Javier Albinarrate - LU8AJA

  • Increase font size
  • Default font size
  • Decrease font size

POPROXY Antivirus Project

Print
Article Index
POPROXY Antivirus Project
Code Modifications
All Pages

The POPROXY Antivirus Project

Introduction

Note: This article was written in 2003. 

If you have a mail server, you DO want some kind of virus protection, you can create filtering rules as mass mailing viruses arise, but in that way you will not offer virus protection against standard old fashioned viruses in PE (.EXE .COM) or Macro viruses or hostile scripts.

Typical situation is when somebody with an infected machine sends an infected .DOC Word document.

Another disadvantage of filtering rules is that, you have human limits in the number of rules you can add, and that there must be a human creating them (no Auto Update features)

In short, you DO need regular antivirus scanning TOO. (Filtering rules should be used to stop viruses from drowning resources)

A solution, would be to patch a regular antivirus to do the work on the fly, specially an antivirus with email scanning and autoupdate.

 

Norton Antivirus 2001 by Symantec

The one that I had handy, and that I have been using for the last 2 years was Norton Antivirus from Symantec.

NAV 2001 has something called POPROXY.EXE , this executable has no GUI besides a little icon in the system tray that can be disabled by a registry key. What it does is to act as a proxy in the POP connections, it saves email attachments on the fly to a temporary folder, and scans everything. According to what you configure you can Clean, Delete, Quarantine etc the infected files.

Problems of POPROXY

1. It is configured to bind the process to the IP address 127.0.0.1, which is only routed by the local machine, as a result it can ONLY be used by a POP client originating calls in the local machine.

2. It requires configuration of the POP client by changing the username adding a slash and the real destination IP address or host name, optionally port number too. popuser/mail.domain.com:810

First Step – A Gateway

The first step is fairly easy, to identify in the file the place of the string “127.0.0.1” that is used to bind the process. Once found it is replaced by the IP where you want to listen for incoming connections, or to listen in any IP by replacing with “0.0.0.0”

This leaded to a problem when IPs with more than 9 characters were used, so the place of the string was changed to an unused area of the file.

Second Step – A server side Proxy

POPROXY now acts as a gateway, it can receive connections from anywhere and connect to everywhere on behalf of the initial POP client. It can be installed in one server to be used by a whole company. But what if we want to use it right on the server too? Of course we would not want to make our customers change their POP client configuration, we should be able to receive in a totally transparent manner the real POP username.

The first step to accomplish this is to change the checking jump for slashes, so if a regular POP username (with no slash) is entered, the connection will not fail as it would do by default.

The second step is to decide where the POPROXY should connect, IP and PORT, this is done by checking for slashes, if it is found one, it connects acting as a gateway to the specified host as it would normally do, if it doesn’t find one, it connects to a specified IP and PORT, (ex. 127.0.0.1:109) were the default POP server is listening.

The third step is to send EVERYTHING after the USER command without parsing it for username, hostname and port portions.

Third and Last Step – A service in Windows 2000

If you have a Windows 9x Machine you will want to install it as a service, by inserting the proper registry key in RunServices, but if you have Windows 2000 you will need to use a program to run POPROXY as a service, the best one on earth is FireDaemon http://www.firedaemon.com

Of course you should configure by using the GUI or the registry, things like:

Don’t show icon in taskbar

Listening PORT

Try to repair and quarantine if not possible (Nobody will be there to click anything!)

Disadvantages

1. Server Performance. It was not designed to do server work, use it under you responsibility, but please feedback any success or failure. Perhaps you should schedule a BAT script restart (NET STOP, NET START) of the service every few hours or every day. Overall I had a good experience.

2. It protects only POP clients, IMAP or Webmail users will receive the emails even if they check with POP leaving copies.

3. The virus gets into the system by SMTP, so that should be the point were to scan, right before putting the imail into the mailbox, not after. The best solution, but… you should buy the software.

4. The IP information logged by the POP server will be useless.

5. You can connect only to ONE default IP, so if your POP server is listening into different Ips with different configurations, perhaps it is not for you. In IMAIL you can solve this by telling all your customers to use their FULL email as their POP user instead of the username, this will identify them uniquely.

6. If you want to configure it, you need to know what you are doing.

Advantages:

1. It is FREE, you only need the right NAV 2001 version

2. It works for almost anybody.

Last Words

That is it, easy to say, not so easy to read, decompile, write the machine code by hand, calculate all those jumps, and hex edit all those patches! Also, do you know the phrase “Where the hell is the address for that chunk of data?!” ?

The hard work is already done for this particular version.

You can change the values by using an Hex editor like HexWorkshop or UltraEdit, or just replace the already modified EXE.

Disclaimer

Just in case... You are responsible for what you do, don't blame anything on me! This was an excellent project to learn how to decompile and modify bytecode. Besides, it might be quite obsolete these days.

Files

ASM, EXE, TXT and disassembler files for this project (185KB RAR)

MS Debugger (7.2 MB RAR)



Last Updated on Friday, 26 June 2009 20:20  

Google Translate

English French German Italian Portuguese Spanish