The POPROXY Antivirus Project
Note: This article was written in 2003.
If you run a mail server, you do want some kind of virus protection. You can create filtering rules as mass-mailing viruses appear, but that way you offer no protection against ordinary, old-fashioned viruses in PE files (.EXE, .COM), macro viruses or hostile scripts.
The typical case is somebody with an infected machine sending an infected Word .DOC document.
Another disadvantage of filtering rules is that there is a human limit to the number of rules you can add, and a human has to write them (no auto-update).
In short, you do need regular antivirus scanning too. (Filtering rules should be used to stop mass mailers from exhausting resources.)
One solution is to patch a regular antivirus, ideally one with email scanning and auto-update, to do the work on the fly on the server.
Norton Antivirus 2001 by Symantec
The one that I had handy, and that I had been using for the last 2 years, was Norton Antivirus from Symantec.
NAV 2001 ships a program called POPROXY.EXE. It has no GUI besides a small icon in the system tray, which can be disabled through a registry key. It acts as a proxy for POP connections: it saves email attachments on the fly to a temporary folder and scans everything. Depending on what you configure, infected files can be cleaned, deleted, quarantined, etc.
Problems of POPROXY
1. It binds to the IP address 127.0.0.1, the loopback address, which is reachable only from the local machine; as a result it can ONLY be used by a POP client running on that same machine.
2. It requires reconfiguring the POP client: the username becomes the real username, a slash, and the real destination IP address or host name, optionally followed by a colon and the port number, e.g. popuser/mail.domain.com:810
First Step – A Gateway
The first step is fairly easy: locate in the file the string "127.0.0.1" that is used to bind the listening socket. Once found, replace it with the IP address on which you want to accept incoming connections, or with "0.0.0.0" to listen on every IP address of the machine.
This caused a problem with IP addresses longer than the 9 characters of the original string, so the string was moved to an unused area of the file with room for a longer, NUL-terminated address.
Second Step – A server side Proxy
POPROXY now acts as a gateway: it can accept connections from anywhere and connect to any server on behalf of the POP client, so one installation can serve a whole company. (Note that this also means anyone who can reach the listening port can make POPROXY open a TCP connection to whatever host and port they name in USER, so keep it behind a firewall.) But what if we want to use it on the mail server itself? We would not want to make our customers change their POP client configuration; the proxy should receive the real POP username in a totally transparent manner.
The first step is to change the conditional jump that checks for the slash, so that a plain POP username (no slash) no longer makes the connection fail, as it does by default.
The second step is to decide where POPROXY should connect (IP and port). This is again done by checking for a slash: if one is found, it connects to the specified host, acting as a gateway as before; if not, it connects to a fixed IP and port (e.g. 127.0.0.1:109) where the real POP server is listening.
The third step is, when no slash is present, to send everything after the USER command to the server unchanged, without parsing it into username, hostname and port parts (with a slash, only the part before it is sent, as before).
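The three steps above, as an added example written for this page in Python (it is not POPROXY's code, and it leaves out the attachment scanning): route_user applies the patched rules for choosing the destination and the USER string to forward, and Pop3ProxyHandler is a small proxy built on it. The default IP and port 8110, the "/" and "\" separators and the fallback port 110 are taken from the patch listing further down; the fake POP server in demo_roundtrip and the user names are constructed for the demonstration.

```python
import contextlib
import socket
import socketserver
import threading

DEFAULT_HOST = "127.0.0.1"   # "Default Remote IP" from the patch table
DEFAULT_PORT = 8110          # "Default Server Port" from the patch table
GENERAL_POP_PORT = 110       # used when USER names a host but gives no :port
SEPARATORS = "/\\"           # "/" and the alternative "\" separator

def route_user(arg, default_host=DEFAULT_HOST, default_port=DEFAULT_PORT):
    """Return (host, port, user_to_forward) for the argument of a USER command."""
    # No separator  -> server-side mode: default server, USER string forwarded untouched.
    # user/host[:p] -> gateway mode: connect to host (port p, else 110), forward only user.
    sep = next((c for c in SEPARATORS if c in arg), None)
    if sep is None:
        return default_host, default_port, arg
    user, _, target = arg.partition(sep)
    host, _, port = target.partition(":")
    return host, (int(port) if port else GENERAL_POP_PORT), user

def read_line(sock):
    """Read one CRLF-terminated line byte by byte so nothing beyond it is consumed."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)

def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class DaemonServer(socketserver.ThreadingTCPServer):
    """Threaded TCP server; default_target is where a USER without separator is sent."""
    daemon_threads = True
    default_target = (DEFAULT_HOST, DEFAULT_PORT)

class Pop3ProxyHandler(socketserver.BaseRequestHandler):
    """One client connection: greet, read USER, pick the real server, relay the rest."""
    def handle(self):
        client = self.request
        client.sendall(b"+OK POP proxy ready\r\n")   # our own greeting, like POPROXY's "+OK"
        cmd, _, arg = read_line(client).decode("latin-1").rstrip("\r\n").partition(" ")
        if cmd.upper() != "USER":
            client.sendall(b"-ERR USER expected\r\n")
            return
        host, port, user = route_user(arg, *self.server.default_target)
        with socket.create_connection((host, port), timeout=10) as upstream:
            upstream.settimeout(None)
            read_line(upstream)                      # swallow the real server's greeting
            upstream.sendall(("USER %s\r\n" % user).encode("latin-1"))
            # A scanner would intercept RETR bodies here; this example only relays bytes.
            t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
            t.start()
            pump(upstream, client)
            t.join()

class FakePopHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the real POP server: records the USER line it receives."""
    def handle(self):
        self.request.sendall(b"+OK fake POP server\r\n")
        self.server.seen.append(read_line(self.request))
        self.request.sendall(b"+OK\r\n")
        while self.request.recv(1024):               # stay up until the proxy hangs up
            pass

def demo_roundtrip():
    """One USER exchange through the proxy on loopback: (USER line seen by server, reply)."""
    pop = DaemonServer(("127.0.0.1", 0), FakePopHandler)
    pop.seen = []
    proxy = DaemonServer(("127.0.0.1", 0), Pop3ProxyHandler)
    proxy.default_target = pop.server_address        # server-side mode target
    for srv in (pop, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(proxy.server_address, timeout=10) as c:
            read_line(c)                             # proxy greeting
            c.sendall(b"USER popuser@domain.com\r\n")  # no "/": forwarded untouched
            reply = read_line(c)
        return pop.seen[0], reply
    finally:
        for srv in (pop, proxy):
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo_roundtrip())
```

The port given after ":" overrides the fallback only in gateway mode; in server-side mode the whole string, "@" and all, reaches the real server, which is what makes the full-email-address trick for multi-IP servers work.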
Third and Last Step – A service in Windows 2000
If you have a Windows 9x machine, you will want to run it at boot by adding the proper registry key under RunServices, but on Windows 2000 you need a program to run POPROXY as a service; the best one on earth is FireDaemon http://www.firedaemon.com
Of course you should also configure, through the GUI or the registry, things like:
Do not show the icon in the system tray
Try to repair, and quarantine if repair is not possible (nobody will be there to click anything!)
Disadvantages
1. Server performance. It was not designed for server work; use it at your own risk, but please report any success or failure. You may want to schedule a batch script that restarts the service (NET STOP, NET START) every few hours or every day. Overall I had a good experience.
2. It protects only POP clients: IMAP or webmail users receive the emails unscanned, even when the mailbox is also checked with POP leaving copies on the server.
3. The virus enters the system through SMTP, so that is where it should be scanned: right before the mail is put into the mailbox, not after. That is the best solution, but... you have to buy the software.
4. The client IP address logged by the POP server will be useless, since every connection now comes from the proxy.
5. You can connect to only ONE default IP, so if your POP server listens on different IPs with different configurations, perhaps it is not for you. In IMail you can solve this by telling all your customers to use their FULL email address as their POP username instead of the bare username; this identifies them uniquely.
6. If you want to configure it, you need to know what you are doing.
Advantages
1. It is FREE; you only need the right NAV 2001 version.
2. It works for almost anybody.
That is it. Easy to say, not so easy to do: read and disassemble the code, write the machine code by hand, calculate all those jump displacements and hex-edit all those patches! Also, do you know the phrase "Where the hell is the address for that chunk of data?!"?
The hard work is already done for this particular version.
You can change the values with a hex editor like Hex Workshop or UltraEdit, or just replace the EXE with the already modified one.
Just in case... you are responsible for what you do; don't blame anything on me! This was an excellent project for learning how to disassemble and modify machine code. Besides, it might be quite obsolete these days.
MS Debugger (7.2 MB RAR)
These are the few bytes that need to be modified, with an explanation of each. Addresses of the form 0040xxxx are virtual addresses; the file offset is the virtual address minus 00400000, as the push of 00410400 at 00409C2A, which refers to the string at file offset 00010400, shows.
POPROXY_O.EXE   Original file bundled with NAV 2001
POPROXY_B.EXE   Patched version for gateway and server side, built with these settings:
Bind to 0.0.0.0
Default server IP 127.0.0.1
Default server port 8110
Address (file offset)   Hex          ASCII           Description
0000BCD0-0000BCD1       AE1F         8110            Remote port when USER has no "/" (little-endian, bytes reversed)
0000BCDC-0000BCDD       6E00         110             Default remote port when USER has a "/" (little-endian, bytes reversed)
00004BB0                2B           +               Character of the +OK response
00004F68                2F           /               Mail separator character
00004F7B                5C           \               Alternative mail separator character
00004FD2                3A           :               Port separator character
00010400-0001040F       -            0.0.0.0         Local bind IP (ends with 0x00)
00010410-0001041F       -            127.0.0.1       Default remote IP (ends with 0x00)
00409C2A (VA)           6800044100   push 00410400   Push of the bind IP string address
No "/" requirement for USER:
00404820   83BDECFDFFFF00   cmp dword[ebp+FFFFFDEC], 00000000
00404827   E982000000       jmp 004048AE                    jump always (was the conditional jump on the slash check)
Remote IP management:
00404A30   51               push ecx
00404A31=  E94A720000       jmp 0040BC80
00404A36=  EB00             jmp 00404A38
00404A38   8B85FCFDFFFF     mov eax, dword[ebp+FFFFFDFC]
0040BC80   83BDECFDFFFF00   cmp dword[ebp+FFFFFDEC], 00000000
0040BC87   0F8513000000     jne 0040BCA0
0040BC8D   6810044100       push 00410410                   (StringData) "127.0.0.1", default IP
0040BC92   E9A18DFFFF       jmp 00404A38
0040BCA0   8B95B8FDFFFF     mov edx, dword[ebp+FFFFFDB8]    hostname after /
0040BCA6   52               push edx
0040BCA7   E98C8DFFFF       jmp 00404A38
Remote port management:
004049DA=  E9E1720000       jmp 0040BCC0
0040BCC0   83BDECFDFFFF00   cmp dword[ebp+FFFFFDEC], 00000000
0040BCC7   0F850C000000     jne 0040BCD9
0040BCCD   C745E4AE1F0000   mov dword[ebp-1C], 00001FAE     (8110) port of the default IP
0040BCD4   E9088DFFFF       jmp 004049E1
0040BCD9   C745E46E000000   mov dword[ebp-1C], 0000006E     (110) default general port
0040BCE0   E9FC8CFFFF       jmp 004049E1
USER command management:
00404C07   C645FC0D         mov byte[ebp-04], 0D
00404C0B=  E920710000       jmp 0040BD30
00404C11=  EB00             jmp 00404C13
00404C13=  EB00             jmp 00404C15
00404C15   68ACF54000       push 0040F5AC                   (StringData) "USER %s <cr><lf>"
0040BD30   83BDECFDFFFF00   cmp dword[ebp+FFFFFDEC], 00000000
0040BD37   0F8513000000     jne 0040BD50
0040BD3D   8B8DF0FDFFFF     mov ecx, dword[ebp+FFFFFDF0]    ebp-210, print the FULL string
0040BD43   51               push ecx
0040BD44   E9CC8EFFFF       jmp 00404C15
0040BD50   8B8DFCFDFFFF     mov ecx, dword[ebp+FFFFFDFC]    print the user before /
0040BD56   8B5148           mov edx, dword[ecx+48]
0040BD59   52               push edx
0040BD5A   E9B68EFFFF       jmp 00404C15
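The jump calculation and the string-length problem described above, as an added example written for this page (it is not the author's tooling): it re-encodes the listing's rel32 branches, the push of the relocated strings and the little-endian port constants from the page's own addresses, refuses a bind IP that does not fit its slot, and applies the result to a constructed blank stand-in for POPROXY_O.EXE (the real file is not included). The image base 00400000 and the 16-byte string slots are assumptions read off the listing's numbers; the detour bodies (the mov, push and cmp instructions in the unused area) are not generated here, they are copied as listed.

```python
import struct

IMAGE_BASE = 0x00400000
# Assumption taken from the listing: "push 00410400" refers to the string at file
# offset 00010400, so file offset = virtual address - IMAGE_BASE in this binary.

def va_to_offset(va):
    return va - IMAGE_BASE

def rel32(src_va, insn_len, dst_va):
    """Signed displacement from the end of the branch at src_va to dst_va (x86 rel32)."""
    return struct.pack("<i", dst_va - (src_va + insn_len))

def jmp(src_va, dst_va):
    """E9 rel32 (5 bytes)."""
    return b"\xE9" + rel32(src_va, 5, dst_va)

def jne(src_va, dst_va):
    """0F 85 rel32 (6 bytes)."""
    return b"\x0F\x85" + rel32(src_va, 6, dst_va)

def push_imm32(value):
    """68 imm32 (5 bytes), e.g. the push of a relocated string address."""
    return b"\x68" + struct.pack("<I", value)

def le16(value):
    """Port constants are stored little-endian (the table's reversed hex bytes)."""
    return struct.pack("<H", value)

def cstring(text, slot):
    """ASCII string plus NUL, padded to the slot it must fit in; refuse if it does not fit."""
    data = text.encode("ascii") + b"\x00"
    if len(data) > slot:
        raise ValueError("%r needs %d bytes but the slot holds %d" % (text, len(data), slot))
    return data.ljust(slot, b"\x00")

# Branches from the listing: address of the instruction -> target.  They are re-encoded
# rather than copied, which is the step that is error-prone when done by hand.
LONG_JUMPS = {
    0x00404827: 0x004048AE, 0x00404A31: 0x0040BC80, 0x0040BC92: 0x00404A38,
    0x0040BCA7: 0x00404A38, 0x004049DA: 0x0040BCC0, 0x0040BCD4: 0x004049E1,
    0x0040BCE0: 0x004049E1, 0x00404C0B: 0x0040BD30, 0x0040BD44: 0x00404C15,
    0x0040BD5A: 0x00404C15,
}
COND_JUMPS = {0x0040BC87: 0x0040BCA0, 0x0040BCC7: 0x0040BCD9, 0x0040BD37: 0x0040BD50}
BIND_IP_VA, DEFAULT_IP_VA, SLOT = 0x00410400, 0x00410410, 16   # 16-byte slots in the unused area

def build_patches(bind_ip="0.0.0.0", default_ip="127.0.0.1", default_port=8110, general_port=110):
    """Return {file offset: bytes} for the branches and configurable constants of the patch."""
    p = {va_to_offset(va): jmp(va, dst) for va, dst in LONG_JUMPS.items()}
    p.update({va_to_offset(va): jne(va, dst) for va, dst in COND_JUMPS.items()})
    p[va_to_offset(0x00409C2A)] = push_imm32(BIND_IP_VA)       # push of the relocated bind string
    p[va_to_offset(0x0040BC8D)] = push_imm32(DEFAULT_IP_VA)    # push of the default-IP string
    p[0x0000BCD0] = le16(default_port)                          # port of the default server
    p[0x0000BCDC] = le16(general_port)                          # port when USER gave a host but no :port
    p[va_to_offset(BIND_IP_VA)] = cstring(bind_ip, SLOT)
    p[va_to_offset(DEFAULT_IP_VA)] = cstring(default_ip, SLOT)
    return p

def apply_patches(image, patches):
    """Write each patch into a copy of image; refuse to write past the end of the file."""
    out = bytearray(image)
    for offset, data in sorted(patches.items()):
        if offset + len(data) > len(out):
            raise ValueError("patch at %08X runs past end of file" % offset)
        out[offset:offset + len(data)] = data
    return bytes(out)

def patched_demo_image():
    """Apply the patches to a constructed blank stand-in for POPROXY_O.EXE (not the real file)."""
    return apply_patches(bytes(0x11000), build_patches())

if __name__ == "__main__":
    for offset, data in sorted(build_patches(bind_ip="192.168.100.200").items()):
        print("%08X  %s" % (offset, data.hex().upper()))
```

Running it with a real copy of the file would be a matter of passing its bytes to apply_patches instead of the blank image; cstring is what turns the "more than 9 characters" problem into an error instead of a silent overwrite of whatever follows the string.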