The Un-Official Proxomitron Forum

Full Version: Catch Suspicious Extensions [January 11, 2009]
[HTTP headers]
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] 20090111 (In)"
URL = "(^$LST(KBSP))(^$IHDR(Content-Type:*text/(html|javascript)*))"
Match = "$URL(http://*.(^([a-z]+{2,4})(^/))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

This will catch any attempt to download files with the following extensions:

hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc

I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters! Smile!


Prompt for standard, direct-link downloads

Prompt for "content-disposition"-redirected downloads
Hi Kye-U,

Does this mean we will have to bypass Proxo if we want to download some frequently served installation files ending in .EXE ?
Nope, this filter will allow you to select whether or not you want to allow a download. I'll take a screenshot of the window and add it to the first post Smile!
Thanks a lot !! Smile!


Hello Kye-U,
I want to thank you very much for the second filter (content-disposition) that I just discovered today. In fact you're right, some downloads DO NOT trigger your good old Url-killer (suspicious ext.) that I've been using for years and I can say it has saved me a lot of times, many crap sites trying to fool people with hidden .exe!

But your example (webroot) showed me that crapfiles could come in without triggering the UrlKiller, and be downloaded by mistake or lack of attention!

So thanks again for that filter and for all the good job you're doing.
I'm glad you're finding it helpful! I can see how it would prove useful against the new "XP antivirus 2008/9" malware that's floating around Smile! Thank you for your comment!
Very good filters Kye-U! But sometimes they have false positives, here is an example:

I don't know about header filters, could we improve these filters to not match html files?

Thanks in advance!
Thanks Inminente, I've updated the first filter to match all content types other than HTML Wink
Updated again to not match text/javascript, as I was getting a false positive on WildersSecurity (with Google API).
Is your following filter still needed ?
[HTTP headers]
Out = TRUE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] (Out)"
URL = "(^$LST(KBSP))(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"
are these "drive-by downloads" merely theoretical, or has anyone seen one of these mythical beasts in the wild?

just curious - with .js dis'd by default (by Proxo, not at the browser-level), i've not seen any...
I like these filters Kye-U, many thanks for them Wink And now lets try to improve them Big Teeth

Analyzing the code of the first filter:
- "$URL(http://" is ftp covered by the other filter?
- *.(^([a-z]+{2,4})(^/))*. looking for an extension of only letters (no numbers) between 2 and 4 chars.

The detection of the extension gives false positives in links like http://host1/clear.gif?url=host2/
Example here:
I recommend some code like (\1\?*|\1) or using \p for taking the real extension and later test it

One modification for the first filter:
Match = "$SET(url=\p)$TST(url=*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"

And one question, now both filters are for incoming connections, why do we use 2 filters? Could we join them?
Idea!! I think it would be great for the framework to write a filter which sets a variable with the extension of the file we are downloading, it would be very useful for many other filters.
Just waiting for some recommendations from your experience with this filter to start writing any code Wink

Here is a good link to test both of your filters:
Thanks for that, I'll have to find time to work on this filter. The work/labs/assignments are slowly piling up!
The filter for taking extensions is done:
[HTTP headers]
Out = TRUE
Key = "! : Take extension {ln}090116 (out)"
URL = "$SET(path=\p)$TST(path=([^/]+/)+([^.]+.([^.]+)\1)+)$SET(path=)$SET(Extension=\1)$LOG(w$DTM(c): Extension: $GET(Extension))"

I think your above filters could be reduced to the following matching code, working together with the extension-taking filter
$TST(extension=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)
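As an added example (not from this thread and not a Proxomitron filter), the same checks in Python: the whole-URL extension test of the first filter beside the path-only test (\p) proposed above, plus the Content-Disposition filename test of the second filter. The extension list is the thread's; the sample URLs and header values are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# The extension set from the thread's filters, written out in full.
SUSPICIOUS_EXTS = {
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat", "com", "cmd",
    "vb", "vbe", "vbs", "scr", "shs", "pif", "pcd", "ade", "adp", "anr", "chm",
    "cpl", "crt", "ins", "isp", "mdb", "mde", "msc", "msi", "msp", "mst",
    "wsf", "wsh", "wsc",
}

def extension_of(name):
    """Lowercase text after the last dot of a file name, or '' if there is none."""
    name = name.strip().rstrip(".")      # 'setup.exe.' is still an .exe
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def naive_url_extension(url):
    """Like the first filter: whatever follows the last dot of the whole URL,
    so a file name inside the query string is mistaken for the download."""
    return extension_of(url)

def path_extension(url):
    """Like the 'Take extension' filter: use only the URL path (\\p), so the
    query string cannot produce a false positive."""
    last_segment = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    return extension_of(last_segment)

def content_disposition_filename(value):
    """Pull the file name from 'attachment; filename="x.exe"' or 'filename=x.exe'
    (the RFC 5987 filename*= form is not handled here)."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', value, re.I)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)

def is_suspicious_url(url):
    return path_extension(url) in SUSPICIOUS_EXTS

def is_suspicious_disposition(value):
    return extension_of(content_disposition_filename(value)) in SUSPICIOUS_EXTS

if __name__ == "__main__":
    # Constructed samples: a query-string false positive and a real download.
    for u in ("http://host1/clear.gif?url=host2/setup.exe",
              "http://example.test/files/setup.exe?dl=1"):
        print(u, "naive:", naive_url_extension(u), "path:", path_extension(u),
              "block?", is_suspicious_url(u))
    print(is_suspicious_disposition('attachment; filename="update.exe"'))
```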