Catch Suspicious Extensions [January 11, 2009]
Apr. 21, 2008, 11:49 PM
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] 20090111 (In)"
URL = "(^$LST(KBSP))(^$IHDR(Content-Type:*text/(html|javascript)*))"
Match = "$URL(http://*.(^([a-z]+{2,4})(^/))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

In = TRUE
Out = FALSE
Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

This will catch any attempt to download files with the following extensions:

hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc

I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters! Smile!

Screenshots:

[Screenshot filter.jpg] Prompt for standard, direct-link downloads

[Screenshot f2.jpg] Prompt for "content-disposition"-redirected downloads
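The same two checks the filters above perform (extension at the end of a URL path, and extension of the filename carried in a Content-Disposition header), written as an added Python example rather than Proxomitron syntax, so the detection logic can be run over captured responses outside the proxy. It uses the post's 35-extension list; it generalizes the first filter slightly by also flagging a URL that carries a query string, which the original pattern's (^?) requires to be absent, and it mirrors that filter's skip of text/html and text/javascript responses. The header values used below are constructed samples, not from the post.

```python
import re
from urllib.parse import urlsplit

# Extension list copied from the post.
SUSPICIOUS_EXTENSIONS = {
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat", "com", "cmd",
    "vb", "vbe", "vbs", "scr", "shs", "pif", "pcd", "ade", "adp", "anr", "chm",
    "cpl", "crt", "ins", "isp", "mdb", "mde", "msc", "msi", "msp", "mst",
    "wsf", "wsh", "wsc",
}

# Content types the URL filter deliberately leaves alone (its Content-Type exclusion).
_SKIPPED_TYPES = ("text/html", "text/javascript")

# filename=<value>, where the value may be double-quoted or bare (as $AV() accepts).
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def _extension(name):
    """Lower-cased extension of the last path segment of `name`, or None if it has none."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()


def suspicious_url(url, content_type=None):
    """Return the flagged extension when the URL path ends in one, else None.

    Responses whose Content-Type is HTML or JavaScript are skipped, as in the first filter.
    """
    if content_type and content_type.lower().startswith(_SKIPPED_TYPES):
        return None
    ext = _extension(urlsplit(url).path)
    return ext if ext in SUSPICIOUS_EXTENSIONS else None


def suspicious_disposition(header_value):
    """Return the flagged extension of the filename in a Content-Disposition value, else None."""
    m = _FILENAME_RE.search(header_value)
    if not m:
        return None
    filename = m.group(1) if m.group(1) is not None else m.group(2)
    ext = _extension(filename)
    return ext if ext in SUSPICIOUS_EXTENSIONS else None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the post.
    print(suspicious_url("http://example.test/setup.exe?id=1"))            # exe
    print(suspicious_disposition('attachment; filename="invoice.scr"'))   # scr
```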
Messages In This Thread
Catch Suspicious Extensions [January 11, 2009] - Kye-U - Apr. 21, 2008 11:49 PM
RE: Catch Suspicious Extensions [April 21, 2008] - Guest - Aug. 27, 2008, 09:21 PM