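# DANGEROUS-CONTENT-PATTERNS.RC
#
# Patterns to catch email with attachments that could be
# a virus or trojan, or with links to content that could
# be a virus or trojan.
#
# How this file works: every recipe only tags the message
# (SPAMTAG=yes, DANGEROUS=yes), records a reason in SBLOG and then
# includes ${SBDIR}/functions/loglevel.rc.  No recipe here delivers,
# moves or drops the message itself; that is left to whatever
# includes this file.  Each recipe is gated on "DANGEROUS ?? ^no$",
# so DANGEROUS must already be set to "no" when this file is read,
# otherwise nothing below fires.  Most recipes are additionally gated
# on a per-check switch (IFRAMECHECKING, SCRIPTCHECKING,
# CHMEXPLOITCHECKING, CLSIDCHECKING, ZIPCHECKING, EXEDOCCHECKING,
# EXELINKCHECKING) that must be exactly "yes".
#
# Scored recipes use procmail's "w^x" weights: a "-1000^0" (or "-1^0")
# condition seeds a negative score and each following condition adds
# its weight on match; the recipe fires when the total is positive.
#
# Last updated: 10/14/2016


# Hidden executables (typical of viruses)
#
# This catches those file attachment names like IEEE802WAPTER.doc.pif,
# hello.doc.bat, and readme.HTML.vbs, i.e. an executable extension
# hidden behind an inner extension of one to three characters.
#
# NOTE: .vbs/.vbe are not in this list; they are only caught by the
# binary-archive recipe further down, and only when ZIPCHECKING=yes.
#
:0 BH
* DANGEROUS ?? ^no$
* B ?? (^|[^0-9a-z])name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
  [0-9a-z][0-9a-z]?[0-9a-z]?\.(bat|com|cmd|cpl|dll|\
  exe|hqx|hta|lnk|pif|scr)([^0-9a-z.]|$)
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Hidden Executable Attachment"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# EXECUTABLE ATTACHMENTS
#
# This section contains attachment patterns (MIME types and file
# names) for known or probable trojans, viruses, spyware, or other
# active content that poses a direct risk to at least some computer
# users.

# Document Attachments with Scripts Explicitly Enabled
#
# Matches the macro-enabled Word MIME type when it carries a
# ";"-terminated version suffix (e.g. "macroEnabled.12;").
#
# NOTE(review): the first alternative matches the literal text
# "--_com.android.email", which looks like a MIME boundary prefix
# rather than a macro-enabled document; confirm it is intended, as it
# would tag every message carrying that boundary.
#
# The "DANGEROUS ?? ^no$" guard is added for consistency with every
# other recipe in this file, so a message already tagged by the
# hidden-executable recipe above is not tagged a second time.
:0
* DANGEROUS ?? ^no$
* B ?? ([-][-]_com\.android\.email|\
  application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9];)
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Malware Attachment (Document w/Scripts Explicity Enabled)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Trojan attachments
#
# (Originally titled "Trojan URLs"; the conditions match attachment
# names and MIME types in the body, not links.)  Score starts at -1
# and each matching condition adds 2, so one hit is enough.  The third
# condition is the hidden-executable pattern from above extended with
# an optional "file" prefix and the "jar" extension.
:0 B
* DANGEROUS ?? ^no$
* -1^0
* B ?? 2^0 application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9]
* B ?? 2^0 (^|[^0-9a-z])Content-Type: application/vnd\.ms-word\.document\.macroEnabled([^0-9a-z.]|$)
* B ?? 2^0 (^|[^0-9a-z])(file)?name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
  (bat|com|cmd|cpl|dll|exe|hqx|hta|jar|lnk|pif|scr)([^0-9a-z.]|$)
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Probable Malware Attachment (Pattern Match)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# GENERIC DANGEROUS CONTENT

# Embedded IFRAME
#
# This catches email with embedded IFRAMEs, which can run remote
# executable content on some email programs and are therefore
# dangerous.
#
# Score starts at -1000; each match of either condition adds 1100
# (exponent 1), so a single "<iframe ... src= ... height= ... width="
# or a single "iframe>" is enough to tag the message.
#
:0 BH
* DANGEROUS ?? ^no$
* IFRAMECHECKING ?? ^yes$
* -1000^0
* 1100^1 ()<iframe.*src=.*height=.*width=
* 1100^1 iframe>
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Embedded iframe"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# Embedded Scripts
#
# This catches HTML-based email with embedded Scripting code,
# Javascript or others.
#
# Score starts at -1000 and must exceed it.  A "<SCRIPT language="
# plus "</SCRIPT>" pair scores 1200; an "<object" (500) needs two of
# the 300-point hints (codebase, the word "data", or any ":/" as in a
# URL) to fire.  The exponent-0 conditions count only their first
# match.
#
# NOTE(review): the "(file:/)?.*[a-z]?:/" condition reduces to
# matching ":/" anywhere, i.e. any URL scheme, not only file: links.
# NOTE(review): "<SCRIPT language=" does not match a <script> tag that
# uses only type= or no attribute; "</SCRIPT>" alone scores 600 and
# such messages stay below the threshold -- a known detection gap.
#
:0 BH
* DANGEROUS ?? ^no$
* SCRIPTCHECKING ?? ^yes$
* -1000^0
* 600^1 ()<SCRIPT language=
* 600^1 ()</SCRIPT>
* 500^0 ()<object
* 300^0 codebase
* 300^0 data
* 300^0 (file:/)?.*[a-z]?:/
* 100^0 classid
* 100^0 clsid:[-0-9a-f]+
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Embedded Script"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# Help.chm exploit
#
# This catches email with a URL that downloads a help.chm file,
# which on Microsoft Windows computers running IE, in turn exploits
# a known bug. Email with this type of URL is rarely, if ever,
# legitimate.
#
# The pattern is deliberately narrow: a hostname on port 8888 with
# path "/help.chm::/" (the CHM in-file path separator).
#
:0 B
* DANGEROUS ?? ^no$
* CHMEXPLOITCHECKING ?? ^yes$
* (^|[^-_0-9a-z])https?://[0-9a-z][-_0-9a-z.]+:8888/help\.chm::/
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Help.CHM Exploit"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# Hidden CLSID
#
# This catches email with hidden CLSID objects: an attachment name
# whose extension is a "{...}" class id, optionally followed by a
# short decoy extension.
#
# The CLSIDCHECKING test is anchored ("^yes$") like every other switch
# in this file instead of the bare substring "yes".
#
# NOTE(review): "\(text\)" matches the literal parenthesised word
# "(text)" on the Content-Type line (procmail treats "\(" as a
# literal); if a group was intended, this condition rarely matches and
# the recipe is effectively disabled -- confirm against real mail.
#
:0 BH
* DANGEROUS ?? ^no$
* CLSIDCHECKING ?? ^yes$
* ^Content-Type[ ]*:.*\(text\)
* name[ ]*.?[ ]*=.*\.[ ]*\{[-0-9a-f]+\}(\.....?)?"?[ ]*$
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Hidden CLSID"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# .ZIP, .RAR, and other binary archive attachments
#
# This catches any email with an attached binary archive file (or a
# .vbs/.vbe script) so it can be put in your ${BLOCKFOLDER}; the move
# itself is presumably done by the caller, this recipe only tags.
# This filter should intercept many new email viruses.
#
# A Subject containing ${BYPASSWD} is meant to exempt the message.
# NOTE(review): procmail expands variables in a condition only when
# the condition carries the "$" modifier; as written the "${BYPASSWD}"
# text may be taken literally and the bypass never honoured -- confirm
# against procmailrc(5).  Also, if BYPASSWD is empty the negated
# condition matches every Subject and this recipe never fires.
#
:0
* DANGEROUS ?? ^no$
* ZIPCHECKING ?? ^yes$
* ! H ?? ^Subject:.*${BYPASSWD}
* B ?? (^|[^0-9a-z])name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+(arc|bz2?|\
  gz|rar|tar|tbz|tgz|vbe|vbs|Z|zip)([^0-9a-z.]|$)
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Binary Archive Attachment"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# Document Files with Executable Code (also too dangerous)
#
# This catches any email containing a document file of a type that
# can contain executable macros, such as most Microsoft Office files
# can, so it can be put in your ${BLOCKFOLDER} (the move is presumably
# done by the caller; this recipe only tags).  This filter should
# intercept many new email viruses.
#
# Score starts at -1000 and any one of the 1100-point conditions fires
# the recipe.  The same ${BYPASSWD} caveats as for the archive recipe
# apply to the Subject exemption here.
#
# Fixes relative to the previous revision: the character class in the
# first scored condition read "[-_0-9az-.]" (a reversed "z-." range)
# and is now "[-_0-9a-z.]" as in the other conditions; and a stray
# trailing backslash after the octet-stream condition had joined the
# following "* 1100^0 ^Content-Transfer-Encoding..." line into its
# regular expression, silently breaking both conditions.
#
:0 BH
* DANGEROUS ?? ^no$
* EXEDOCCHECKING ?? ^yes$
* !^Subject:.*${BYPASSWD}
* -1000^0
* 1100^0 ^Content-Type: application/[0-9a-z][-_0-9a-z.]+$\
  Content-Disposition: attachment; (file)?name( )*=( )*(\")?[0-9a-z][-_0-9a-z.]+\.\
  (cd.|doc|pdf|ppt|prj|vs.|xl.)(\")?$(.*$)+$\
  [^ ]+$
* 1100^0 ^Content-Transfer-Encoding: base64$Content-Disposition: attachment; \
  (file)?name( )*=( )*(\")?[0-9a-z][-_0-9a-z.]+\.\
  (cd.|doc|pdf|ppt|prj|vs.|xl.)(\")?$(.*$)+$\
  [^ ]+$
* 1100^0 ^Content-Type: application/octet-stream;$\
  [^0-9a-z]*name=\"[^"]*\.(cd.|doc|pdf|ppt|prj|vs.|xl.)\"$
* 1100^0 ^Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment;$\
  [^0-9a-z]*filename=\"[^"]*\.(cd.|doc|pdf|ppt|prj|vs.|xl.)\"$
* 1100^0 ^Content-Type: application/msword(;|$)
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! Executable Document Type"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# URL to executable download
#
# This catches email with links to an executable download, either by
# host name (first condition) or by dotted-decimal address (second
# condition).  Dots in the host and file name may also be written as
# "=2E" or "%2E" (quoted-printable / URL encoding).
#
# NOTE(review): the character shown as "�" in the dot alternatives is
# mis-encoded in this copy of the file; it presumably stood for a
# non-ASCII dot look-alike.  Restore it from the original file before
# relying on this recipe.
#
:0 B
* DANGEROUS ?? ^no$
* EXELINKCHECKING ?? ^yes$
* -1000^0
* 1100^0 (^|[^-_0-9a-z])(ftp|https?)://([0-9a-z][-_0-9a-z]+(�|\.|[=%]2E))+\
  [a-z][a-z][a-z]?[a-z]?/\
  ((~)?[-_0-9a-z.]+/*)*([0-9a-z][-_0-9a-z]+(�|\.|[=%]2E))+\
  (hta|vbs|exe|scr|pif|lnk|bat)([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])(ftp|https?)://[0-9][0-9]?[0-9]?(�|\.|[=%]2E)\
  [0-9][0-9]?[0-9]?(�|\.|[=%]2E)[0-9][0-9]?[0-9]?(�|\.|[=%]2E)\
  [0-9][0-9]?[0-9]?/\
  ((~)?[-_0-9a-z.]+/*)*([0-9a-z][-_0-9a-z]+(�|\.|[=%]2E))+\
  (hta|vbs|exe|scr|pif|lnk|bat)([^a-z0-9.]|\. |\.$|$)
{
  SPAMTAG=yes
  DANGEROUS=yes
  SBLOG="A1S-DANGER! URL link to executable file"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}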