Automatic MIME Parts Scanning with VirusTotal

MIME-TypesHere is a Python script that I developed for my personal use: I decided to release it because I think it could be helpful for many of you. In 2012, I started a project called CuckooMX. The goal was to automatically scan attachments in emails with Cuckoo to find for potential malicious files. Unfortunately, the project never reached a milestone to use it smoothly. Maintaining a set of Cuckoo sandboxes is really a pain and consume precious computing resources, so why not use the cloud? Yeah, the evil cloud can also be useful!

I wrote a new Python script which extracts MIME types from emails and checks them against I’m using it to scan my spam folder. But the domain has been registered in January 2001, this means that I’ve email addresses in almost all spam lists over the world! Besides scanning some private addresses, I’ve a catch-all address which sometimes receives  very interesting emails! The last update was to integrate the script with Elasticsearch to have a better reporting.

The implemented features are:

  • Use your own virustotal API.
  • MIME attachments can be dumped in a directory (for later investigations)
  • Unuseful MIME types can be excluded (ex: image/png,image/gif,image/jpeg,text/plain,text/html)
  • Results are logged via Syslog
  • Zip archives are inspected/processed
  • Virustotal results are send to an Elasticsearch instance

The primary purpose of this tool is to automate the scan of attachments for juicy files. It does NOT protect (no files are blocked). Here is an example of logged result:

Nov 18 13:48:25 marge[5225]: File: 7ce782ba4e23d6cf7b4896f9cd7481cc.obj \
     (7ce782ba4e23d6cf7b4896f9cd7481cc) Score: 0/55 Scanned: 2014-11-17 08:29:14 (1 day, 5:19:11)
Dec 12 18:41:20 marge[1104]: Processing zip archive:
Dec 12 18:41:21 marge[1104]: File: VOICE748-348736.scr \
     (acb05e95d713b1772fb96a5e607d539f) Score: 38/53 Scanned: 2014-11-13 15:45:04 (29 days, 2:56:17)

If the file has already been scanned by Virustotal, its score is returned as well as the scan time (+ time difference). If the file is unknown, it is uploaded for analyzis. Optionally, the Virustotal JSON reply can be indexed by Elasticsearch to generate live dashboards:

ELK VirusTotal Dashboard

(Click to enlarge)

The script can be used from the command line to parse data from STDIN or (as I do) it can be used from a Procmail config file (or any other mail handling tool):

* ^X-Spam-Flag: YES
    | /usr/local/bin/ -d /tmp/mime -c /etc/mime2vt.conf

The script is available here. If you’ve ideas to improve it, please share!

Botconf 2014 Wrap-Up Day #3

The Botconf venueI’m just back from Nancy and it’s time to publish the wrap-up for the last day! The last night was very short for most of the attendees: 30 minutes before the first talk, the coffee room was almost empty! This third started with “A new look at Fast Flux proxy networks” by Dhia Mahjoub from OpenDNS. Hendrik Adrian was also involved in this research but he can’t be present for personal reasons. OpenDNS provides DNS services and, as we all know, DNS is critical in botnets infrastructure. They have access to a very big source of information! It was already said multiple times, the crimeware scene is an eco-system. Modern malware communicate with their C&C through proxies. That was the topic of Dhia’s presentation: Fast-Flux proxy networks.

Read More →

Botconf 2014 Wrap-Up Day #2

Botconf AttendeesHere is my wrap-up for the second day. Yesterday, we had a nice evening with some typical local food and wine then we went outside for a walk across the city of Nancy. Let’s go!

Read More →

Botconf 2014 Wrap-Up Day #1

Botconf 2014Botconf is back for a second edition! If the first one was held last year in Nantes, botnet fighters from many countries are back in Nancy to discuss again about… botnets! As the name says, Botconf is a security conference which focus only on botnets. This is a very interesting topic because everybody was/is/will be infected and take part of a botnets. The one who never found an infected device on his network, throw the first hard drive! About the attendees, 200 people joined Nancy from many countries (South-Africa, Israel, South-America, Korean, Japan, and most European countries). There is  25 talks on the schedule prepared by more than 30 top speakers.

Read More →

Detecting Suspicious Devices On-The-Fly

RadarJust a link to my guest diary posted today on I briefly introduced a method to perform permanent vulnerability scanning of newly detected hosts. The solution is based on OSSEC, ArpWatch and Nmap.

The article is here.

NoSuchCon Wrap-Up Day #3

NoSuchCon VenueHere we go with a review of the last day. As usual, the social event had huge impacts on some attendees but after coffee everything was almost back to normal. The day started with Braden Thomas who presented “Reverse engineering MSP 430 device” or reverse engineering a real-estate lock box.

Read More →

NoSuchCon Wrap-Up Day #2

NoSuchCon2014Here is my wrap-up for the second day of the conference NoSuchCon organised in Paris. Where is the first wrap-up will you maybe ask? Due to an important last minute change in my planning, I just drove to Paris yesterday evening and missed the first day! This is the second edition of this French conference organised in Paris at the same place. A very nice location even if the audio/video devices are not of a top-quality. The event remains also the same: one single track with international speakers and talks oriented to “offensive” security. This year, I was invited to take part of the selection commitee.

Read More →

Repression VS. Prevention

Speed TicketThis morning, I retweeted a link to an article (in Dutch) published by a Belgian newspaper. It looks that Belgian municipalities (small as well as largest) which do not properly secure their data could be fined in a near future! Public services  manage a huge amount of private data about us. They know almost everything about our lifes! Increasing the security around these data looks a very good idea but… are fines a good idea? Fines are very repressive.

I’ll make a rough comparison with speeds tickets. I’m driving a lot, always on the road between two customers. More kilometers you spend on roads, more chances you have to be controlled by speed cameras. Sometimes, I receive a nice gift… a speed ticket! Ok, I admit: it’s frustrating. I’ve always the feeling to be 0wn3d but guess what? I just pay the bill and continue to use roads as before. This does not affect my way of driving, it is “part of the game”. I even know people who reserve a budget to pay their speed tickets! Just like any other risk, it can be quantified and we are free to take it into account … or not! Where is the breaking point between paying fines and driving slowly?

Read More →

Ninja’s OpenVAS Reporting

OpenVAS LogoHere is a quick blogpost which might be helpful to the OpenVAS users. OpenVAS is a free vulnerability scanner maintained by a German company. Initiality, it was a fork of Nessus but today it has nothing in common with the commercial vulnerability scanners. OpenVAS is a good alternative to commercial solutions when you need to deploy a vulnerability management process and you lack of a decent budget. But, like many “free” solutions, it does not mean that they don’t have a cost associated to it. Particularly, OpenVAS is lacking of a good documentation, even if the users mailing list is quite active.

Read More → 2014 Wrap-Up Day #3

The Internet is broken

The third day is over! After the speaker dinner in a cool place and a very short night, I attended more talks today (no workshops). Let’s go for the daily quick wrap-up…

Read More →