Browser Security Pack
Aug. 30, 2005, 07:26 PM
Post: #316
 
My apologies and thanks, Kye-U. I should have been more specific. You answered my implied question.
Aug. 30, 2005, 07:38 PM
Post: #317
 
Shoot, I thought I was logged in; that was me in the "guest" post. Thanks, ProxRocks; I assumed that was the case.
Sep. 04, 2005, 04:30 AM
Post: #318
 
Version 4.40 is Released!

Last Updated: September 4th, 2005 - 1:32 AM EST

What's New?

[-Version 4.40-]

-Added (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--In response to the increase in Rotating Advertising Trojan Attacks
--Detects and Kills Connections to .pif, .bat, .com, .hta, .vbs, .cmd and .scr.

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: 9CFDB2FD39E7BF0BFBCDC6697D231141
Sep. 04, 2005, 06:01 PM
Post: #319
 
Kye-U,
Code:
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill Suspicious Extensions [Kye-U] (Out)"
URL = "(^$LST(KBSP))(^*.com/(^*.com))*.(hta|com|vbs|bat|scr|pif)"
Match = "*&$ALERT(Connection to Suspicious Extension Killed:\n\n\u)"
Replace = "Connection to Suspicious Extension Killed\k"

In this filter, why do you single out .com hosts but not .net or .org or any
other suffix?
I am having problems understanding the structure of this filter. Why use the
double negative for .com with no slash? Why is the alert in the match rather
than in the replacement? Would that replacement not replace the alert?
Sep. 04, 2005, 06:06 PM (This post was last modified: Sep. 04, 2005 06:39 PM by Kye-U.)
Post: #320
 
Version 4.41 is Released!

Last Updated: September 4th, 2005 - 3:08 PM EST

What's New?

[-Version 4.41-]

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Made more specific, removed false positives with search engines and webmail.

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: E5141A185C6280F037F83F3636C9859E
Sep. 04, 2005, 06:13 PM
Post: #321
 
Code:
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill Suspicious Extensions [Kye-U] (Out)"
URL = "(^$LST(KBSP))(^*.com/(^*.com))*.(hta|com|vbs|bat|scr|pif)"
Match = "*&$ALERT(Connection to Suspicious Extension Killed:\n\n\u)"
Replace = "Connection to Suspicious Extension Killed\k"

Siamesecat Wrote:In this filter, why do you single out .com hosts but not .net or .org or any other suffix?

I singled out .com hosts because there were some false positives with .com hosts because the filter thought that it was the .com extension.

Siamesecat Wrote:Why use the double negative for .com with no slash?

So that .com hosts won't get killed by the filter.

Siamesecat Wrote:Why is the alert in the match rather than in the replacement? Would that replacement not replace the alert?

I tried placing it in the Replacement box, but then it wouldn't work.

Anyway, check out the new filter! I hope I've answered your questions.

New Filter:

Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill Suspicious Extensions [Kye-U] (Out)"
URL = "(^$LST(KBSP))(^*.([a-z]+{2,4})(:[#1:65535]|)/(*=http(:|%3A)(//|%2F%2F)\w(.\w(.\w(.\w|)|)|).([a-z]+{2,4})(/|)|)((*|)\?(*|)[a-z]+=*.(hta|com|vbs|bat|scr|pif|cmd)|)(^*.(hta|com|vbs|bat|scr|pif|cmd)))"
Match = "*&$ALERT(Connection to Suspicious Extension Killed:\n\n\u)"
Replace = "Connection to Suspicious Extension Killed\k"
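Added example, not part of the thread and not Kye-U's filter: the Proxomitron match language above is hard to read cold, so here is the same decision written in Python for anyone who wants to see what the v4.41 filter is actually checking. It does two things the filter does: flag a request whose path ends in one of the listed extensions, and flag a query-string value that is itself an http URL (a redirector) pointing at such a file, while ignoring plain query values like q=site.com that caused the search-engine false positives. Working on the parsed path rather than the raw URL is what removes the .com-host false positive the `(^*.com/(^*.com))` double negative guarded against, since the hostname never reaches the extension check. The hostnames in the sample URLs are constructed; the extension list is the filter's plus exe, which the thread says v4.43 added.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Extensions from the v4.41 filter's alternation, plus exe, which the
# thread says was added in v4.43.
SUSPICIOUS_EXTENSIONS = {"hta", "com", "vbs", "bat", "scr", "pif", "cmd", "exe"}


def path_extension(path):
    """Lowercase extension of the final path segment, or None if it has none.

    Only the parsed path is inspected, so a host such as www.example.com can
    never look like a ".com" file: the host never reaches this function.
    """
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return None
    return last_segment.rsplit(".", 1)[-1].lower()


def suspicious_targets(url, _nested=False):
    """Return a list of (reason, url) findings for one outgoing request URL.

    1. The request path itself ends in a suspicious extension.
    2. A query-string value is itself an http(s) URL (a redirector) whose
       path ends in a suspicious extension. Plain query values such as
       q=site.com are not URLs and are ignored.
    """
    findings = []
    parts = urlsplit(url)
    if path_extension(parts.path) in SUSPICIOUS_EXTENSIONS:
        findings.append(("path-extension", url))
    if not _nested:  # recurse one level only, into embedded URLs
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already decodes once; unquote again to cover
            # double-encoded redirect targets.
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                for reason, hit in suspicious_targets(value, _nested=True):
                    findings.append(("query-embedded-" + reason, hit))
    return findings


def should_block(url):
    """The decision the filter makes: True means kill the connection."""
    return bool(suspicious_targets(url))


if __name__ == "__main__":
    # Constructed sample URLs for illustration; the hostnames are hypothetical.
    samples = [
        "http://www.example.com/",
        "http://www.example.com/images/banner.com",
        "http://search.example.net/search?q=site.com",
        "http://redir.example.org/go?u=http%3A%2F%2Fbad.example%2Fpayload.scr",
        "http://www.example.com/page.html",
    ]
    for sample in samples:
        verdict = "KILL " if should_block(sample) else "allow"
        print(verdict, sample, suspicious_targets(sample))
```

The first and third samples are exactly the two false-positive shapes the thread discusses (a .com host, and a search query mentioning a .com name); both come back as "allow", while the redirector in the fourth sample is caught through its embedded target.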
Sep. 04, 2005, 06:22 PM
Post: #322
 
Siamesecat;
Siamesecat Wrote:Kye-U,
Code:
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill Suspicious Extensions [Kye-U] (Out)"
URL = "(^$LST(KBSP))(^*.com/(^*.com))*.(hta|com|vbs|bat|scr|pif)"
Match = "*&$ALERT(Connection to Suspicious Extension Killed:\n\n\u)"
Replace = "Connection to Suspicious Extension Killed\k"

In this filter, why do you single out .com hosts but not .net or .org or any
other suffix?
I am having problems understanding the structure of this filter. Why use the
double negative for .com with no slash? Why is the alert in the match rather
than in the replacement? Would that replacement not replace the alert?
In order:
I don't know why he didn't include the other TLD's, he'll have to answer that one hisownself.

A double negative effectively does not consume any characters, but still matches. Nice for those times when you want to check for something, but not use Multi=True. There are other uses, this is just the first that comes to mind.

An ALERT will still fire when a match is True, even though it's about to be replaced. It occurs as the code is being read by the browser, not after everything else is loaded. In fact, this is one of the surest ways to give the user feedback that a filter has indeed fired off, possibly even better than the log window. You can also conditionally trigger additional filters, based on the user's input.

Our Fearless Leader will no doubt come along and edit my answers to reflect the truth, just wait a moment or two.......


Oddysey

I'm no longer in the rat race - the rats won't have me!
Sep. 04, 2005, 06:38 PM
Post: #323
 
Oddysey Wrote:Our Fearless Leader will no doubt come along and edit my answers to reflect the truth, just wait a moment or two.......

Think
Sep. 07, 2005, 01:41 AM
Post: #324
 
Version 4.42 is Released!

Last Updated: September 6th, 2005 - 10:43 PM EST

What's New?

[-Version 4.42-]

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Rewrote match; should be much more efficient and rid of most false-positives.

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: 1730ED5C3F86520354175808E8F202A3
Sep. 07, 2005, 05:08 AM
Post: #325
 
Kye-U and Oddysey,
Thanks. I understand now.
Incidentally, where did you get the information about the rotating advertising trojan attacks? I tried searching for it, but could not find any reference. Is there a website that is known to be using that kind of trickery?
Sep. 07, 2005, 12:03 PM
Post: #326
 
Kye-U, thanks for the security pack Version 4.42 -- it works and I no longer have to turn off the ALERTS box... prior to this version the ALERTS box was popping up frequently to the point of being more than annoying :-) And thanks to Oddysey for his contribution :-)
Sep. 07, 2005, 08:11 PM
Post: #327
 
Version 4.43 is Released!

Last Updated: September 7th, 2005 - 5:13 PM EST

What's New?

[-Version 4.43-]

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Added more suspicious extensions, and a Confirm box to either accept the connection, or to kill it.

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: D52FB47213437C98AF744BD5ACDE32BD
Sep. 07, 2005, 08:16 PM
Post: #328
 
Siamesecat: Read this topic for more information: http://www.dslreports.com/forum/remark,14196120

Mozerd: Believe me, it was getting on my nerves too xD (Which explains the 3 consecutive updates)
Sep. 08, 2005, 03:46 AM
Post: #329
 
In v4.43, I've added many extensions that are common in spreading trojans. I've included EXE. You are confronted with a confirm box, asking if you would like to allow the connection or kill it.

This should act as sort of a secondary firewall, if you know what I mean. The javascript can be as encoded and unbreakable as it wants to be, but this filter will catch the output, the URL to the trojan/worm/virus.
Sep. 08, 2005, 04:34 AM
Post: #330
 
Wow. This is excellent, Kye-U. Fantastic work!