The Un-Official Proxomitron Forum

Full Version: Kill Drive-By Malware-Installing Pages
In an attempt to prevent malicious pages (such as Antivirus XP 2008/9) from going through with their fake scanning progress bar, I've decided to write a pretty simple filter to kill all SCRIPT, IFRAME, OBJECT, EMBED, APPLET tags and ON____/HREF attributes, with the ability to bypass the filter (after having to click on "OK" on a genuine confirm message).

For those wanting to truly test this filter out, you can test it on an ACTUAL Antivirus XP 2008 site here (use caution: if you somehow have the following filter disabled or Proxomitron disabled and you see the prompt to start scanning, go to the Task Manager and terminate the IEXPLORER or FIREFOX process):

http://###avxp-2008.###net/sysscan/ (remove the two sets of ###)

Code:
[Patterns]
Name = "Kill Drive-By Malware-Installing Pages"
Active = TRUE
URL = "$TYPE(htm)([^.]++.|)([a-z0-9-]++|)(antivir(us|-)|virus-|scanner|free(-|)scan|av(-|)xp|(av|xp)(-|)200(8|9)|(ad|spy)ware|trojan)([a-z0-9-]++|).[^/]+\8($TST(\8=*(\&|\?)prx_trust=1)$SET(prx_trust=1)|$TST(\8=*\?*)$SET(sep=\q\&)|(^$TST(\8=*\?*))$SET(sep=\?)|)"
Limit = 16
Match = "(?)\0(^$TST(prx_trust=1))(^$TST(topmatched=1))$SET(topmatched=1)$SET(9="
        "<div style="position: absolute; top: 0; left: 0; z-index: 500; width: 100%; color: red; background-color: yellow; font-weight: bold; font-size: 16px;"
        " border-bottom: 2px solid black; height: 25px; vertical-align: middle; text-align: left; line-height: 20px; padding-left: 5px;">"
        "Possible Malware Site: All SCRIPTs, IFRAMEs, OBJECTs, APPLETs, EMBEDs, Links disabled. <a href="http://\h\p$GET(sep)prx_trust=1" onclick="return confirm('Bypassing filtering on this site may introduce false information and allow dangerous scripts to run. Are you sure you want to continue?');">Bypass</a></div>\0)"
        "|"
        "(^$TST(prx_trust=1))"
        "("
        "< (script|iframe|object|applet|embed)\1$SET(9=<textarea style="display: none !important;")"
        "|(<a(rea|))\6$SET(a_area=1)$SET(9=\6)"
        "|([^a-z]on[a-z]+|action|href$TST(a_area=1)$SET(a_area=))=$SET(9= foo=)"
        "|</ (script|iframe|object|applet|embed) >$SET(9=</textarea>)"
        ")"
Replace = "\9"

Take a look at Malware Database's list of Malicious Domains for August 2008: http://malwaredatabase.net/blog/index.ph...the-month/

See anything that's RegEx-able? ;) (aka, see any patterns?)
For additional security, I'd recommend importing the two Header filters in this topic:

http://prxbx.com/forums/showthread.php?tid=1029
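The filter's three pieces (the rogue-AV hostname check, the prx_trust=1 bypass, and the tag/attribute neutralisation) re-expressed in Python as an added example. This is not Proxomitron code and not from the thread; the sample URL and page below are constructed, and the regexes are a plain-Python rendering of the filter's patterns.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hostname keywords from the filter's URL match (possessive ++ rewritten for Python re).
SUSPECT_HOST = re.compile(
    r"(antivir(us|-)|virus-|scanner|free-?scan|av-?xp|(av|xp)-?200[89]|(ad|spy)ware|trojan)", re.I)
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|applet|embed)\b", re.I)
ACTIVE_END = re.compile(r"<\s*/\s*(script|iframe|object|applet|embed)\s*>", re.I)
EVENT_ATTR = re.compile(r"([^a-z])(on[a-z]+|action)\s*=", re.I)   # on*/action anywhere
LINK_TAG = re.compile(r"<\s*(a|area)\b[^>]*>", re.I)              # href only inside <a>/<area>
HREF_ATTR = re.compile(r"\bhref\s*=", re.I)

BANNER = ('<div style="position:absolute;top:0;left:0;z-index:500;width:100%;'
          'color:red;background-color:yellow;font-weight:bold">'
          'Possible Malware Site: active content and links disabled. '
          '<a href="{bypass}" onclick="return confirm(\'Bypass filtering on this site?\');">'
          'Bypass</a></div>')

def is_suspect(url: str) -> bool:
    """True when the hostname carries one of the filter's rogue-AV keywords."""
    return bool(SUSPECT_HOST.search(urlsplit(url).hostname or ""))

def is_trusted(url: str) -> bool:
    """True once the user has clicked Bypass (prx_trust=1 present in the query)."""
    return parse_qs(urlsplit(url).query).get("prx_trust") == ["1"]

def bypass_url(url: str) -> str:
    """Append prx_trust=1 with ? or &, as the filter's $SET(sep=...) does."""
    return url + ("&" if "?" in url else "?") + "prx_trust=1"

def neutralize(html: str) -> str:
    """Disable active content the way the filter's Replace branches do."""
    html = ACTIVE_TAG.sub('<textarea style="display: none !important;"', html)
    html = ACTIVE_END.sub("</textarea>", html)
    html = EVENT_ATTR.sub(r"\1foo=", html)
    return LINK_TAG.sub(lambda m: HREF_ATTR.sub("foo=", m.group(0)), html)

def filter_page(url: str, html: str) -> str:
    """Banner + neutralised body for suspect hosts; untouched page otherwise or when trusted."""
    if not is_suspect(url) or is_trusted(url):
        return html
    return BANNER.format(bypass=bypass_url(url)) + neutralize(html)

# Constructed sample: a fake-scanner page on a hostname the filter would flag.
SAMPLE_URL = "http://free-scan.example.invalid/sysscan/"
SAMPLE_HTML = ('<html><body onload="start()"><script>start();</script>'
               '<iframe src="x"></iframe><a href="dl.exe" onclick="go()">Scan now</a></body></html>')

if __name__ == "__main__":
    print(filter_page(SAMPLE_URL, SAMPLE_HTML))
```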
Thanks for the filters.
Fearless Leader;

Instead of Kill Drive-By Malware-Installing Pages, shouldn't that be Kill Surf-By Malware-Installing Pages?

Big Teeth



Oddysey