The Un-Official Proxomitron Forum
Kill Drive-By Malware-Installing Pages - Printable Version

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Proxomitron Filters (/forumdisplay.php?fid=38)
+--- Forum: Privacy/Security/Spam (/forumdisplay.php?fid=10)
+--- Thread: Kill Drive-By Malware-Installing Pages (/showthread.php?tid=1081)



Kill Drive-By Malware-Installing Pages - Kye-U - Aug. 28, 2008 07:51 PM

In an attempt to prevent malicious pages (such as Antivirus XP 2008/9) from going through with their fake scanning progress bar, I've decided to write a pretty simple filter to kill all SCRIPT, IFRAME, OBJECT, EMBED, APPLET tags and ON____/HREF attributes, with the ability to bypass the filter (after having to click on "OK" on a genuine confirm message).

For those wanting to truly test this filter out, you can test it on an ACTUAL Antivirus XP 2008 site here (use caution, if you somehow have the following filter disabled or Proxomitron disabled, and you see the prompt to start scanning, go to the Task Manager and terminate the IEXPLORER or FIREFOX process):

http://###avxp-2008.###net/sysscan/ (remove the two sets of ###)

Code:
[Patterns]
Name = "Kill Drive-By Malware-Installing Pages"
Active = TRUE
URL = "$TYPE(htm)([^.]++.|)([a-z0-9-]++|)(antivir(us|-)|virus-|scanner|free(-|)scan|av(-|)xp|(av|xp)(-|)200(8|9)|(ad|spy)ware|trojan)([a-z0-9-]++|).[^/]+\8($TST(\8=*(\&|\?)prx_trust=1)$SET(prx_trust=1)|$TST(\8=*\?*)$SET(sep=\q\&)|(^$TST(\8=*\?*))$SET(sep=\?)|)"
Limit = 16
Match = "(?)\0(^$TST(prx_trust=1))(^$TST(topmatched=1))$SET(topmatched=1)$SET(9="
        "<div style="position: absolute; top: 0; left: 0; z-index: 500; width: 100%; color: red; background-color: yellow; font-weight: bold; font-size: 16px;"
        " border-bottom: 2px solid black; height: 25px; vertical-align: middle; text-align: left; line-height: 20px; padding-left: 5px;">"
        "Possible Malware Site: All SCRIPTs, IFRAMEs, OBJECTs, APPLETs, EMBEDs, Links disabled. <a href="http://\h\p$GET(sep)prx_trust=1" onclick="return confirm('Bypassing filtering on this site may introduce false information and allow dangerous scripts to run. Are you sure you want to continue?');">Bypass</a></div>\0)"
        "|"
        "(^$TST(prx_trust=1))"
        "("
        "< (script|iframe|object|applet|embed)\1$SET(9=<textarea style="display: none !important;")"
        "|(<a(rea|))\6$SET(a_area=1)$SET(9=\6)"
        "|([^a-z]on[a-z]+|action|href$TST(a_area=1)$SET(a_area=))=$SET(9= foo=)"
        "|</ (script|iframe|object|applet|embed) >$SET(9=</textarea>)"
        ")"
Replace = "\9"

Take a look at Malware Database's list of Malicious Domains for August 2008: http://malwaredatabase.net/blog/index.php/2008/08/21/malicious-domains-of-the-month/

See anything that's RegEx-able? (aka, see any patterns?)
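The same rewrite, as an added example that is not Kye-U's filter or Proxomitron code: a Python re-implementation of the filter's three parts (the host-keyword URL test, the prx_trust=1 bypass with its ?/& separator choice, and the tag/attribute neutralisation plus warning banner), so the logic can be checked against sample HTML offline. The keyword list and sample page are constructed from the post; one simplification is that href= is rewritten on every element rather than only inside <a>/<area> as the original's a_area flag does.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

# Host keywords transcribed from the filter's URL match (constructed from the
# post; the real filter also anchors them inside a single host label).
HOST_KEYWORDS = re.compile(
    r"antivir(us|-)|virus-|scanner|free-?scan|av-?xp|(av|xp)-?200[89]|(ad|spy)ware|trojan",
    re.IGNORECASE)
TAGS = "script|iframe|object|applet|embed"
OPEN_TAG = re.compile(rf"<\s*({TAGS})\b", re.IGNORECASE)
CLOSE_TAG = re.compile(rf"</\s*({TAGS})\s*>", re.IGNORECASE)
# on*=, action= and href= preceded by whitespace; the original limits href= to
# <a>/<area> via its a_area flag, this version applies it to every element.
ATTR = re.compile(r"(?<=\s)(on[a-z]+|action|href)\s*=", re.IGNORECASE)
BANNER_STYLE = ("position: absolute; top: 0; left: 0; z-index: 500; width: 100%; "
                "color: red; background-color: yellow; font-weight: bold;")

def is_suspicious_host(url):
    """The URL-match part: only the host name is inspected, never the path."""
    return HOST_KEYWORDS.search(urlsplit(url).hostname or "") is not None

def is_trusted(url):
    """$TST(prx_trust=1): the user already clicked Bypass and confirmed."""
    return parse_qs(urlsplit(url).query).get("prx_trust") == ["1"]

def bypass_url(url):
    """$SET(sep=...): append prx_trust=1 with '&' if a query exists, else '?'."""
    return url + ("&" if urlsplit(url).query else "?") + "prx_trust=1"

def neutralize(url, html):
    """Rewrite a page the way the filter does, or pass it through untouched."""
    if not is_suspicious_host(url) or is_trusted(url):
        return html
    # A hidden <textarea> makes the browser treat the element's contents as
    # plain text, so script and plugin markup is shown inert, never executed.
    body = OPEN_TAG.sub('<textarea style="display: none !important;"', html)
    body = CLOSE_TAG.sub("</textarea>", body)
    body = ATTR.sub("foo=", body)          # event handlers, links, form targets
    banner = (f'<div style="{BANNER_STYLE}">Possible Malware Site: All SCRIPTs, '
              'IFRAMEs, OBJECTs, APPLETs, EMBEDs, Links disabled. '
              f'<a href="{escape(bypass_url(url))}" onclick="return confirm('
              "'Bypassing filtering on this site may allow dangerous scripts to run. "
              "Are you sure?');\">Bypass</a></div>")
    return banner + body   # banner is prepended after rewriting, so its own link survives
```

Like the original, the host test is a keyword heuristic: a page served from a host that avoids those words passes through unfiltered, so this is a mitigation layer, not a blocklist.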


RE: Kill Drive-By Malware-Installing Pages - Kye-U - Aug. 29, 2008 02:43 PM

For additional security, I'd recommend importing the two Header filters in this topic:

http://prxbx.com/forums/showthread.php?tid=1029


RE: Kill Drive-By Malware-Installing Pages - besafe - Sep. 05, 2008 12:00 AM

Thanks for the filters.


RE: Kill Drive-By Malware-Installing Pages - Oddysey - Sep. 11, 2008 03:28 PM

Fearless Leader;

Instead of Kill Drive-By Malware-Installing Pages, shouldn't that be Kill Surf-By Malware-Installing Pages?




Oddysey