Browse code
MailFollowURLS: detect Trojan.IRC-Script-33
| ... | ... |
@@ -1,3 +1,8 @@ |
| 1 |
+Sun Sep 23 13:49:12 BST 2007 (njh) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav/mbox.c: MailFollowURLS: Prefer .exes for download, catches |
|
| 4 |
+ Trojan.IRC-Script-33 |
|
| 5 |
+ |
|
| 1 | 6 |
Sat Sep 22 18:14:49 EEST 2007 (edwin) |
| 2 | 7 |
------------------------------------- |
| 3 | 8 |
* libclamav/cvd.c: seek on the underlying file descriptor and not FILE*. |
| ... | ... |
@@ -36,6 +36,8 @@ static char const rcsid[] = "$Id: mbox.c,v 1.381 2007/02/15 12:26:44 njh Exp $"; |
| 36 | 36 |
#endif |
| 37 | 37 |
#endif |
| 38 | 38 |
|
| 39 |
+#define _GNU_SOURCE |
|
| 40 |
+ |
|
| 39 | 41 |
#include <stdio.h> |
| 40 | 42 |
#include <stdlib.h> |
| 41 | 43 |
#include <errno.h> |
| ... | ... |
@@ -156,7 +158,7 @@ typedef enum {
|
| 156 | 156 |
#endif |
| 157 | 157 |
#endif |
| 158 | 158 |
|
| 159 |
-#if (!defined(C_WINDOWS)) && !defined(C_BEOS) |
|
| 159 |
+#ifndef C_WINDOWS |
|
| 160 | 160 |
#define closesocket(s) close(s) |
| 161 | 161 |
#define SOCKET int |
| 162 | 162 |
#endif |
| ... | ... |
@@ -184,6 +186,10 @@ typedef unsigned int in_addr_t; |
| 184 | 184 |
#define EISCONN WSAEISCONN |
| 185 | 185 |
#endif |
| 186 | 186 |
|
| 187 |
+#ifdef C_WINDOWS |
|
| 188 |
+#define strcasestr(h, n) strstr(h, n) /* This will cause isBounceMessage() to match too much */ |
|
| 189 |
+#endif |
|
| 190 |
+ |
|
| 187 | 191 |
/* |
| 188 | 192 |
* Define this to handle messages covered by section 7.3.2 of RFC1341. |
| 189 | 193 |
* This is experimental code so it is up to YOU to (1) ensure it's secure |
| ... | ... |
@@ -2835,7 +2841,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2835 | 2835 |
* Don't bother with text/plain or |
| 2836 | 2836 |
* text/html |
| 2837 | 2837 |
*/ |
| 2838 |
- if(strstr(s, "text/plain") != NULL) |
|
| 2838 |
+ if(strcasestr(s, "text/plain") != NULL) |
|
| 2839 | 2839 |
/* |
| 2840 | 2840 |
* Don't bother to save the |
| 2841 | 2841 |
* unuseful part, read past |
| ... | ... |
@@ -2845,7 +2851,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2845 | 2845 |
*/ |
| 2846 | 2846 |
continue; |
| 2847 | 2847 |
if((!doPhishingScan) && |
| 2848 |
- (strstr(s, "text/html") != NULL)) |
|
| 2848 |
+ (strcasestr(s, "text/html") != NULL)) |
|
| 2849 | 2849 |
continue; |
| 2850 | 2850 |
break; |
| 2851 | 2851 |
} |
| ... | ... |
@@ -3993,6 +3999,31 @@ do_checkURLs(const char *dir, tag_arguments_t *hrefs) |
| 3993 | 3993 |
|
| 3994 | 3994 |
n = 0; |
| 3995 | 3995 |
|
| 3996 |
+ /* |
|
| 3997 |
+ * Sort .exes higher up so that there's more chance they'll be |
|
| 3998 |
+ * downloaded and scanned |
|
| 3999 |
+ */ |
|
| 4000 |
+ for(i = FOLLOWURLS; (i < hrefs->count) && (n < FOLLOWURLS); i++) {
|
|
| 4001 |
+ const char *url = (const char *)hrefs->value[i]; |
|
| 4002 |
+ const char *ptr; |
|
| 4003 |
+ |
|
| 4004 |
+ if(strncasecmp("http://", url, 7) != 0)
|
|
| 4005 |
+ continue; |
|
| 4006 |
+ |
|
| 4007 |
+ ptr = strrchr(url, '.'); |
|
| 4008 |
+ if(ptr == NULL) |
|
| 4009 |
+ continue; |
|
| 4010 |
+ if(strcasecmp(ptr, ".exe") == 0) {
|
|
| 4011 |
+ /* FIXME: Could be swapping with another .exe */ |
|
| 4012 |
+ cli_dbgmsg("swap %s %s\n", hrefs->value[n], hrefs->value[i]);
|
|
| 4013 |
+ ptr = hrefs->value[n]; |
|
| 4014 |
+ hrefs->value[n++] = url; |
|
| 4015 |
+ hrefs->value[i] = ptr; |
|
| 4016 |
+ } |
|
| 4017 |
+ } |
|
| 4018 |
+ |
|
| 4019 |
+ n = 0; |
|
| 4020 |
+ |
|
| 3996 | 4021 |
for(i = 0; i < hrefs->count; i++) {
|
| 3997 | 4022 |
const char *url = (const char *)hrefs->value[i]; |
| 3998 | 4023 |
|