Catch Suspicious Extensions [January 11, 2009]
Apr. 21, 2008, 11:49 PM
Post: #1
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] 20090111 (In)"
URL = "(^$LST(KBSP))(^$IHDR(Content-Type:*text/(html|javascript)*))"
Match = "$URL(http://*.(^([a-z]+{2,4})(^/))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

In = TRUE
Out = FALSE
Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

This will catch any attempt to download files with the following extensions:

hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc

I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters! Smile!

Screenshots:

filter.jpg: Prompt for standard, direct-link downloads
f2.jpg: Prompt for "content-disposition"-redirected downloads
Apr. 24, 2008, 11:02 PM
Post: #2
RE: Catch Suspicious Extensions [April 21, 2008]
Hi Kye-U,

Does this mean we will have to bypass Proxo if we want to download some frequently served installation files ending in .EXE ?
Apr. 24, 2008, 11:14 PM
Post: #3
RE: Catch Suspicious Extensions [April 21, 2008]
Nope, this filter will allow you to select whether or not you want to allow a download. I'll take a screenshot of the window and add it to the first post Smile!
Apr. 24, 2008, 11:23 PM
Post: #4
RE: Catch Suspicious Extensions [April 21, 2008]
Thanks a lot !! Smile!
Aug. 27, 2008, 09:21 PM
Post: #5
RE: Catch Suspicious Extensions [April 21, 2008]
Hello Kye-U,
I want to thank you very much for the second filter (content-disposition) that I just discovered today. In fact you're right, some downloads DO NOT trigger your good old Url-killer (suspicious ext.) that I've been using for years and I can say it has saved me a lot of times, many crap sites trying to fool people with hidden .exe!

But your example (webroot) showed me that crapfiles could come in without triggering the UrlKiller, and be downloaded by mistake or lack of attention!

So thanks again for that filter and for all the good job you're doing.
Aug. 28, 2008, 03:46 AM
Post: #6
RE: Catch Suspicious Extensions [April 21, 2008]
I'm glad you're finding it helpful! I can see how it would prove useful against the new "XP antivirus 2008/9" malware that's floating around Smile! Thank you for your comment!
Sep. 23, 2008, 08:19 PM
Post: #7
RE: Catch Suspicious Extensions [April 21, 2008]
Very good filters Kye-U! But sometimes they have false positives, here is an example:
http://userstyles.org/styles/site/facebook.com

I don't know about header filters, could we improve these filters to not match html files?

Thanks in advance!
Jan. 11, 2009, 03:26 AM
Post: #8
RE: Catch Suspicious Extensions [January 10, 2009]
Thanks Inminente, I've updated the first filter to match all content types other than HTML Wink
Jan. 12, 2009, 01:01 AM
Post: #9
RE: Catch Suspicious Extensions [January 11, 2009]
Updated again to not match text/javascript, as I was getting a false positive on WildersSecurity (with Google API).
Jan. 12, 2009, 12:32 PM
Post: #10
RE: Catch Suspicious Extensions [January 11, 2009]
Is your following filter still needed ?
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] (Out)"
URL = "(^$LST(KBSP))(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"
Jan. 12, 2009, 12:40 PM
Post: #11
RE: Catch Suspicious Extensions [January 11, 2009]
are these "drive-by downloads" merely theoretical, or has anyone seen one of these mythical beasts in the wild?

just curious - with .js dis'd by default (by Proxo, not at the browser-level), i've not seen any...
Jan. 12, 2009, 05:50 PM
Post: #12
RE: Catch Suspicious Extensions [January 11, 2009]
I like these filters Kye-U, many thanks for them Wink And now let's try to improve them Big Teeth

Analyzing the code of the first filter:
- "$URL(http://" is ftp covered by the other filter?
- *.(^([a-z]+{2,4})(^/))*. looking for an extension of only letters (no numbers) between 2 and 4 chars.

The detection of the extension gives false positives in links like http://host1/clear.gif?url=host2/cbs.com
Example here: http://www.cbs.com/primetime/big_bang_th...=true&cc=2
I recommend some code like (\1\?*|\1) or using \p for taking the real extension and later test it

One modification for the first filter:
Code:
Match = "$SET(url=\p)$TST(url=*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"

And one question, now both filters are for incoming connections, why do we use 2 filters? Could we join them?
Jan. 13, 2009, 11:44 PM
Post: #13
RE: Catch Suspicious Extensions [January 11, 2009]
Idea!! I think it would be great for the framework to write a filter which sets a variable with the extension of the file we are downloading, it would be very useful for many other filters.
Just waiting for some recommendations from your experience with this filter to start writing any code Wink

Here is a good link to test both your filters: http://prdownload.berlios.de/avidemux/av..._win32.exe
Jan. 15, 2009, 05:31 AM
Post: #14
RE: Catch Suspicious Extensions [January 11, 2009]
Thanks for that, I'll have to find time to work on this filter. The work/labs/assignments are slowly piling up!
Jan. 15, 2009, 11:21 AM
Post: #15
Cool RE: Catch Suspicious Extensions [January 11, 2009]
The filter for taking extensions is done:
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "! : Take extension {ln}090116 (out)"
URL = "$SET(path=\p)$TST(path=([^/]+/)+([^.]+.([^.]+)\1)+)$SET(path=)$SET(Extension=\1)$LOG(w$DTM(c): Extension: $GET(Extension))"

I think your above filters could be resumed to the following matching code working together with the taking extension filter
Code:
$TST(extension=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)
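
The path-only extension test proposed in posts #12 and #15, combined with the Content-Type exemption and Content-Disposition check of the filters in the first post, restated as an added Python example (not code from the thread or from Proxomitron). Function names and the sample hosts are hypothetical; stripping trailing dots and spaces from the file name goes beyond what the posted filters do.

```python
import re
from urllib.parse import urlsplit, unquote

# Extension list from the first post of the thread.
SUSPICIOUS = set(("hta eml exe hlp jse lnk url bas bat com cmd vb vbe vbs scr shs "
                  "pif pcd ade adp anr chm cpl crt ins isp mdb mde msc msi msp mst "
                  "wsf wsh wsc").split())
# Content types the January 2009 updates exempt from the URL check.
EXEMPT_TYPES = ("text/html", "text/javascript")

def ext_of(name):
    """Return the lower-cased extension of the last path segment, or ''."""
    # Trailing dots/spaces are dropped so "setup.exe." still reads as exe.
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""

def disposition_filename(value):
    """Pull filename= (quoted or bare) out of a Content-Disposition value."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', value, re.I)
    return (m.group(1) or m.group(2) or "") if m else ""

def check_response(url, headers):
    """Return (reason, extension) when the download should prompt, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    # Second filter: the header names the file, whatever the URL looks like.
    ext = ext_of(disposition_filename(h.get("content-disposition", "")))
    if ext in SUSPICIOUS:
        return ("content-disposition", ext)
    # First filter: URL check, skipped for HTML and JavaScript responses.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXEMPT_TYPES:
        return None
    # Test only the path, as post #12 proposes, so a query string such as
    # ?url=host2/cbs.com cannot produce a match.
    ext = ext_of(unquote(urlsplit(url).path))
    return ("url", ext) if ext in SUSPICIOUS else None

if __name__ == "__main__":
    # Constructed sample responses (hosts are placeholders).
    samples = [
        ("http://host1/clear.gif?url=host2/cbs.com", {"Content-Type": "image/gif"}),
        ("http://downloads.example/tool/setup.EXE", {"Content-Type": "application/octet-stream"}),
        ("http://downloads.example/get?id=7", {"Content-Disposition": 'attachment; filename="update.scr"'}),
    ]
    for url, hdrs in samples:
        print(url, "->", check_response(url, hdrs))
```
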