Hello,
Recently, bad people have been trying to send ransomware in an ACE archive with a .rar extension.
Inside is a .jse file.
Unfortunately, amavisd-new passes this undetected (it does not recognize the ACE
archive and can't unpack it).
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Extracting mime components from a
string
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p001
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p002
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new pseudo part: p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p003 1 Content-Type:
multipart/mixed
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Charging 1551 bytes to remaining
quota 25461000 (out of 25461000, (0%)) - by mime_decode
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p001 1/1 Content-Type:
text/plain, base64, size: 1551, SHA1 digest:
0ee8569abe1472ea4ddc0f5d2fd62cc13cbbe995
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) reparenting p001 from p000 to p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Charging 34500 bytes to remaining
quota 25459449 (out of 25461000, (0%)) - by mime_decode
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p002 1/2 Content-Type:
application/octet-stream, base64, size: 34500, SHA1 digest:
3168e9d25b548b4b73fa62b188921648c73593c7, name: Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) reparenting p002 from p000 to p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline mime_decode -
deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer mime_decode: timer
288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline mime_decode-1 -
deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer mime_decode-1:
timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) inspect_dsn: parts:
multipart/mixed, text/plain, application/octet-stream
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) inspect_dsn: not a bounce
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline dsn_parse - deadline
in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer dsn_parse: timer
288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decode_parts: level=1, #parts=3 :
p001, p002, p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) running file(1) on 2 files,
arglist size 23
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) run_command: [2353] /usr/bin/file
p001 p002 </dev/null 2>&1
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd0
closing, to become < /dev/null
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd1
closing, to become (65) &=19
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd1
dup2 from fd19 (65) &=19
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: source fd19
closed
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd2
closing, to become (65) &1
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd2
dup2 from fd1 (65) &1
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) result line from file(1): p001:
UTF-8 Unicode text, with CRLF line terminators\n
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("UTF-8 Unicode text,
with CRLF line terminators") matches key "(?^i:^UTF.* Unicode text\\b)",
result="txt"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup
[map_full_type_to_short_type] => true, "UTF-8 Unicode text, with CRLF line
terminators" matches, result="txt", matching_key="(?^i:^UTF.* Unicode text\\b)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) File-type of p001: UTF-8 Unicode
text, with CRLF line terminators; (txt)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) result line from file(1): p002:
ACE archive data version 20, from Win/32, version 20 to extract, with recovery
record, solid\n
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("ACE archive data
version 20, from Win/32, version 20 to extract, with recovery record, solid")
matches key "(?^:^)", result="dat"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup
[map_full_type_to_short_type] => true, "ACE archive data version 20, from
Win/32, version 20 to extract, with recovery record, solid" matches,
result="dat", matching_key="(?^:^)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) File-type of p002: ACE archive
data version 20, from Win/32, version 20 to extract, with recovery record,
solid; (dat)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decompose_part: p001 - atomic
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decompose_part: p002 - atomic
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline parts_decode -
deadline in 479.9 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer parts_decode: timer
288, was 288, deadline in 479.9 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [bypass_header_checks] =>
undef, "xxx@xxx" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_header: 0, OK
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [bypass_header_checks] =>
undef, "xxx@xxx" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Checking for banned types and
filenames
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup: (scalar) matches,
result="DEFAULT"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_filename], 1
matches for "xxx@xxx", results: "(constant:DEFAULT)"=>"DEFAULT"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) collect banned table[0]: xxx@xxx,
tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x2764760)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) starting banned checks -
traversing message structure tree
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_for_banned (p003,p001)
multipart/mixed | text/plain,.txt
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) doing banned check for xxx@xxx on
multipart/mixed | text/plain,.txt
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01)
lookup_re(["multipart/mixed","text/plain",".txt"]), no matches
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [check_bann:xxx@xxx] =>
undef, ["multipart/mixed","text/plain",".txt"] does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_namepath_re] =>
undef, "P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=txt"
does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p.path xxx@xxx:
"P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=txt"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_for_banned (p003,p002)
multipart/mixed | application/octet-stream,.dat,Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) doing banned check for xxx@xxx on
multipart/mixed | application/octet-stream,.dat,Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01)
lookup_re(["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"]),
no matches
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [check_bann:xxx@xxx] =>
undef, ["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"]
does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_namepath_re] =>
undef,
"P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=Kwit_Skan.rar"
does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p.path xxx@xxx:
"P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/octet-stream,T=dat,N=Kwit_Skan.rar"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) banned check: any=0, all=N (1)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("MAIL") matches key
"(?^:^MAIL$)", result="1"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [keep_decoded_original] =>
true, "MAIL" matches, result="1", matching_key="(?^:^MAIL$)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p004
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) presenting full original message
to scanners as
/var/spool/amavisd/tmp/amavis-20180420T094955-02239-79PbWM9A/parts/p004
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Calling virus scanners, 3 files
to scan in /var/spool/amavisd/tmp/amavis-20180420T094955-02239-79PbWM9A/parts
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) invoking av-scanner ClamAV-clamd
(…)
file Kwit_Skan.rar
Kwit_Skan.rar: ACE archive data version 20, from Win/32, version 20 to extract,
with recovery record, solid
I tried to block it:
$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
qr'^\.jse$',
qr'^\.pif$',
qr'^\.ace$',
qr'^ACE archive data version.*$',
);
But amavisd-new still passes these ransomware archives ☹
Can you help me with banning ACE archives by file type, or add support for ACE
archives to amavisd (e.g. by using unace)?
I’m using amavisd-new-2.11.0-3.el7.noarch on CentOS Linux release 7.4.1708
--
Best regards,
Marcin
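As an added example (not part of Marcin's post), one way to make the banned check see the archive as ".ace": the log above shows the banned lookup is run over the short type and the filename, ["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"], not over the full file(1) description, and that the ACE description fell through to the catch-all key (?^:^) mapping to "dat", so the qr'^ACE archive data version.*$' entry can never match. The fragment below assumes amavisd-new's $map_full_type_to_short_type_re table and shows only the entries relevant here; the distribution's other default mappings must be kept between them.

```perl
# Added example, not from the original post. Map file(1)'s ACE description to
# the short type "ace" before the catch-all, so the banned check is offered
# ".ace" instead of ".dat" for p002-style parts.
$map_full_type_to_short_type_re = new_RE(
  [qr'^ACE archive data'i => 'ace'],   # matches the file(1) output in the log
  # ... keep the rest of the default mappings from amavisd.conf here ...
  [qr'^' => 'dat'],                    # catch-all seen as (?^:^) in the log; keep last
);

# With the mapping above, ".ace" now reaches the banned check and this matches.
$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$',   # banned file(1) types, rudimentary
  qr'^\.(ace|jse|pif)$',  # ACE archive by detected type, plus the script types
);
```

After restarting amavisd, the debug log should show lookup [banned_filename] matching ".ace" for such a part instead of "no matches".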