Remove Obfuscated Code [20081221b]
Dec. 17, 2008, 03:30 AM
Post: #1
Remove Obfuscated Code [20081221b]
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081221b]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 32767
Match = "(($TYPE(js)|$TYPE(vbs))$SET(sOpen=1)|(^($TYPE(js)|$TYPE(vbs)))< (script$SET(sOpen=1)|/ script$SET(sOpen=)))PrxFail"
        "|"
        "$TST(sOpen=1)"
        "("
        "(=| \( | , )\0(\"|\')\1"
        "("
        "("
        "(\\([0-7]+{1,3}&&[#000:377]))"
        "|((%|\\x)([a-f0-9])+{2})"
        "|((%|\\)u([a-f0-9])+{4})"
        ")"
        ")+{10,*}$SET(2=$ALERT(Obfuscated code detected and removed/broken on:\r\n\r\n\u))"
        "|"
        "String.fromCharCode \($SET(0=foo)$SET(1=\()"
        "|(\s|;|>)\9unescape \( [_a-z0-9]+.replace \($SET(0=\9foo\()$SET(1=bar\()"
        "|(\s|;|>)\9eval \( ("
        "     (([_a-Z0-9]+)(\+|))+{3,*}$SET(0=\9foo)$SET(1=\()"
        "     |(function|unescape) \($SET(0=\9foo\()$SET(1=bar\()"
        "     )$SET(2=$ALERT(Obfuscation function detected and removed/broken on:\r\n\r\n\u))"
        ")"
Replace = "\0\1"
          "\2"

Test page: http://prxbx.com/test/IEXMLPoC.html (warning, may crash your IE-based browser)


edit by admin: inserted missing " after the ) in the second-to-last line of the Match Code...

Old Versions:

Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081221a]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 32767
Match = "(($TYPE(js)|$TYPE(vbs))$SET(sOpen=1)|(^($TYPE(js)|$TYPE(vbs)))< (script$SET(sOpen=1)|/ script$SET(sOpen=)))PrxFail"
        "|"
        "$TST(sOpen=1)"
        "("
        "(=| \( | , )\0(\"|\')\1(^((.(.|)|)/|http(s|)://))( [^"'<>%\\]+ |)"
        "("
        "("
        "(\\([0-7]+{1,3}&&[#000:377]))"
        "|((%|\\x)([a-f0-9])+{2})"
        "|((%|\\)u([a-f0-9])+{4})"
        ")"
        "( [^"'<>%\\]+ |)"
        ")+{10,*}$SET(2=$ALERT(Obfuscated code detected and removed/broken on:\r\n\r\n\u))"
        "|"
        "String.fromCharCode \($SET(0=foo)$SET(1=\()"
        "|(\s|;|>)\9unescape \( [_a-z0-9]+.replace \($SET(0=\9foo\()$SET(1=bar\()"
        "|(\s|;|>)\9eval \( ("
        "     (([_a-Z0-9]+)(\+|))+{3,*}$SET(0=\9foo)$SET(1=\()"
        "     |(function|unescape) \($SET(0=\9foo\()$SET(1=bar\()"
        "     )"
        ")"
Replace = "\0\1"
          "\2"
Dec. 17, 2008, 04:22 PM
Post: #2
RE: Remove Obfuscated Code [20081216]
Thanks, KyeU, for this filter. Looks like it replaces the PoC code with this:
Code:
var shellcode = unescape["%u0066%u006F%u006F%u0062%u0061%u0072
^ change [ to (
This seems to cause Avira to quarantine the whole thing even with WebGuard disabled. Smile! Just thought I'd let you know.

Thanks again,
DarthTrader.

**Edited by Kye-U: the filter is matching the code in this post**
Dec. 17, 2008, 05:10 PM
Post: #3
RE: Remove Obfuscated Code [20081216]
DarthTrader, try deleting \1 in the replacement code Wink
Dec. 17, 2008, 05:55 PM
Post: #4
RE: Remove Obfuscated Code [20081216]
(Dec. 17, 2008 05:10 PM)lnminente Wrote:  DarthTrader, try deleting \1 in the replacement code Wink

Now I get this:
Code:
var shellcode = unescape("
And it still gets quarantined by Avira. If I remove both the \1 and \k, IE8 beta 2 crashes. Sad
Dec. 17, 2008, 06:09 PM
Post: #5
RE: Remove Obfuscated Code [20081216]
Maybe the text which Avira matches for detecting this exploit is still present, but it wouldn't be bad after this filter deactivated it...
Dec. 17, 2008, 06:11 PM
Post: #6
RE: Remove Obfuscated Code [20081216]
I'd highly recommend keeping the \k in the Replacement Text (and also the $ALERT, so you'll know if it's producing any false positives).

I think the content is loaded through Avira before it reaches Proxomitron, so that's why you still get the message.
Dec. 17, 2008, 06:56 PM (This post was last modified: Dec. 17, 2008 07:49 PM by DarthTrader.)
Post: #7
RE: Remove Obfuscated Code [20081216]
(Dec. 17, 2008 06:11 PM)Kye-U Wrote:  I'd highly recommend keeping the \k in the Replacement Text (and also the $ALERT, so you'll know if it's producing any false positives).

Okay, I will keep both of them.

Quote:I think the content is loaded through Avira before it reaches Proxomitron, so that's why you still get the message.

I think this is only true if WebGuard is enabled. The quarantined page I am seeing has all the Prox code inserted.

DarthTrader
Oops, now I am seeing FPs on this page:
http://www.dslreports.com/forum/security
Dec. 19, 2008, 02:41 PM
Post: #8
RE: Remove Obfuscated Code [20081216]
Here is a modified version (please don't laugh!)
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081219]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 4096
Match = "*(\\[#000:255])+{15}*"
        "|*((%|\\x)\0([a-f]|[0-9])([a-f]|[0-9]))+{15}*"
        "|*(((%|\\)u)\0([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9]))+{15}*"
        "|*[^_a-Z0-9]eval \( ((([_a-Z0-9]+)(\+|))+{3,*}*)"
Replace = "$ALERT(Obfuscated code detected and removed from:\r\n\r\n\u\r\n\r\n)"

Comments and corrections welcome!
DarthTrader
Dec. 19, 2008, 05:31 PM
Post: #9
RE: Remove Obfuscated Code [20081216]
(Dec. 19, 2008 02:41 PM)DarthTrader Wrote:  please don't laugh!
Nobody ever will Wink

DarthTrader, one recommendation:
If you write (*bla1*|*bla2*) this will be slower than *(bla1*|bla2*);
the reason is that when bla1 doesn't match it goes to the beginning again Wink
Dec. 19, 2008, 06:04 PM
Post: #10
RE: Remove Obfuscated Code [20081216]
I've not messed much with the "speed" of filters...

so let me ask, which of these would be faster?
1) *(bla1*|bla2*)
2) *(bla1|bla2)*
Dec. 19, 2008, 06:33 PM
Post: #11
RE: Remove Obfuscated Code [20081216]
I'm not sure about these two, maybe the first. I think the second could not match very well sometimes; I can't give you examples, but maybe in some header filters the second code could not match while the first does...
Dec. 19, 2008, 06:47 PM
Post: #12
RE: Remove Obfuscated Code [20081216]
(Dec. 19, 2008 06:04 PM)ProxRocks Wrote:  i've not messed much with the "speed" of filters...

so let me ask, which of these would be faster?
1) *(bla1*|bla2*)
2) *(bla1|bla2)*

This seems to work and should be better:
Code:
*((\\[#000:255])+{15}
|((%|\\x)\0([a-f]|[0-9])([a-f]|[0-9]))+{15}
|(((%|\\)u)\0([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9]))+{15}
|[^_a-Z0-9]eval \( ((([_a-Z0-9]+)(\+|))+{3,*}))*

Thanks for the help!
DarthTrader
Dec. 20, 2008, 12:53 PM
Post: #13
RE: Remove Obfuscated Code [20081216]
Seems that this:
Code:
([a-f]|[0-9])

could be simplified to this:
Code:
[a-f0-9]

which could then reduce to this:
Code:
((%|\\x)\0[a-f0-9]+{2})+{15}$SET(1=\066\06F\06F\062\061\072\000)

(((%|\\)u)\0[a-f0-9]+{4})+{15}$SET(1=\00066\0006F\0006F\00062\00061\00072)
But I'm not sure about the speed.

If this is the octal match, strictly speaking, it doesn't limit matching to octal:
Code:
(\\[#000:255])+{3}
as it will match 8 & 9, which are not valid for octal.
But for matching exploit code, maybe it doesn't matter, as there shouldn't be any 8 or 9 present.

For the heck of it, here's an octal character only match:
Code:
(\\([0-7][0-7]+&&[#000:377]))+{3}

But for this filter, maybe the inner numeric match should be limited to 3 numbers though.
Code:
[0-7]+{1,3}

foobar !!! Smile!

z12
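As an added, defender-side example (not the forum's or Proxomitron's own code), the heuristics of the [20081221b] filter in the first post and z12's octal refinement rewritten as Python regexes and run over a constructed script; the names find_obfuscation, neutralize and SAMPLE are my own.

```python
import re

# Escape classes from the thread's filter, rewritten as Python regexes. Octal digits are
# restricted to 0-7 (1 to 3 digits), following z12's point that [#000:255] also accepts 8 and 9.
OCTAL = r"\\[0-7]{1,3}"
HEX = r"(?:%|\\x)[0-9a-fA-F]{2}"
UNICODE = r"(?:%|\\)u[0-9a-fA-F]{4}"
ESCAPE = "(?:%s|%s|%s)" % (OCTAL, HEX, UNICODE)

# As in [20081221b], the run must start right after an opening quote and be at least
# MIN_RUN escapes long; short, legitimate escapes inside normal strings are left alone.
MIN_RUN = 10
RUN_RE = re.compile(r"""(["'])(%s{%d,})""" % (ESCAPE, MIN_RUN))

# The filter's other heuristic: eval( of three or more identifiers joined by "+".
EVAL_CONCAT_RE = re.compile(r"\beval\s*\(\s*(?:[A-Za-z0-9_]+\s*\+\s*){2,}[A-Za-z0-9_]+")


def find_obfuscation(script):
    """Return (kind, offset, detail) for every suspicious construct in the script text."""
    hits = []
    for m in RUN_RE.finditer(script):
        hits.append(("escape-run", m.start(), len(re.findall(ESCAPE, m.group(2)))))
    for m in EVAL_CONCAT_RE.finditer(script):
        hits.append(("eval-concat", m.start(), m.group(0)))
    return hits


def neutralize(script):
    """Drop the escape payload but keep the opening quote (the filter's Replace = \\0\\1)."""
    return RUN_RE.sub(lambda m: m.group(1), script)


# Constructed sample: a short harmless string, a 12-escape %u run, a 12-escape octal run,
# a run using digits 8/9 (not octal, so not flagged) and an eval() of concatenated parts.
SAMPLE = (
    'var short = "%u0066%u006F%u006F";\n'
    'var payload = unescape("' + "%u4141" * 12 + '");\n'
    'var oct = "' + "\\101\\102" * 6 + '";\n'
    'var notoct = "' + "\\189" * 12 + '";\n'
    'var p1 = "ev", p2 = "a", p3 = "l"; eval(p1 + p2 + p3);\n'
)

if __name__ == "__main__":
    for hit in find_obfuscation(SAMPLE):
        print(hit)
    print(neutralize(SAMPLE))
```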
Dec. 20, 2008, 06:39 PM
Post: #14
RE: Remove Obfuscated Code [20081216]
The trailing \000 in one of the replacements would become a binary zero by unescape(). Is that what's desired??
$SET(1=\066\06F\06F\062\061\072\000)
Dec. 20, 2008, 07:06 PM
Post: #15
RE: Remove Obfuscated Code [20081216]
That's not intentional; that simply translates to "foobar" (or so I'd hope).
I'll be revising the filter today; I came across some false positives, and I'll implement z12's ideas into the filter to make it more readable.

Thanks!

EDIT: Updated. Got rid of the "foobar" replacement texts, updated the octal and hex matching expressions (thanks z12), and I also added $TYPE(vbs).

I should have fixed most/all false positives by simply ensuring there is a double/single quote at the beginning (I had to increase the byte size to 91 to accommodate this additional byte).