CyberSoft White Papers

Immunity to Worm/Virus Attacks by File Type Blocking
Email and File Virus Scanning by File Type
24 April 2001

Many people call all software attacks viruses. In fact, there are dozens of different types of attacks, including viruses, worms, logic bombs, trojans, etc. Many of the most destructive recent attacks have been worm attacks. The Love Letter "virus", the Killer Resume "virus" and dozens more are actually worms that enter systems via email.

There is one special fact about all of the attacks just mentioned: they were all written in Microsoft's Visual Basic for Applications (VBA). There are a few programs that require you to use VBA in email messages, but they are rare, and if you are not using one of them there is no reason why you should allow VBA applications on your system. After all, if you are not using it, it has no business being there. The significance of this fact is that you can become immune to all VBA-based attacks, both known and unknown, just by blocking all messages containing VBA applications.

This same theory can be generalized to all types of applications. If you are operating a Microsoft Windows 2000 system, there is no reason why Unix applications should exist on its filesystem. The reverse is also usually true of the Unix system. While this is not as useful as the first example involving email messages, the theory can be taken a step farther. For example, if you are running a Windows 2000 system and you don't use VBA applications, OLE-based macros or Java applications, then there is no legitimate reason for these applications to exist on the system. If as a company policy you do not use macros, then any file containing macros may be a new, unknown attack. It is at the very least a violation of company policy. By blocking or eliminating all macro-based files on a system, the system becomes immune to all macro viruses. This can be made practical in two ways.
Add type blocking to a virus scanner, or add type blocking to an Antivirus Real Time (ART) system. An ART system scans files for viruses when they are copied, executed or moved, in real time. It does not wait for an event like a system scan, but operates in "real time", on an as-needed basis. By adding type blocking to an ART system, a virus scanner and network communications, you can extend your virus scanner's ability to locate new, unknown viruses. This can be very significant.

Using the UAD tool, which is part of the CyberSoft VFind Security Tool Kit (VSTK), you can automatically and recursively decompose complex files for scanning and analysis. As part of this process it resolves the type of a file or message, including all of its attachments or subcomponents. Email messages are complex "file" types that consist of a message header, a message body and other encapsulated attachments. UAD identifies each attachment recursively by its encapsulation method and contents. In addition, UAD makes no assumptions about a file's contents based upon the file's name; it makes its identification based upon direct inspection of the data itself.

For those of you who prefer the Unix Bourne shell scripting language to the English language, here is a small example of how to use UAD to block email attachments of various types. The nawk program matches the attachment name reported on UAD's "Name:" output lines; the patterns are case-sensitive, so wrap $3 in tolower() if attachment names may arrive in upper case:

$VSTK_HOME/bin/uad -z "$filename" 2>/dev/null | nawk '$2 == "Name:" && ( \
    $3 ~ /\.vbs$/ || $3 ~ /\.com$/ || $3 ~ /\.exe$/ || \
    $3 ~ /\.shs$/ || $3 ~ /\.wsf$/ || $3 ~ /\.wsh$/ || \
    $3 ~ /\.scr$/ || $3 ~ /\.dll$/ || $3 ~ /\.hlp$/ || \
    $3 ~ /\.js$/ ) { print "bad attachment type: " $3 }'
Another tool included in the VSTK is MvFilter, the OLE macro disinfection tool. It can also be used to ensure that no macro viruses exist in a message or file. A Unix Bourne shell script example of how to do this is:

#!/bin/sh
FILENAME=/export/home/test/engineering.doc
export FILENAME
VSTK_HOME=/usr/lib/vstk
export VSTK_HOME

# Run mvfilter silently; only its exit status is examined below.
${VSTK_HOME}/bin/mvfilter "${FILENAME}" 2> /dev/null > /dev/null
ERR=$?

case ${ERR} in
20)
    echo "${FILENAME}" "contains no macros"
    ;;
40)
    echo "${FILENAME}" "unrecognized file type"
    ;;
81)
    echo "${FILENAME}" "not an OLE document/message"
    ;;
*)
    # any other exit status
    echo "It worked"
    ;;
esac
If you combine the first example with the second, while additionally using UAD to decompose an email that contains macro-bearing OLE attachments, then you can effectively detect, decompose and disinfect attachments in email. The now disinfected and decomposed message would have to be rebuilt, but that can be done using public domain software like gzip and various MIME encoders.

The purpose of this paper was not to present a completed program. It was to provide concepts, ideas and known working code segments to solve complex problems. This is in keeping with the VFind tool mentality. All of the VSTK tools mentioned in this article are included in the VSTK, VSTKP and VSTKCW tool kits. If you are interested in additional examples of programs written around the VSTK and VSTKP products, visit www.cybersoft.com.
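The pipeline described above (decompose the message recursively, identify each attachment by its contents rather than by its name, and apply a block-by-type policy) as an added example in Python. It illustrates both the UAD attachment-blocking example and the combined decompose-and-check idea; it is not CyberSoft code and does not call UAD or MvFilter. The magic-byte table, the script-text heuristic, the block policy and the sample message are all constructed for illustration, and the disinfection and rebuild steps are not performed:

```python
# Added example (not CyberSoft code): recursive MIME decomposition with
# content-based attachment typing and a block-by-type policy. The signature
# table and the script heuristic are assumptions; UAD's own identification
# logic and output format are not reproduced here.
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Leading-byte signatures (constructed, deliberately minimal). OLE2 compound
# documents are the container format of macro-bearing Word/Excel files.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"MZ", "pe-exe"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
]

# Site policy (assumed): content types that have no business arriving by email.
BLOCK_POLICY = {"ole2", "pe-exe", "elf", "script-text"}


def identify(data: bytes) -> str:
    """Classify content by inspecting the bytes, never the attachment name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    try:
        text = data[:512].decode("ascii").lower()
    except UnicodeDecodeError:
        return "binary-unknown"
    # Hypothetical heuristic for Windows Script Host text (VBScript/JScript).
    if any(tok in text for tok in ("wscript.", "createobject(", "on error resume next")):
        return "script-text"
    return "text"


def scan_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Walk every leaf part, including parts nested inside forwarded messages.

    Returns (declared filename, detected type, verdict) for each leaf part.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # multipart/* and message/rfc822 are containers; walk() descends into them
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        kind = identify(payload)
        verdict = "block" if kind in BLOCK_POLICY else "allow"
        findings.append((part.get_filename() or "(body)", kind, verdict))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message whose filenames deliberately disagree with contents."""
    inner = EmailMessage()
    inner["Subject"] = "FW: notes"
    inner.set_content("Forwarding the notes.")
    inner.add_attachment(b'WScript.Echo "constructed sample"\r\n',
                         maintype="application", subtype="octet-stream",
                         filename="notes.txt")

    outer = EmailMessage()
    outer["Subject"] = "Quarterly figures"
    outer.set_content("Here is the file you asked for.")
    # OLE2 header hiding under a harmless-looking .txt name
    outer.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
                         maintype="application", subtype="octet-stream",
                         filename="quarterly.txt")
    # PDF bytes under an alarming .exe name: the content decides, so this passes
    outer.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                         maintype="application", subtype="octet-stream",
                         filename="invoice.exe")
    outer.add_attachment(inner)  # message/rfc822 part: exercises the recursion
    return outer.as_bytes()


if __name__ == "__main__":
    for name, kind, verdict in scan_message(build_sample_message()):
        print(f"{verdict:5s} {kind:12s} {name}")
```

Run as a script it prints one line per leaf part: the OLE2 payload named quarterly.txt and the script text nested inside the forwarded message are blocked, while invoice.exe passes because its bytes are a PDF. A production filter would feed a real identifier such as UAD in place of identify() and hand blocked OLE parts to a disinfection step before rebuilding the message.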