Kill Drive-By Malware-Installing Pages
Aug. 28, 2008, 07:51 PM
Post: #1
Kill Drive-By Malware-Installing Pages
In an attempt to prevent malicious pages (such as Antivirus XP 2008/9) from going through with their fake scanning progress bar, I've decided to write a pretty simple filter to kill all SCRIPT, IFRAME, OBJECT, EMBED, APPLET tags and ON____/HREF attributes, with the ability to bypass the filter (after having to click on "OK" on a genuine confirm message).

For those wanting to truly test this filter out, you can test it on an ACTUAL Antivirus XP 2008 site here (use caution, if you somehow have the following filter disabled or Proxomitron disabled, and you see the prompt to start scanning, go to the Task Manager and terminate the IEXPLORER or FIREFOX process):

http://###avxp-2008.###net/sysscan/ (remove the two sets of ###)

Code:
[Patterns]
Name = "Kill Drive-By Malware-Installing Pages"
Active = TRUE
URL = "$TYPE(htm)([^.]++.|)([a-z0-9-]++|)(antivir(us|-)|virus-|scanner|free(-|)scan|av(-|)xp|(av|xp)(-|)200(8|9)|(ad|spy)ware|trojan)([a-z0-9-]++|).[^/]+\8($TST(\8=*(\&|\?)prx_trust=1)$SET(prx_trust=1)|$TST(\8=*\?*)$SET(sep=\q\&)|(^$TST(\8=*\?*))$SET(sep=\?)|)"
Limit = 16
Match = "(?)\0(^$TST(prx_trust=1))(^$TST(topmatched=1))$SET(topmatched=1)$SET(9="
        "<div style="position: absolute; top: 0; left: 0; z-index: 500; width: 100%; color: red; background-color: yellow; font-weight: bold; font-size: 16px;"
        " border-bottom: 2px solid black; height: 25px; vertical-align: middle; text-align: left; line-height: 20px; padding-left: 5px;">"
        "Possible Malware Site: All SCRIPTs, IFRAMEs, OBJECTs, APPLETs, EMBEDs, Links disabled. <a href="http://\h\p$GET(sep)prx_trust=1" onclick="return confirm('Bypassing filtering on this site may introduce false information and allow dangerous scripts to run. Are you sure you want to continue?');">Bypass</a></div>\0)"
        "|"
        "(^$TST(prx_trust=1))"
        "("
        "< (script|iframe|object|applet|embed)\1$SET(9=<textarea style="display: none !important;")"
        "|(<a(rea|))\6$SET(a_area=1)$SET(9=\6)"
        "|([^a-z]on[a-z]+|action|href$TST(a_area=1)$SET(a_area=))=$SET(9= foo=)"
        "|</ (script|iframe|object|applet|embed) >$SET(9=</textarea>)"
        ")"
Replace = "\9"

Take a look at Malware Database's list of Malicious Domains for August 2008: http://malwaredatabase.net/blog/index.ph...the-month/

See anything that's RegEx-able? (aka, see any patterns?)
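The following Python is an added illustration of the decisions the filter above makes; it is not Proxomitron syntax and not the original poster's code. It reproduces the same logic so it can be exercised offline: a host-name keyword test drawn from the filter's URL line (simplified to a search over the whole host name rather than the second-level label only), the `prx_trust=1` bypass in the query string, the rewrite of SCRIPT/IFRAME/OBJECT/APPLET/EMBED into a hidden `<textarea>` (whose body is inert text), the renaming of `on*=`, `action=` and `<a>`/`<area>` `href=` attributes to a dead `foo=` attribute, and the yellow warning banner with its confirm-guarded Bypass link. The sample URL and HTML are constructed for the demonstration; the `<textarea>` trick, the `foo=` attribute name and the `http://`-only bypass link are taken from the filter as posted.

```python
"""Stand-alone model of the 'Kill Drive-By Malware-Installing Pages' filter logic.

Added example, not Proxomitron and not the original poster's code. It makes the
same decisions the filter does so they can be tested offline on constructed HTML.
"""
import re
from urllib.parse import urlsplit

# Keywords from the filter's URL line. Assumption/simplification: searched over the
# whole host name; the original only looks at the label in front of the TLD.
SUSPECT_HOST = re.compile(
    r"antivir(?:us|-)|virus-|scanner|free-?scan|av-?xp|(?:av|xp)-?200[89]"
    r"|(?:ad|spy)ware|trojan",
    re.IGNORECASE,
)
ACTIVE_TAGS = {"script", "iframe", "object", "applet", "embed"}
# Crude tag tokeniser: attribute values containing '>' will confuse it, just as
# the regex-based original can be confused; it is good enough for the demo.
TAG = re.compile(r"<(/?)([a-z][a-z0-9]*)([^>]*)>", re.IGNORECASE)
EVENT_OR_ACTION = re.compile(r"\b(?:on[a-z]+|action)\s*=", re.IGNORECASE)
HREF = re.compile(r"\bhref\s*=", re.IGNORECASE)
BYPASS_PARAM = "prx_trust=1"

BANNER = (
    '<div style="position: absolute; top: 0; left: 0; z-index: 500; width: 100%; '
    'color: red; background-color: yellow; font-weight: bold; font-size: 16px;">'
    "Possible Malware Site: All SCRIPTs, IFRAMEs, OBJECTs, APPLETs, EMBEDs, "
    'Links disabled. <a href="{bypass}" onclick="return confirm(\'Bypassing '
    "filtering on this site may introduce false information and allow dangerous "
    "scripts to run. Are you sure you want to continue?');\">Bypass</a></div>"
)


def is_suspect(url: str) -> bool:
    """True when the host name contains one of the filter's keywords."""
    return SUSPECT_HOST.search(urlsplit(url).hostname or "") is not None


def is_trusted(url: str) -> bool:
    """True when the user already clicked Bypass (prx_trust=1 is in the query)."""
    return BYPASS_PARAM in urlsplit(url).query.split("&")


def bypass_url(url: str) -> str:
    """Same host, path and query, plus prx_trust=1 (the filter's \\h\\p$GET(sep) link).

    The filter always emits http://, as the posted version does.
    """
    parts = urlsplit(url)
    base = f"http://{parts.netloc}{parts.path}"
    if parts.query:
        return f"{base}?{parts.query}&{BYPASS_PARAM}"
    return f"{base}?{BYPASS_PARAM}"


def _neutralise_tag(m: re.Match) -> str:
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name in ACTIVE_TAGS:
        # Element becomes a hidden <textarea>; its former body is now inert text.
        if closing:
            return "</textarea>"
        return f'<textarea style="display: none !important;"{attrs}>'
    # Rename event handlers and form actions so the browser ignores them;
    # links lose their href only on <a> and <area>, as in the original.
    attrs = EVENT_OR_ACTION.sub("foo=", attrs)
    if name in ("a", "area"):
        attrs = HREF.sub("foo=", attrs)
    return f"<{closing}{name}{attrs}>"


def filter_page(url: str, html: str) -> str:
    """Apply the filter to one response body; untouched for non-suspect or trusted URLs."""
    if not is_suspect(url) or is_trusted(url):
        return html
    return BANNER.format(bypass=bypass_url(url)) + TAG.sub(_neutralise_tag, html)


# Constructed sample input (not the real site from the post).
SAMPLE_URL = "http://avxp-2008.example/sysscan/?id=7"
SAMPLE_HTML = (
    '<html><body onload="startScan()">'
    '<script src="scan.js">alert(1)</script>'
    '<a href="download.php" onclick="go()">Remove threats</a>'
    '<iframe src="ad.html"></iframe>'
    '<form action="install.php"><input type="submit"></form>'
    "</body></html>"
)

if __name__ == "__main__":
    print(filter_page(SAMPLE_URL, SAMPLE_HTML))
    print(filter_page(bypass_url(SAMPLE_URL), SAMPLE_HTML) == SAMPLE_HTML)
```

Running it prints the rewritten page (banner first, the script and iframe turned into hidden textareas, the fake-scan link and form left with only dead `foo=` attributes), then `True` for the bypassed URL, which comes back unfiltered exactly as the `(^$TST(prx_trust=1))` guards in the filter intend.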
Aug. 29, 2008, 02:43 PM
Post: #2
RE: Kill Drive-By Malware-Installing Pages
For additional security, I'd recommend importing the two Header filters in this topic:

http://prxbx.com/forums/showthread.php?tid=1029
Sep. 05, 2008, 12:00 AM
Post: #3
RE: Kill Drive-By Malware-Installing Pages
Thanks for the filters.
Sep. 11, 2008, 03:28 PM
Post: #4
RE: Kill Drive-By Malware-Installing Pages
Fearless Leader;

Instead of Kill Drive-By Malware-Installing Pages, shouldn't that be Kill Surf-By Malware-Installing Pages?

Big Teeth



Oddysey

I'm no longer in the rat race - the rats won't have me!