The Un-Official Proxomitron Forum
Catch Suspicious Extensions [January 11, 2009] - Printable Version

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Proxomitron Filters (/forumdisplay.php?fid=38)
+--- Forum: Privacy/Security/Spam (/forumdisplay.php?fid=10)
+--- Thread: Catch Suspicious Extensions [January 11, 2009] (/showthread.php?tid=1029)



Catch Suspicious Extensions [January 11, 2009] - Kye-U - Apr. 21, 2008 11:49 PM

Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] 20090111 (In)"
URL = "(^$LST(KBSP))(^$IHDR(Content-Type:*text/(html|javascript)*))"
Match = "$URL(http://*.(^([a-z]+{2,4})(^/))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

In = TRUE
Out = FALSE
Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

This will catch any attempt to download files with the following extensions:

hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc

I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters! Smile!

Screenshots:

[attachment=117]
Prompt for standard, direct-link downloads

[attachment=118]
Prompt for "content-disposition"-redirected downloads


RE: Catch Suspicious Extensions [April 21, 2008] - Toppy - Apr. 24, 2008 11:02 PM

Hi Kye-U,

Does this mean we will have to bypass Proxo if we want to download some frequently served installation files ending in .EXE?


RE: Catch Suspicious Extensions [April 21, 2008] - Kye-U - Apr. 24, 2008 11:14 PM

Nope, this filter will allow you to select whether or not you want to allow a download. I'll take a screenshot of the window and add it to the first post Smile!


RE: Catch Suspicious Extensions [April 21, 2008] - Toppy - Apr. 24, 2008 11:23 PM

Thanks a lot!! Smile!


RE: Catch Suspicious Extensions [April 21, 2008] - Guest - Aug. 27, 2008 09:21 PM

Hello Kye-U,
I want to thank you very much for the second filter (content-disposition) that I just discovered today. In fact you're right, some downloads DO NOT trigger your good old Url-killer (suspicious ext.) that I've been using for years and I can say it has saved me a lot of times, many crap sites trying to fool people with hidden .exe!

But your example (webroot) showed me that crapfiles could come in without triggering the UrlKiller, and be downloaded by mistake or lack of attention!

So thanks again for that filter and for all the good job you're doing.


RE: Catch Suspicious Extensions [April 21, 2008] - Kye-U - Aug. 28, 2008 03:46 AM

I'm glad you're finding it helpful! I can see how it would prove useful against the new "XP antivirus 2008/9" malware that's floating around Smile! Thank you for your comment!


RE: Catch Suspicious Extensions [April 21, 2008] - lnminente - Sep. 23, 2008 08:19 PM

Very good filters Kye-U! But sometimes they have false positives, here is an example:
http://userstyles.org/styles/site/facebook.com

I don't know about header filters, could we improve these filters to not match html files?

Thanks in advance!


RE: Catch Suspicious Extensions [January 10, 2009] - Kye-U - Jan. 11, 2009 03:26 AM

Thanks lnminente, I've updated the first filter to match all content types other than HTML Wink


RE: Catch Suspicious Extensions [January 11, 2009] - Kye-U - Jan. 12, 2009 01:01 AM

Updated again to not match text/javascript, as I was getting a false positive on WildersSecurity (with Google API).


RE: Catch Suspicious Extensions [January 11, 2009] - traviscn - Jan. 12, 2009 12:32 PM

Is your following filter still needed?
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] (Out)"
URL = "(^$LST(KBSP))(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"



RE: Catch Suspicious Extensions [January 11, 2009] - ProxRocks - Jan. 12, 2009 12:40 PM

are these "drive-by downloads" merely theoretical, or has anyone seen one of these mythical beasts in the wild?

just curious - with .js dis'd by default (by Proxo, not at the browser-level), i've not seen any...


RE: Catch Suspicious Extensions [January 11, 2009] - lnminente - Jan. 12, 2009 05:50 PM

I like these filters Kye-U, many thanks for them Wink And now let's try to improve them Big Teeth

Analyzing the code of the first filter:
- "$URL(http://" is ftp covered by the other filter?
- *.(^([a-z]+{2,4})(^/))*. looking for an extension of only letters (no numbers) between 2 and 4 chars.

The detection of the extension gives false positives in links like http://host1/clear.gif?url=host2/cbs.com
Example here: http://www.cbs.com/primetime/big_bang_theory/video/video.php?pid=dRhXrjQBhUMUx9_iWocpdl_GXO5it9KW&play=true&cc=2
I recommend some code like (\1\?*|\1) or using \p for taking the real extension and later testing it

One modification for the first filter:
Code:
Match = "$SET(url=\p)$TST(url=*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"

And one question, now both filters are for incoming connections, why do we use 2 filters? Could we join them?


RE: Catch Suspicious Extensions [January 11, 2009] - lnminente - Jan. 13, 2009 11:44 PM

Idea!! I think it would be great for the framework to write a filter which sets a variable with the extension of the file we are downloading, it would be very useful for many other filters.
Just waiting for some recommendations from your experience with this filter to start writing any code Wink

Here is a good link to test both your filters: http://prdownload.berlios.de/avidemux/avidemux_2.4.3_win32.exe


RE: Catch Suspicious Extensions [January 11, 2009] - Kye-U - Jan. 15, 2009 05:31 AM

Thanks for that, I'll have to find time to work on this filter. The work/labs/assignments are slowly piling up!


RE: Catch Suspicious Extensions [January 11, 2009] - lnminente - Jan. 15, 2009 11:21 AM

The filter for taking extensions is done:
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "! : Take extension {ln}090116 (out)"
URL = "$SET(path=\p)$TST(path=([^/]+/)+([^.]+.([^.]+)\1)+)$SET(path=)$SET(Extension=\1)$LOG(w$DTM(c): Extension: $GET(Extension))"

I think your above filters could be resumed to the following matching code working together with the taking extension filter
Code:
$TST(extension=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)
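As an added illustration (Python, not Proxomitron filter code, and not written by any poster in this thread), here is a model of the decision logic the thread converges on: the original whole-URL match that trips on clear.gif?url=host2/cbs.com, the path-only extension check lnminente proposes, the Content-Disposition filename check from the second filter, and the text/html and text/javascript exclusion from the January update. Function names, and any sample URL or header not quoted in the thread, are constructed for this demo.

```python
import re
from urllib.parse import urlsplit

# Extension list copied from the thread's filter.
SUSPICIOUS = {
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat", "com",
    "cmd", "vb", "vbe", "vbs", "scr", "shs", "pif", "pcd", "ade", "adp",
    "anr", "chm", "cpl", "crt", "ins", "isp", "mdb", "mde", "msc", "msi",
    "msp", "mst", "wsf", "wsh", "wsc",
}

def naive_extension(url):
    """Original URL-Killer behaviour: the trailing '.ext' of the whole URL,
    query string included, so '.../clear.gif?url=host2/cbs.com' yields 'com'."""
    m = re.search(r"\.([A-Za-z]{2,4})$", url)
    return m.group(1).lower() if m else None

def path_extension(url):
    """lnminente's fix: look only at the URL path (Proxomitron's \\p) and take
    the text after the last '.' of the last path segment."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return last.rsplit(".", 1)[1].lower() or None

def disposition_filename(header):
    """Pull the filename= value out of a Content-Disposition header, quoted
    or bare (the job $AV() does in the second filter)."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', header, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def should_prompt(url, content_type=None, content_disposition=None):
    """Decision the two updated filters make together: skip HTML/JavaScript
    responses, otherwise prompt when the path or the served filename ends in
    a listed extension."""
    if content_type and re.search(r"text/(html|javascript)", content_type, re.I):
        return False
    exts = {path_extension(url)}
    if content_disposition:
        name = disposition_filename(content_disposition)
        if name and "." in name:
            exts.add(name.rsplit(".", 1)[1].lower())
    return bool(exts & SUSPICIOUS)
```

The userstyles.org link still yields "com" from the path, which is exactly why the Content-Type exclusion was needed on top of the path check.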