your new extensions ridiculously enough, they should also be forced to pick a program to open the attachment with. You have every right to be completely baffled if one of your users goes through the double hassle of opening up an email attachment called ClickHere.whyInTheWorldWouldYouEverOpenThis ;) That's why another thing the script tries to do is rewrite vbs code so it won't execute properly.

Extensible possibilities for this script are pretty much endless, since you can do anything to the contents of a mail file on a Linux or Unix system. For instance, if the attachment was uuencoded, you could change the name and then randomly substitute characters in the uuencoded attachment so that it would never be able to be decoded.

Hope you all have fun with this and it saves you some sweat :)

Cheers,


Creative Commons License


This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

#!/bin/sh

#
# viruscleaner.sh
# Check for viral attachments in
# your email work directory
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

cd /var/mail
while :
do
for x in `ls -1d *`
do
egrep -il "Subject: Resume"\|"Subject: I *LOVE *YOU"\|"Subject: fw"\|"Subject: Susitikim"\|"Subject: This *Is *Funny"\|"Subject: Mother"\|"Subject: joke" $x >/dev/null 2>&1
if [ $? -eq 0 ]
then
/usr/local/bin/perl -p -i -e 's/HKEY.*/ifthenfor else #/' $x
/usr/local/bin/perl -p -i -e 's/begin.*//' $x
/usr/local/bin/perl -p -i -e 's/(ap\.wri|c.Copy|regget|regcreate|On Error).*//i' $x
/usr/local/bin/perl -p -i -e 's/set (fso|file|wscr|dir).*//i' $x
/usr/local/bin/perl -p -i -e 's/\(\)/####/' $x
/usr/local/bin/perl -p -i -e 's/sub /end sub/' $x
/usr/local/bin/perl -p -i -e 's/vbs/bad/' $x
/usr/local/bin/perl -p -i -e 's/Subject: I *LOVE *YOU/Subject: Cleaned_ILOVEYOU/i' $x
/usr/local/bin/perl -p -i -e 's/Subject: fw/Subject: Cleaned_fw/i' $x
/usr/local/bin/perl -p -i -e 's/Subject: Sus/Subject: Cleaned_Sus/i' $x
/usr/local/bin/perl -p -i -e 's/Subject: This *Is *Funny/Subject: Cleaned_This Is Funny/i' $x
/usr/local/bin/perl -p -i -e 's/Subject: Mother/Subject: Cleaned_Mother/i' $x
/usr/local/bin/perl -p -i -e 's/Subject: joke/Subject: Cleaned_joke/i' $x
/usr/local/bin/perl -p -i -e 's/Subject: Resume/Subject: Cleaned_Resume/i' $x
fi
done
sleep 60
done


, Mike