Remove Obfuscated Code [20081221b]
Dec. 17, 2008, 03:30 AM
Post: #1
Remove Obfuscated Code [20081221b]
Code: [Patterns]
Test page: http://prxbx.com/test/IEXMLPoC.html (warning, may crash your IE-based browser)
edit by admin: inserted missing " after the ) in the second-to-last line of the Match Code...
Old Versions:
Code: [Patterns]

Dec. 17, 2008, 04:22 PM
Post: #2
RE: Remove Obfuscated Code [20081216]
Thanks, KyeU, for this filter. Looks like it replaces the PoC code with this:
Code: var shellcode = unescape["%u0066%u006F%u006F%u0062%u0061%u0072
This seems to cause Avira to quarantine the whole thing even with WebGuard disabled. Just thought I'd let you know.
Thanks again,
DarthTrader.
**Edited by Kye-U: the filter is matching the code in this post**

Dec. 17, 2008, 05:10 PM
Post: #3
RE: Remove Obfuscated Code [20081216]
DarthTrader, try deleting \1 in the replacement code
Dec. 17, 2008, 05:55 PM
Post: #4
RE: Remove Obfuscated Code [20081216]

Dec. 17, 2008, 06:09 PM
Post: #5
RE: Remove Obfuscated Code [20081216]
Maybe the text which Avira matches for detecting this exploit is still present, but it wouldn't be bad after this filter deactivated it...

Dec. 17, 2008, 06:11 PM
Post: #6
RE: Remove Obfuscated Code [20081216]
I'd highly recommend keeping the \k in the Replacement Text (and also the $ALERT, so you'll know if it's producing any false positives).
I think the content is loaded through Avira before it reaches Proxomitron, so that's why you still get the message.

Dec. 17, 2008, 06:56 PM
(This post was last modified: Dec. 17, 2008 07:49 PM by DarthTrader.)
Post: #7
RE: Remove Obfuscated Code [20081216]
(Dec. 17, 2008 06:11 PM)Kye-U Wrote: I'd highly recommend keeping the \k in the Replacement Text (and also the $ALERT, so you'll know if it's producing any false positives).
Okay, I will keep both of them.
Quote: I think the content is loaded through Avira before it reaches Proxomitron, so that's why you still get the message.
I think this is only true if WebGuard is enabled. The quarantined page I am seeing has all the Prox code inserted.
DarthTrader
Oops, now I am seeing FPs on this page: http://www.dslreports.com/forum/security

Dec. 19, 2008, 02:41 PM
Post: #8
RE: Remove Obfuscated Code [20081216]
Here is a modified version (please don't laugh!)
Code: [Patterns]
Comments and corrections welcome!
DarthTrader

Dec. 19, 2008, 05:31 PM
Post: #9
RE: Remove Obfuscated Code [20081216]

Dec. 19, 2008, 06:04 PM
Post: #10
RE: Remove Obfuscated Code [20081216]
i've not messed much with the "speed" of filters...
so let me ask, which of these would be faster?
1) *(bla1*|bla2*)
2) *(bla1|bla2)*

Dec. 19, 2008, 06:33 PM
Post: #11
RE: Remove Obfuscated Code [20081216]
I'm not sure about these two, maybe the first. I think the second could not match very well sometimes; I can't give you examples, but maybe in some header filters the second code could not match while the first does...

Dec. 19, 2008, 06:47 PM
Post: #12
RE: Remove Obfuscated Code [20081216]
(Dec. 19, 2008 06:04 PM)ProxRocks Wrote: i've not messed much with the "speed" of filters...
This seems to work and should be better:
Code: *((\\[#000:255])+{15}
Thanks for the help!
DarthTrader

Dec. 20, 2008, 12:53 PM
Post: #13
RE: Remove Obfuscated Code [20081216]
Seems that this:
Code: ([a-f]|[0-9])
could be simplified to this:
Code: [a-f0-9]
which could then reduce to this:
Code: ((%|\\x)\0[a-f0-9]+{2})+{15}$SET(1=\066\06F\06F\062\061\072\000)
If this is the octal match, strictly speaking, it doesn't limit matching to octal:
Code: (\\[#000:255])+{3}
But for matching exploit code, maybe it doesn't matter, as there shouldn't be any 8 or 9 present. For the heck of it, here's an octal character only match:
Code: (\\([0-7][0-7]+&&[#000:377]))+{3}
But for this filter, maybe the inner numeric match should be limited to 3 numbers though.
Code: [0-7]+{1,3}
foobar !!!
z12

Dec. 20, 2008, 06:39 PM
Post: #14
RE: Remove Obfuscated Code [20081216]
The trailing \000 in one of the replacements would become a binary zero by unescape(). Is that what's desired??
$SET(1=\066\06F\06F\062\061\072\000)

Dec. 20, 2008, 07:06 PM
Post: #15
RE: Remove Obfuscated Code [20081216]
That's not intentional; that simply translates to "foobar" (or so I'd hope).
I'll be revising the filter today; I came across some false positives, and I'll implement z12's ideas into the filter to make it more readable. Thanks!
EDIT: Updated. Got rid of the "foobar" replacement texts, updated the octal and hex matching expressions (thanks z12), and I also added $TYPE(vbs). I should have fixed most/all false positives by simply ensuring there is a double/single quote at the beginning (I had to increase the byte size to 91 to accommodate for this additional byte).
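The two detection ideas the thread converges on, z12's octal-only digit class `[0-7]+{1,3}` from post #13 and the leading double/single quote that Kye-U adds in post #15 to cut false positives, can be checked outside Proxomitron. The following is an added Python example written for this page; it is not the filter posted in the thread and does not use Proxomitron's pattern language. It re-expresses the escape forms as ordinary regular expressions, flags runs of at least 15 consecutive escapes (the thread's `+{15}`), and optionally requires the run to start right after a quote. The function names, the threshold parameter and the sample page are assumptions constructed for the example.

```python
import re

# Escape forms discussed in the thread. The octal class follows z12's
# [0-7]{1,3} suggestion, so "\08" or "\9.." never counts as an octal escape.
ESCAPE_FORMS = {
    "hex_u":   r"%u[0-9a-fA-F]{4}",   # %uXXXX, consumed by JavaScript unescape()
    "hex_pct": r"%[0-9a-fA-F]{2}",    # %XX
    "hex_x":   r"\\x[0-9a-fA-F]{2}",  # \xHH inside a string literal
    "octal":   r"\\[0-7]{1,3}",       # \NNN, octal digits only
}


def find_escape_runs(text, min_run=15, require_quote=True):
    """Return runs of at least `min_run` consecutive escapes of one form.

    With require_quote=True the run must begin right after a " or ', the
    false-positive fix described in post #15, so escaped characters that
    are not at the start of a string literal are ignored.
    """
    prefix = r"""(?<=["'])""" if require_quote else ""
    findings = []
    for name, form in ESCAPE_FORMS.items():
        run_re = re.compile(prefix + r"(?:" + form + r"){" + str(min_run) + ",}")
        for m in run_re.finditer(text):
            findings.append({
                "form": name,
                "count": len(re.findall(form, m.group(0))),
                "start": m.start(),
                "sample": m.group(0)[:24] + "...",
            })
    findings.sort(key=lambda f: f["start"])
    return findings


# Constructed sample page (not from the thread): one benign unescape() of
# accented characters, three long escape runs inside quotes, and one long
# run outside quotes that only the unquoted mode reports.
SAMPLE_PAGE = (
    "<script>\n"
    'var title = unescape("%u00e9t%u00e9");\n'
    'var a = "' + "%u0041" * 20 + '";\n'
    'var b = "' + "\\101" * 16 + '";\n'
    'var c = "' + "\\x41" * 16 + '";\n'
    "var d = " + "%u0041" * 20 + ";\n"
    "</script>\n"
)

if __name__ == "__main__":
    for f in find_escape_runs(SAMPLE_PAGE):
        print(f"{f['form']:8} x{f['count']:<3} at offset {f['start']}: {f['sample']}")
```

Running the block on the constructed page reports the three quoted runs (20 `%u` escapes, 16 octal, 16 `\x`) and skips both the two-escape accent string and the unquoted run; calling `find_escape_runs(SAMPLE_PAGE, require_quote=False)` also reports the unquoted run, which is the kind of hit the quote requirement in post #15 was added to suppress.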