Catch Suspicious Extensions [January 11, 2009]

[Kye-U]

Code:

[HTTP headers]
In = TRUE
Out = FALSE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] 20090111 (In)"
URL = "(^$LST(KBSP))(^$IHDR(Content-Type:*text/(html|javascript)*))"
Match = "$URL(http://*.(^([a-z]+{2,4})(^/))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|  p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

In = TRUE
Out = FALSE
Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e |p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

This will catch any attempt to download files with the following extensions:

hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc

I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters!

Screenshots:


  filter.jpg (Size: 230.93 KB / Downloads: 1244)
Prompt for standard, direct-link downloads


  f2.jpg (Size: 45.75 KB / Downloads: 1190)
Prompt for "content-disposition"-redirected downloads