Merge branch 'v0.2_GuLoader'

README.md

@@ -4,15 +4,25 @@
 #### Description  
 Not all things are seen as equal until you stare at it long enough!  
 
-With malware causing havoc across the globe, this browser extension is a PoC for blocking Emotet downloads using just the response headers. The research can be found in this thread: https://twitter.com/ecstatic_nobel/status/1176267975537713152?s=19.   
+With malware causing havoc across the globe, this browser extension is a PoC for blocking malware downloads using just the response headers. The research for Emotet can be found in this thread: https://twitter.com/ecstatic_nobel/status/1176267975537713152?s=19.   
+
+#### Demonstration blocking GuLoader:  
+- Connect to URLhaus  
+- Open three (3) database entries for recent and active GuLoader URLs that contain the word "encrypted"  
+- Hightlight and open the URL in a new tab  
+- Not AV detects it, file download is blocked, and the browser is redirected to 127.0.0.1  
 
 #### Demonstration blocking Emotet:  
 - Connect to URLhaus  
 - Open three (3) database entries for recent and active Emotet URLs  
 - Hightlight and open the URL in a new tab  
 - Not AV detects it, file download is blocked, and the browser is redirected to 127.0.0.1  
 
-**NOTE: Out of the box, this will block the majority of Emotet (or other file download) that has a cookie name built with the PHP uniqid function (or something similar) in the Set-Cookie header. This PoC can be strengthened by adding other indicators found in the response (or request) headers to avoid false-positives.**  
+>NOTE: Out of the box, this will block the majority of:
+>  - GuLoader malware that contains the word "encrypted"
+>  - Emotet (or other file download) that has a cookie name built with the PHP uniqid function (or something similar) in the Set-Cookie header
+>
+>This PoC can be strengthened by adding other indicators found in the response (or request) headers to avoid false-positives.  
 
 ![Not Anti-Virus](https://raw.githubusercontent.com/ecstatic-nobel/Not-Anti-virus/master/notav.gif)  
 

background.js

@@ -1,14 +1,29 @@
 var match = false
 
-function blockRequest(d) {
-  if (d.statusCode == 200) {
-    if (d.method == "GET" || d.method == "POST") {
-      var headers = d.responseHeaders;
+var content_disposition = /attachment;(\s+)?filename=\"\w+_encrypted_([0-9]|[a-f]|[0-9a-f])+\.bin\".*/gi
+var set_cookie = /(^|\n)5[a-z][a-f0-9].*/gi
+var uri = /\w+_encrypted_([0-9]|[a-f]|[0-9a-f])+\.bin.*/gi
 
-      for (var i = 0, l = headers.length; i < l; ++i) {
+function blockRequest(r) {
+  if (r.url.match(uri)) {
+    return {
+      redirectUrl: "http://127.0.0.1/"
+    }
+  }
+};
+
+function blockResponse(rr) {
+  if (rr.statusCode == 200) {
+    if (rr.method == "GET" || rr.method == "POST") {
+      var resp_headers = rr.responseHeaders;
+
+      for (var i = 0, l = resp_headers.length; i < l; ++i) {
         if (
-          headers[i].name.toLowerCase() == "set-cookie" &&
-          headers[i].value.match(/((^|\n)5[a-z][a-f0-9].*)/gi)
+          (resp_headers[i].name.toLowerCase() == "set-cookie" &&
+          resp_headers[i].value.match(set_cookie))
+          ||
+          (resp_headers[i].name.toLowerCase() == "content-disposition" &&
+          resp_headers[i].value.match(content_disposition))
         ) {
           return {
             redirectUrl: "http://127.0.0.1/"
@@ -25,25 +40,27 @@ var _this = this;
 try {
   if (chrome[api]) {
     _this[api] = chrome[api];
-
-    _this[api].onHeadersReceived.addListener(
-      blockRequest, {
-        urls: ["*://*/*"]
-      },
-      ['blocking', 'responseHeaders', 'extraHeaders']
-    );
+    params = ['blocking', 'responseHeaders', 'extraHeaders']
+  } else if (browser[api]) {
+    _this[api] = browser[api];
+    params = ['blocking', 'responseHeaders']
   }
 } catch (e) {}
 
 try {
-  if (browser[api]) {
-    _this[api] = browser[api];
+  _this[api].onBeforeRequest.addListener(
+    blockRequest, {
+      urls: ["<all_urls>"]
+    },
+    ['blocking']
+  );
+} catch (e) {}
 
-    _this[api].onHeadersReceived.addListener(
-      blockRequest, {
-        urls: ["*://*/*"]
-      },
-      ['blocking', 'responseHeaders']
-    );
-  }
+try {
+  _this[api].onHeadersReceived.addListener(
+    blockResponse, {
+      urls: ["<all_urls>"]
+    },
+    params
+  );
 } catch (e) {}

manifest.json

@@ -1,13 +1,14 @@
 {
-  "name": "Not Anti-virus",
+  "name": "Not Anti-Virus",
   "author": "ecstatic-nobel",
-  "version": "1.0",
+  "version": "0.2",
   "manifest_version": 2,
   "description": "An attmept to block malware before AV scans it.",
   "homepage_url": "https://github.com/ecstatic-nobel/Not-Anti-Virus",
   "background": {
     "scripts": [
-      "background.js"
+      "background.js",
+      "background.min.js"
     ],
     "persistent": true
   },