POPROXY Antivirus Project

Friday, 25 July 2008 07:59 Javier Albinarrate

The POPROXY Antivirus Project

Introduction

Note: This article was written in 2003. 

If you run a mail server, you DO want some kind of virus protection. You can create filtering rules as mass-mailing viruses arise, but that way you offer no protection against standard old-fashioned viruses in PE files (.EXE, .COM), macro viruses or hostile scripts.

A typical situation is somebody with an infected machine sending an infected .DOC Word document.

Another disadvantage of filtering rules is that there is a human limit to the number of rules you can add, and that a human must create them (no auto-update feature).

In short, you DO need regular antivirus scanning TOO. (Filtering rules should be used to stop viruses from drowning resources.)

One solution would be to patch a regular antivirus to do the work on the fly, especially an antivirus with email scanning and auto-update.

Norton Antivirus 2001 by Symantec

The one I had handy, and that I had been using for the last 2 years, was Norton Antivirus from Symantec.

NAV 2001 ships something called POPROXY.EXE. This executable has no GUI besides a little icon in the system tray, which can be disabled by a registry key. It acts as a proxy for POP connections: it saves email attachments on the fly to a temporary folder and scans everything. Depending on what you configure, it can Clean, Delete, Quarantine etc. the infected files.

Problems of POPROXY

1. It is configured to bind the process to the IP address 127.0.0.1, which is only routed by the local machine; as a result it can ONLY be used by a POP client originating connections from the local machine.

2. It requires configuring the POP client by changing the username: a slash and the real destination IP address or host name are appended, optionally with a port number too, e.g. popuser/mail.domain.com:810

First Step – A Gateway

The first step is fairly easy: identify in the file the place of the string “127.0.0.1” that is used to bind the process. Once found, it is replaced by the IP where you want to listen for incoming connections, or by “0.0.0.0” to listen on any IP.

This led to a problem when IPs with more than 9 characters were used, so the string was moved to an unused area of the file.

Second Step – A server side Proxy

POPROXY now acts as a gateway: it can receive connections from anywhere and connect anywhere on behalf of the initial POP client. It can be installed on one server to be used by a whole company. But what if we want to use it right on the mail server too? Of course we would not want to make our customers change their POP client configuration; we should be able to receive the real POP username in a totally transparent manner.

The first step to accomplish this is to change the conditional jump that checks for slashes, so that if a regular POP username (with no slash) is entered, the connection does not fail as it would by default.

The second step is to decide where POPROXY should connect (IP and PORT). This is done by checking for a slash: if one is found, it connects to the specified host, acting as a gateway as it normally would; if none is found, it connects to a fixed IP and PORT (e.g. 127.0.0.1:109) where the default POP server is listening.

The third step is to send EVERYTHING after the USER command without parsing it into username, hostname and port portions.
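As an added example (not code from this page or from POPROXY itself), the routing decision described in the three steps above, modelled in Python. The defaults 127.0.0.1:8110 and 110 and the /, \ and : separators are taken from the constants table further down; the function and class names are mine.

```python
from dataclasses import dataclass

# Constants taken from the patch listing on this page
DEFAULT_SERVER = ("127.0.0.1", 8110)  # used when USER carries no separator
DEFAULT_PORT = 110                    # used when "user/host" carries no port
SEPARATORS = "/\\"                    # the patch accepts both / and \
PORT_SEPARATOR = ":"


@dataclass(frozen=True)
class Route:
    host: str
    port: int
    forwarded_user: str  # exact text the proxy sends in its own USER command


def route_user(user_arg: str) -> Route:
    """Decide where to connect and which USER argument to send upstream.

    Gateway mode:     'popuser/mail.domain.com:8110' -> connect to that host,
                      forward only 'popuser' (port defaults to 110).
    Transparent mode: 'john@example.com' (no separator) -> connect to
                      DEFAULT_SERVER and forward the whole string untouched.
    """
    idx = next((i for i, ch in enumerate(user_arg) if ch in SEPARATORS), -1)
    if idx < 0:
        return Route(DEFAULT_SERVER[0], DEFAULT_SERVER[1], user_arg)
    username, target = user_arg[:idx], user_arg[idx + 1:]
    host, _, port_text = target.partition(PORT_SEPARATOR)
    if not username or not host:
        raise ValueError("gateway syntax needs both a user and a host")
    port = int(port_text) if port_text else DEFAULT_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return Route(host, port, username)


def upstream_user_line(user_arg: str) -> bytes:
    """The line the proxy writes to the real server ("USER %s<cr><lf>")."""
    user = route_user(user_arg).forwarded_user.encode("ascii")
    return b"USER " + user + b"\r\n"
```

Note that the gateway syntax lets any client that reaches the listener choose the host and port the proxy connects to, so in server-side use the listening port should be reachable only from your own POP clients.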

Third and Last Step – A service in Windows 2000

If you have a Windows 9x machine you will want to install it as a service by inserting the proper registry key in RunServices, but if you have Windows 2000 you will need a program to run POPROXY as a service; the best one on earth is FireDaemon http://www.firedaemon.com

Of course you should configure, using the GUI or the registry, things like:

Don’t show icon in taskbar

Listening PORT

Try to repair and quarantine if not possible (Nobody will be there to click anything!)

Disadvantages

1. Server performance. It was not designed to do server work, so use it at your own responsibility, but please report any success or failure. Perhaps you should schedule a BAT script restart (NET STOP, NET START) of the service every few hours or every day. Overall I had a good experience.

2. It protects only POP clients; IMAP or webmail users will still receive the emails, even if they also check with POP leaving copies on the server.

3. The virus enters the system via SMTP, so that is where scanning should happen: right before the email is put into the mailbox, not after. That is the best solution, but… you would have to buy the software.

4. The IP information logged by the POP server will be useless, since every connection now comes from the proxy.

5. You can connect only to ONE default IP, so if your POP server listens on different IPs with different configurations, perhaps it is not for you. In IMail you can solve this by telling all your customers to use their FULL email address as their POP user instead of the username; this identifies them uniquely.

6. If you want to configure it, you need to know what you are doing.

Advantages

1. It is FREE; you only need the right NAV 2001 version.

2. It works for almost anybody.

Last Words

That is it; easy to say, not so easy to read, decompile, write the machine code by hand, calculate all those jumps, and hex edit all those patches! Also, do you know the phrase “Where the hell is the address for that chunk of data?!”?

The hard work is already done for this particular version.

You can change the values with a hex editor like HexWorkshop or UltraEdit, or just replace the already modified EXE.

Disclaimer

Just in case... You are responsible for what you do, don't blame anything on me! This was an excellent project to learn how to decompile and modify bytecode. Besides, it might be quite obsolete these days.

Files

ASM, EXE, TXT and disassembler files for this project (185KB RAR)

MS Debugger (7.2 MB RAR)


Code Modifications

These are the few bytes that need to be modified, with their explanation.

POPROXY_O.EXE Original File bundled with NAV 2001
POPROXY_B.EXE Patched version for Gateway and Server Side.

Values:
      Bind to               0.0.0.0
      Default Server IP     127.0.0.1
      Default Server Port   8110


17/05/2002 03:00
===================================================================================
Constants:
-----------
Address           Hex             ASCII       Description
0000BCD0-0000BCD1 AE1F            8110        Remote port when no / is given (little-endian hex)
0000BCDC-0000BCDD 6E00            110         Default remote port when / is given (little-endian hex)
00004BB0          2B              +           OK Return Character
00004F68          2F              /           Mail Separator Character
00004F7B          5C              \           Mail Alternative Separator Character
00004FD2          3A              :           Port Separator Character
00010400-0001040F                 0.0.0.0     IP Local Bind (End with 0x00)
00010410-0001041F                 127.0.0.1   Default Remote IP (End with 0x00)
===================================================================================
Patches:
--------
===================================================================================
Bind IP:
00409C2A 6800044100             push 00410400     
===================================================================================
No char "/" requirement for USER:
00404820 83BDECFDFFFF00          cmp dword[ebp+FFFFFDEC], 00000000
00404827 E982000000              jmp 004048AE                          JUMP Always
===================================================================================
Host Management:

00404A30 51                      push ecx
00404A31=E94A720000              jmp 0040BC80
00404A36=EB00                    jmp 00404A38
00404A38 8B85FCFDFFFF            mov eax, dword[ebp+FFFFFDFC]
-----------------------------------------------------------------------------------
0040BC80 83BDECFDFFFF00          cmp dword[ebp+FFFFFDEC], 00000000
0040BC87 0F8513000000            jne 0040BCA0
0040BC8D 6810044100              push 00410410 (StringData)"127.0.0.1" Default IP
0040BC92 E9A18DFFFF              jmp 00404A38
0040BC97
--------
0040BCA0 8B95B8FDFFFF            mov edx, dword[ebp+FFFFFDB8]     Hostname after /
0040BCA6 52                      push edx
0040BCA7 E98C8DFFFF              jmp 00404A38
0040BCAC
===================================================================================
Remote Port Management:

004049DA=E9E1720000              jmp 0040BCC0
004049DF=EB00                    jmp 004049E1
004049E1
-----------------------------------------------------------------------------------
0040BCC0 83BDECFDFFFF00          cmp dword[ebp+FFFFFDEC], 00000000
0040BCC7 0F850C000000            jne 0040BCD9
0040BCCD C745E4AE1F0000          mov dword[ebp-1C], 00001FAE (8110) Port of Def IP
0040BCD4 E9088DFFFF              jmp 004049E1
0040BCD9 C745E46E000000          mov dword[ebp-1C], 0000006E  (110) Def General Port
0040BCE0 E9FC8CFFFF              jmp 004049E1
0040BCE5
===================================================================================
USER command Management:

00404C07 C645FC0D                mov byte[ebp-04], 0D
00404C0B=E920710000              jmp 0040BD30
00404C10=..                      Padding
00404C11=EB00                    jmp 00404C13
00404C13=EB00                    jmp 00404C15
00404C15 68ACF54000              push 0040F5AC (StringData)"USER %s <cr><lf>"
-----------------------------------------------------------------------------------
0040BD30  83BDECFDFFFF00         cmp dword[ebp+FFFFFDEC], 00000000
0040BD37  0F8513000000           jne 0040BD50
0040BD3D  8B8DF0FDFFFF           mov ecx, dword[ebp+FFFFFDF0] ebp-210 Print FULL str
0040BD43  51                     push ecx
0040BD44  E9CC8EFFFF             jmp 00404C15
0040BD49
--------
0040BD50  8B8DFCFDFFFF           mov ecx, dword[ebp+FFFFFDFC]   Print User before /
0040BD56  8B5148                 mov edx, dword[ecx+48]
0040BD59  52                     push edx
0040BD5A  E9B68EFFFF             jmp 00404C15
0040BD5F
===================================================================================
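Added example, not part of the original listing: the two encoding rules the patch relies on, written as Python so the table above can be cross-checked byte for byte. Port constants are stored little-endian (the "Hex Inv" of the constants table), and every E9 / 0F 85 jump stores a 32-bit displacement relative to the end of the instruction; the sample rows are copied from the listing, and decoding the jne at 0040BCC7 shows it lands on 0040BCD9, the port-110 branch. Function names are mine.

```python
import struct


def encode_le_word(value: int) -> str:
    """16-bit constant as it appears in the file: little-endian ("Hex Inv")."""
    return struct.pack("<H", value).hex().upper()


def rel32_jump(addr: int, target: int, conditional: bool = False) -> str:
    """Bytes for 'jmp target' (E9 rel32) or 'jne target' (0F 85 rel32) at addr.

    The displacement is relative to the address of the *next* instruction,
    i.e. addr plus the length of the jump itself (5 or 6 bytes).
    """
    opcode = b"\x0f\x85" if conditional else b"\xe9"
    disp = target - (addr + len(opcode) + 4)
    return (opcode + struct.pack("<i", disp)).hex().upper()


def jump_target(addr: int, hex_bytes: str) -> int:
    """Decode where an E9 / 0F 85 rel32 instruction at addr really goes."""
    raw = bytes.fromhex(hex_bytes)
    if raw[:1] == b"\xe9":
        size = 5
    elif raw[:2] == b"\x0f\x85":
        size = 6
    else:
        raise ValueError("not an E9 or 0F 85 rel32 jump")
    (disp,) = struct.unpack("<i", raw[size - 4:size])
    return addr + size + disp


# Rows copied from the listing above, as (address, bytes, claimed target)
LISTING_ROWS = [
    (0x00404A31, "E94A720000", 0x0040BC80),
    (0x0040BC92, "E9A18DFFFF", 0x00404A38),
    (0x0040BCC7, "0F850C000000", 0x0040BCD9),  # the port-110 branch
    (0x00404C0B, "E920710000", 0x0040BD30),
]


def check_listing(rows=LISTING_ROWS) -> list:
    """Return the rows whose bytes do NOT reach the target they claim."""
    return [row for row in rows if jump_target(row[0], row[1]) != row[2]]
```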


Last Updated on Friday, 26 June 2009 20:20