mime2vt.py

Unpack MIME attachments from STDIN and check them against virustotal.com Use it indepently:

cat /tmp/mail.dump | mime2vt -c /etc/mime2vt.conf

Or via tools like Procmail:

:0
* ^X-Spam-Flag: YES
{
        :0c
        | /usr/local/bin/mime2vt.py -d /tmp/mime -c /home/xavier/.mime2vt.conf
	:0
	spam
}

Usage

mime2vt.py [-h] [-d DIRECTORY] [-v] [-c CONFIG]

Unpack MIME attachments from a file and check them against virustotal.com

optional arguments:
-h, --help            show this help message and exit
-d DIRECTORY, --directory DIRECTORY
                      directory where files will be extracted (default: /tmp)
-v, --verbose         verbose output
-c CONFIG, --config CONFIG
                      configuration file (default: /etc/mime2vt.conf)

Results

Information is sent via Syslog:

Dec 12 18:41:20 marge mime2vt.py[1104]: Processing zip archive: 4359ae6078390f417ab0d4411527a5c2.zip Dec 12 18:41:21 marge mime2vt.py[1104]: File: VOICE748-348736.scr (acb05e95d713b1772fb96a5e607d539f) Score: 38/53 Scanned: 2014-11-13 15:45:04 (29 days, 2:56:17)

A SQLite database is created to store useful information about the malicious files:

CREATE TABLE files(md5 TEXT PRIMARY KEY,
                   filename TEXT,
                   first_vt_score TEXT,
                   last_vt_score TEXT,
                   first_seen DATETIME DEFAULT CURRENT_TIMESTAMP,
                   last_seen DATETIME DEFAULT CURRENT_TIMESTAMP,
                   occurrences INTEGER
)

The database is created automatically if not present.

Requirements

sudo pip install python-dateutil
sudo pip install elasticsearch
sudo pip install virustotal-api    

Todo