Aug. 28, 2008, 07:51 PM
In an attempt to prevent malicious pages (such as Antivirus XP 2008/9) from going through with their fake scanning progress bar, I've decided to write a pretty simple filter to kill all SCRIPT, IFRAME, OBJECT, EMBED, APPLET tags and ON____/HREF attributes, with the ability to bypass the filter (after having to click on "OK" on a genuine confirm message).
For those wanting to truly test this filter out, you can test it on an ACTUAL Antivirus XP 2008 site here (use caution, if you somehow have the following filter disabled or Proxomitron disabled, and you see the prompt to start scanning, go to the Task Manager and terminate the IEXPLORER or FIREFOX process):
http://###avxp-2008.###net/sysscan/ (remove the two sets of ###)
Take a look at Malware Database's list of Malicious Domains for August 2008: http://malwaredatabase.net/blog/index.ph...the-month/
See anything that's RegEx-able? (aka, see any patterns?)
Code:
[Patterns]
Name = "Kill Drive-By Malware-Installing Pages"
Active = TRUE
URL = "$TYPE(htm)([^.]++.|)([a-z0-9-]++|)(antivir(us|-)|virus-|scanner|free(-|)scan|av(-|)xp|(av|xp)(-|)200(8|9)|(ad|spy)ware|trojan)([a-z0-9-]++|).[^/]+\8($TST(\8=*(\&|\?)prx_trust=1)$SET(prx_trust=1)|$TST(\8=*\?*)$SET(sep=\q\&)|(^$TST(\8=*\?*))$SET(sep=\?)|)"
Limit = 16
Match = "(?)\0(^$TST(prx_trust=1))(^$TST(topmatched=1))$SET(topmatched=1)$SET(9="
"<div style="position: absolute; top: 0; left: 0; z-index: 500; width: 100%; color: red; background-color: yellow; font-weight: bold; font-size: 16px;"
" border-bottom: 2px solid black; height: 25px; vertical-align: middle; text-align: left; line-height: 20px; padding-left: 5px;">"
"Possible Malware Site: All SCRIPTs, IFRAMEs, OBJECTs, APPLETs, EMBEDs, Links disabled. <a href="http://\h\p$GET(sep)prx_trust=1" onclick="return confirm('Bypassing filtering on this site may introduce false information and allow dangerous scripts to run. Are you sure you want to continue?');">Bypass</a></div>\0)"
"|"
"(^$TST(prx_trust=1))"
"("
"< (script|iframe|object|applet|embed)\1$SET(9=<textarea style="display: none !important;")"
"|(<a(rea|))\6$SET(a_area=1)$SET(9=\6)"
"|([^a-z]on[a-z]+|action|href$TST(a_area=1)$SET(a_area=))=$SET(9= foo=)"
"|</ (script|iframe|object|applet|embed) >$SET(9=</textarea>)"
")"
Replace = "\9"
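For readers who want to see what the filter above does outside Proxomitron, here is an added Python re-implementation of its two halves (this is not the poster's code): the host-name keyword heuristic from the URL line with the prx_trust=1 bypass, and the tag/attribute neutralising from the Match/Replace lines. It approximates the filter (no $TYPE(htm) check, href is only stripped inside a/area as the a_area flag does) and runs on a constructed sample page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Keywords the filter's URL pattern looks for in the host name
# (e.g. "antivirus", "free-scan", "avxp", "xp-2008", "spyware", "trojan").
HOST_KEYWORDS = re.compile(
    r"antivir(?:us|-)|virus-|scanner|free-?scan|av-?xp|(?:av|xp)-?200[89]"
    r"|(?:ad|spy)ware|trojan",
    re.IGNORECASE,
)

def is_suspect(url: str) -> bool:
    """True when the host matches a keyword and prx_trust=1 is not in the query."""
    parts = urlsplit(url)
    if not HOST_KEYWORDS.search(parts.hostname or ""):
        return False
    trusted = parse_qs(parts.query).get("prx_trust", [])
    return "1" not in trusted          # the "Bypass" link appends prx_trust=1

# Active content tags become a hidden <textarea>, so their bodies render as inert text.
ACTIVE_TAGS = r"(?:script|iframe|object|applet|embed)"
OPEN_TAG = re.compile(r"<\s*" + ACTIVE_TAGS + r"\b", re.IGNORECASE)
CLOSE_TAG = re.compile(r"</\s*" + ACTIVE_TAGS + r"\s*>", re.IGNORECASE)
# on* event handlers and form action attributes are renamed to a harmless "foo".
BAD_ATTR = re.compile(r"\s(?:on[a-z]+|action)\s*=", re.IGNORECASE)
# href is only neutralised inside <a> / <area>, matching the filter's a_area flag.
A_TAG = re.compile(r"<a(?:rea)?\b[^>]*>", re.IGNORECASE)
HREF = re.compile(r"\shref\s*=", re.IGNORECASE)

def neutralize(html: str) -> str:
    """Apply the filter's Replace rules to a page body."""
    html = OPEN_TAG.sub('<textarea style="display: none !important;"', html)
    html = CLOSE_TAG.sub("</textarea>", html)
    html = BAD_ATTR.sub(" foo=", html)
    return A_TAG.sub(lambda m: HREF.sub(" foo=", m.group(0)), html)

# Constructed sample resembling a fake-scanner page; example.invalid is a placeholder.
SAMPLE = ('<html><body onload="startScan()">'
          '<script src="scan.js"></script>'
          '<a href="http://example.invalid/dl.exe">Remove threats</a>'
          '<form action="/buy"></form></body></html>')

if __name__ == "__main__":
    print(is_suspect("http://avxp-2008.example.invalid/sysscan/"))
    print(neutralize(SAMPLE))
```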