Koozali.org: home of the SME Server

Hash/SHA256 based attachment filter - caught WannaCry

Knuddi (540 posts, +0/-0, http://www.scanmailx.com)
Hash/SHA256 based attachment filter - caught WannaCry
« on: May 24, 2017, 09:11:00 PM »
Dear all,

I have now enhanced the SMEOptimizer (https://wiki.contribs.org/SMEOptimizer) with a new attachment filter functionality that showed its value during the recent WannaCry attack. As with the DNS Blacklist for IPs and URLs, this is also SME community enhanced (you contribute). All attachments will, based on their SHA1 hash signature, be checked against a central DNS based database; if matched, they will be rejected. The actual attachment will never leave your server, only the signature.

If not matched directly as malicious, then the SHA1 and SHA256 signatures are stored locally and afterwards checked against VirusTotal. If there is a match there, then the signatures (as well as size and filename) will be sent to the shared DNS database for all users' benefit, so it can be matched next time.

Old users should get the modules automatically and only need to configure the VirusTotal API. As of right now 25,827,548 spam reports have been submitted for the DNS Blacklist!!

Questions or suggestions are as always welcome.

Enjoy,
Jesper
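
As an added illustration of the pipeline described in this post (not code from SMEOptimizer or from anyone in the thread): an attachment filter that hashes each MIME attachment, forms a DNS lookup name from the SHA1 so that only the signature leaves the server, rejects the message on a listed answer, and otherwise holds the SHA1/SHA256 pair together with size and filename for a later VirusTotal check. The zone name `HASH_DNSBL_ZONE`, the in-memory stand-in for the central DNS database, and the sample message are all constructed assumptions; the real SMEOptimizer zone and the VirusTotal call are not shown.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Hypothetical zone name: the thread does not give the real SMEOptimizer zone.
HASH_DNSBL_ZONE = "hash.dnsbl.example.invalid"

# Constructed stand-in for the central DNS database: a set of SHA1 hex digests
# that a lookup of "<sha1>.<zone>" would answer for. Populated below from the
# sample data so the example runs offline.
KNOWN_BAD_SHA1 = set()


def attachment_digests(raw_message: bytes):
    """Yield (filename, size, sha1_hex, sha256_hex) for each attachment in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        yield (
            part.get_filename() or "(unnamed)",
            len(payload),
            hashlib.sha1(payload).hexdigest(),
            hashlib.sha256(payload).hexdigest(),
        )


def dnsbl_query_name(sha1_hex: str, zone: str = HASH_DNSBL_ZONE) -> str:
    """Build the DNS name that would be resolved for a hash; this is all that leaves the server."""
    return f"{sha1_hex}.{zone}"


def lookup_hash(query_name: str) -> bool:
    """Stand-in for a DNS A-record lookup: True means 'listed'. A real deployment resolves the name."""
    sha1_hex = query_name.split(".", 1)[0]
    return sha1_hex in KNOWN_BAD_SHA1


def filter_message(raw_message: bytes):
    """Return ('reject', details) if any attachment hash is listed, otherwise ('accept', pending),
    where pending holds the signatures to keep locally for a later VirusTotal check."""
    pending = []
    for name, size, sha1_hex, sha256_hex in attachment_digests(raw_message):
        if lookup_hash(dnsbl_query_name(sha1_hex)):
            return "reject", {"filename": name, "size": size, "sha1": sha1_hex}
        pending.append({"filename": name, "size": size, "sha1": sha1_hex, "sha256": sha256_hex})
    return "accept", pending


def build_sample(attachment_bytes: bytes, filename: str) -> bytes:
    """Construct a minimal multipart message carrying one attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


# Constructed sample blobs (not real malware): one is pre-listed, one is not.
LISTED_BLOB = b"constructed listed blob"
CLEAN_BLOB = b"constructed clean blob"
KNOWN_BAD_SHA1.add(hashlib.sha1(LISTED_BLOB).hexdigest())

if __name__ == "__main__":
    print(filter_message(build_sample(LISTED_BLOB, "invoice.exe")))
    print(filter_message(build_sample(CLEAN_BLOB, "report.pdf")))
```

The `pending` list is the local record that the post describes: both digests are kept so the later VirusTotal query can use whichever one the service matches on, and the filename and size travel with them only if the hash turns out to be detected.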


jameswilson (795 posts, +0/-0, Security Warehouse, professional security equipment)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #1 on: June 01, 2017, 02:12:04 AM »
I'd like to implement this but it seems a script install and not something that could be updated via yum?
I may be wrong of course but that's the only reason I haven't.

Knuddi (540 posts, +0/-0, http://www.scanmailx.com)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #2 on: June 01, 2017, 06:58:07 AM »
To make it available via yum, I would need to build an RPM and I just haven't got around to that (I do not have a build environment at the moment). But technically there are no problems with doing that. I would also like to make the server-manager UX but again, time hasn't permitted.


Knuddi (540 posts, +0/-0, http://www.scanmailx.com)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #3 on: June 06, 2017, 07:46:02 PM »
Pleased to see many user-contributed malware hashes in the system already. Just shows that the SME server with all best practices enabled (as I am sure all do) still allows bad stuff through. When the user base of this system grows a little we can catch these things inline and before they reach the users' inboxes...

Stefano (10,894 posts, +3/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #4 on: June 06, 2017, 07:52:10 PM »
First of all, thank you for your work.

I installed your "plugin" on all servers of mine (mail servers, of course), 'cause I'm very interested in virus filtering :-)

Knuddi (540 posts, +0/-0, http://www.scanmailx.com)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #5 on: June 06, 2017, 08:00:02 PM »
@Stefano,
Make sure to also register for the VirusTotal API key to get full effect.

Stefano (10,894 posts, +3/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #6 on: June 06, 2017, 08:04:17 PM »
Done, I'm waiting to see if I have some interesting feedback in the next few days.

ReetP (3,960 posts, +6/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #7 on: June 06, 2017, 08:41:30 PM »
I can probably flesh out a basic rpm with templates but would need a hand with some stuff.

Anyone willing to help?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Stefano (10,894 posts, +3/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #8 on: June 06, 2017, 09:08:55 PM »
I could be interested... Next week I'd have plenty of time.

ReetP (3,960 posts, +6/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #9 on: June 07, 2017, 01:22:38 PM »
OK,

I have vaguely fleshed out some files here:

https://github.com/reetp/smeserver-SMEOptimizer

Some notes/ comments:

I have physically added the qpsmtpd/plugin to the rpm. The script can check for updates to this.
I can't see the /etc/mail/spamassassin/smeoptimizer.cf on my testbox - I would have added it otherwise.
DB needs to be created manually. Ideally it should be created from the RPM and a random password used.

These keys could be in a DB entry (and later in a server-panel):

-alerts=[Yes|No]:        Enable checks and alerts for SME server downtime or registration in DNS Blacklist - default Yes.
-contact=[Email]:        Set the contact email address where alerts are sent to - default admin@<your domain>.
-VTAPI=[API Key]:        This is the VirusTotal public API key used to check attachments (will remain local).
-DNSBL=[qpsmtpd|sa]:     This configures whether the DNS blacklist lookup rejects directly (qpsmtpd) or scores (sa=SpamAssassin).

A smeoptimizer enabled/disabled key could also be added,

e.g.

config set smeoptimizer service alerts Yes contact admin@somewhere.com VTAPI 12345wxyz DBSBL qpsmtpd

[root@test plugins]# config set smeoptimizer service alerts Yes contact admin@somewhere.com VTAPI 12345wxyz DBSBL qpsmtpd
[root@test plugins]# config show smeoptimizer
smeoptimizer=service
    DBSBL=qpsmtpd
    VTAPI=12345wxyz
    alerts=Yes
    contact=admin@somewhere.com

Those would need some rewriting in the main script, and with some files being templated in the RPM some of the setup/init stuff would not be required, but I do not want to touch the script right now!

You can either fork the repo or I can add you as a contributor if you are interested in helping.

To test:

1. Copy over the files manually
2. Add the DB
3. Run the file:

/usr/local/smeoptimizer/SMEOptimizer.pl --initialize

See what breaks......

B. Rgds
John

Knuddi (540 posts, +0/-0, http://www.scanmailx.com)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #10 on: June 07, 2017, 07:48:25 PM »
@John,
Awesome, good start. There is actually no need for more files than SMEOptimizer.pl to start with; the rest is pulled in when using the "-initialize" command. What would be really interesting would be to automatically create the MySQL DB and store a random username and password in the smeoptimizer config DB. I can make the script pick these up rather than using the pre-configured default username/password.

The .spec should also have a requirement for perl-Email-MIME (for the attachment filter).

I would obviously be ready to contribute to get this packaged well.



ReetP (3,960 posts, +6/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #11 on: June 08, 2017, 12:46:47 AM »
Hi Jesper,

Thought I'd get the ball rolling :-)

Get all that. I thought it might be easier to have the initial files in the RPM and then updates can be pulled. I'm never keen on having to drag stuff in on install personally. Not a biggy though.

Added the require to the spec thanks.

If I add some keys as described will you use them?

eg:

smeoptimizer=service
    status=enabled
    DBSBL=qpsmtpd
    VTAPI=12345wxyz
    alerts=Yes
    contact=admin@somewhere.com (Have to think about this one)

DB - that's a good one and I need to have a look at that as I am not sure of the answer. I'll have a look at it for sure.

As far as contributing I can either add you to the git repo or you can fork it, or take it over yourself - I just did it for convenience really.

I can also give you a login to my build box if you want - it has git and a whole RPM mock build system on it. Let me know and I can give you an account.

B. Rgds
John

Knuddi (540 posts, +0/-0, http://www.scanmailx.com)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #12 on: June 08, 2017, 04:05:28 PM »
It's important that the configuration changes are made through the script and not directly in the DB. This is because, e.g., the contact address must be communicated to the central server or it will not be able to send alerts when the server is blacklisted or has SMTP issues.

So for a starter, only the "smeoptimizer" DB should be created. The rest will be created during "-initialize" and when being configured.

It would be awesome to have access to a build environment and then jointly get this ready for release. Again, it should be super simple.

Also remember that this contrib is not and will not be static, as the advantages (DNSBL and attachment filter) will only be available and enabled if you contribute by sending spam reports and SHAs that VirusTotal detected. Therefore the backend (smeoptimizer.com) will start and stop these services on the fly. It's a community system - share to benefit.

ReetP (3,960 posts, +6/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #13 on: June 08, 2017, 05:10:22 PM »
OK - well if you are happy to have a hack I'll get you an account on my box PDQ

I do think an 'enabled/disabled' key would be good though, unless you are going to build a web panel too!

SchulzStefan (620 posts, +0/-0)
Re: Hash/SHA256 based attachment filter - caught WannaCry
« Reply #14 on: June 18, 2017, 11:47:26 AM »
I installed the contrib, thank you for your work.

I registered at VirusTotal and got an email from alert@smeoptimizer.com:

"Thank you for registering your SME Server (9.2) with SME Optimizer. Your server is registered with its unique key and its public IP 84.120.123.53. With SME Optimizer you and your server contributes to the DNS blacklist that you also get access to. When your server has provided enough spam samples, then the SpamAssassin based DNS Blacklist rules will be downloaded automatically and enabled.

SME Optimizer will also on a daily basis check your server's public IP for listings in more than 80 international DNS blacklists and inform you via email in case you get listed. Additionally, the system will check your server from remote for downtime or other email issues. This is tested by trying to connect to the SMTP port 25.

Enjoy!

Best regards,
SME Optimizer"

As I have no static IP does this affect SMEOptimizer?

Thanks for answering.

Regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)
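
The daily public-IP blacklist check that the registration mail quoted above describes is a standard reverse-octet DNSBL query. As an added example that is not part of the thread or of SMEOptimizer: the query name is built by reversing the IPv4 octets under the list's zone, and an answer is only counted as a listing if it falls in 127.0.0.0/8, which keeps a wildcard or parked zone that answers for every name from producing false alerts. The zone names, the address (a documentation address, not one from the thread) and the fake resolver are constructed so the example runs offline; a real job would call a DNS resolver in place of `fake_resolve`.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed zone names; real DNSBL operators publish their own query zones.
DNSBL_ZONES = ["list-a.example.invalid", "list-b.example.invalid", "parked.example.invalid"]


def ip_dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address under the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def listed_answers(answers: List[str]) -> List[str]:
    """Keep only answers inside 127.0.0.0/8; DNSBLs encode a listing there and nowhere else."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.IPv4Address(a) in loopback]


def check_listings(ip: str, zones: List[str],
                   resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Return {zone: [answers]} for every zone that lists ip.
    resolve(name) returns the A records for name, or [] when the name does not exist."""
    result: Dict[str, List[str]] = {}
    for zone in zones:
        hits = listed_answers(resolve(ip_dnsbl_query_name(ip, zone)))
        if hits:
            result[zone] = hits
    return result


# Constructed fake resolver standing in for real DNS so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.list-a.example.invalid": ["127.0.0.2"],     # a genuine listing
    "10.2.0.192.parked.example.invalid": ["203.0.113.9"],   # wildcard answer outside 127/8, ignored
}


def fake_resolve(name: str) -> List[str]:
    """Look the name up in the constructed table; unknown names behave like NXDOMAIN."""
    return FAKE_DNS.get(name, [])


def daily_check(ip: str = "192.0.2.10") -> Dict[str, List[str]]:
    """What a once-a-day alert job would run; here it uses the fake resolver."""
    return check_listings(ip, DNSBL_ZONES, fake_resolve)


if __name__ == "__main__":
    print(daily_check())  # {'list-a.example.invalid': ['127.0.0.2']}
```

The return code inside 127.0.0.0/8 usually carries meaning specific to each list (which sub-list matched), so an alerting job should report the answer value alongside the zone rather than collapsing every hit to a single "listed" flag.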