Wilders Security Forums  

  #26  
Old May 29th, 2008, 01:05 PM
jrmhng jrmhng is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: Australia
Posts: 1,268
Default Re: Malicious scripts

Well, for browser-based scripts there's always NoScript and FF.

For js and vbs you can just disable WSH right?

The real problem is scripts embedded into word docs and pdfs. Is there a solution to this?
  #27  
Old May 29th, 2008, 02:16 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Malicious scripts

Quote:
Originally Posted by huangker
The real problem is scripts embedded into word docs and pdfs. Is there a solution to this?
It depends on what the script does. Anything is possible, but in all known attacks I've seen documented, the payload is a malware executable, which of course is easily blocked.

This recent Adobe Reader .pdf attack:

http://isc.sans.org/diary.html?storyid=3958

Quote:
A malicious PDF file served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac.
A write up last year of an MSWord attack:

http://www.eweek.com/article2/0,1895,1965042,00.asp

Quote:
The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail. However, when the document is launched by the user the vulnerability is triggered to drop a backdoor with rootkit features to mask itself from anti-virus scanners.
Here is a nice analysis of how a payload is inserted into a Word document:

http://www.securityfocus.com/infocus/1874

Quote:
3. Sample mechanism of an attack

Steps to exploitation:
  • Step 1: The targeted victim opens the malicious MS Word document via an email attachment or a web page.
  • Step 2: The malicious storage component (dropper program) within the OLE Structured Storage gets executed as the Word file is opened.
  • Step 3: The Trojan is dropped on the victim's system.
  • Step 4: The trojan operates with a backdoor which allows the remote attacker to collect system information, access the command shell and take screen shots and store them to %System%\Capture.bmp.
It is very difficult to find such attacks to test, because

1) In case of a .pdf file, the attack is often directed at a particular version of the Reader, and may not work.
Also, every URL I've seen listed in an analysis has been taken down by the time it's posted.

2) In case of a Word attack, these are pretty much targeted to companies and organizations as email attacks, and no more information is forthcoming. I asked one Security Vendor for a copy of a malicious Word file they tested, and was told that it was proprietary property of the company.

Another thing to consider... these attacks require the user to click-to-open a malicious file. Ask yourself, Under what circumstances are you likely to encounter such a file, that is, what social engineering techniques would tempt you to open such a file?

If you are concerned about opening what you think is a legitimate .pdf or .doc file on a web site, or one received from a known source (the person may not know the document is infected), there are some other solutions:


1) pdf:

Alternate PDF readers are not a sure thing any more, as shown in the recent Foxit Reader vulnerability.

You can disable all but the necessary Plugins (Open and Print) in Acrobat Reader, so that no embedded code will run.

2) Word.doc:

==> using an older version of MSWord that won't run VBS code

==> open the documents in a text editor which will not run any code.



----
rich
  #28  
Old May 29th, 2008, 05:05 PM
zopzop zopzop is offline
Frequent Poster
 
Join Date: Apr 2006
Posts: 594
Default Re: Malicious scripts

Quote:
Originally Posted by Rmus
2) Word.doc:

==> using an older version of MSWord that won't run VBS code

==> open the documents in a text editor which will not run any code.

What happens if you open the .doc (or .xls or other office document) in OpenOffice?
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
  #29  
Old May 30th, 2008, 01:16 AM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,421
Default Re: Malicious scripts

Hello,
Nothing happens.
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #30  
Old June 16th, 2008, 08:53 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Malicious scripts

Quote:
Originally Posted by huangker
The real problem is scripts embedded into word docs and pdfs. Is there a solution to this?

You can disable scripting in both of these programs.
  #31  
Old June 16th, 2008, 09:14 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Malicious scripts

Software Restriction Policies can block standalone scripts. There are a number of extensions in my SRP Designated File Types, including .bat, .chm, .cmd, .hta, and .vb. You can add file extensions to this list.
  #32  
Old June 16th, 2008, 09:32 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Malicious scripts

A VBScript script embedded in a program document, such as a Word document, has the capability to create a .DLL that is then loaded into the program. Thus, you might wish to make sure your anti-executable solution can also deal with DLLs. SRP can handle this by using an Enforcement setting of 'All software files'. I have read that this may slow down your system though.

Source: http://blog.didierstevens.com/2008/0...in-a-vbscript/
  #33  
Old June 16th, 2008, 09:38 PM
jrmhng jrmhng is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: Australia
Posts: 1,268
Default Re: Malicious scripts

Will this solution disable all malicious js and vbs scripts even in pdf and word?

Found at Microsoft Technet

Quote:
In more desperate circumstances, you can disable Windows Script Host; this will prevent users from running any scripts (including VBScript and JScript scripts) that rely on WSH.

To disable Windows Script Host, create one of the following two registry entries (REG_DWORD) and set the value to 0 (you need to create the entry, because it does not exist by default). To disable WSH for a particular user, create this entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled

To disable WSH for all users of a particular computer, create this entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled

When enforced, the following message will be displayed any time a user attempts to run a WSH script:

Windows Script Host access is disabled on this machine. Contact your administrator for details.

This message box appears even if the user attempts to start the script from a batch file or using a designated script host (for example, by typing cscript.exe c:\scripts\myscript.vbs at the command prompt).


Also what are the potential side effects?
__________________
Windows 7 Professional
Avira - Secunia PSI - Hostsman
Firefox - No Script - LastPass
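
An added example, not part of the post above or of the quoted TechNet text: a small Python audit that reads the text of a registry export and reports whether the `Enabled` value described in the quote is set to 0 in either of the two locations. The export layout, the function name `wsh_status` and the sample export are assumptions constructed for illustration.

```python
import re

# The two locations named in the quoted TechNet text (value name: Enabled).
WSH_KEYS = {
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings",
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings",
}


def wsh_status(reg_text: str) -> dict:
    """Map each hive to 'disabled', 'enabled' or 'not set' from .reg export text."""
    wanted = {path.lower(): hive for hive, path in WSH_KEYS.items()}
    status = {hive: "not set" for hive in WSH_KEYS}  # entry does not exist by default
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry paths are case-insensitive, so compare in lower case.
            current = wanted.get(line[1:-1].lower())
            continue
        m = re.fullmatch(r'"enabled"\s*=\s*dword:([0-9a-f]{8})', line, re.IGNORECASE)
        if current and m:
            status[current] = "disabled" if int(m.group(1), 16) == 0 else "enabled"
    return status


# Constructed sample export: machine-wide value set to 0, nothing set per user.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"DisplayLogo"="1"
'''

if __name__ == "__main__":
    print(wsh_status(SAMPLE_EXPORT))
```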
  #34  
Old June 16th, 2008, 09:50 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Malicious scripts

Quote:
Originally Posted by huangker
Will this solution disable all malicious js and vbs scripts even in pdf and word?

I don't believe doing this will affect pdf or office scripts, because they don't depend on WSH. If you don't wish to disable scripting in these programs, I believe that HIPS settings for Adobe Reader and the Office products could constrain what the embedded scripts can do, but I didn't personally test this.

Last edited by MrBrian : June 16th, 2008 at 10:08 PM.
  #35  
Old June 17th, 2008, 10:16 AM
Pedro Pedro is offline
Massive Poster
 
Join Date: Nov 2006
Posts: 3,492
Default Re: Malicious scripts

Yes. The script will instruct what the program (office/adobe) should do.
  #36  
Old June 18th, 2008, 01:38 AM
jrmhng jrmhng is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: Australia
Posts: 1,268
Default Re: Malicious scripts

Quote:
Originally Posted by MrBrian
You can disable scripting in both of these programs.

I've found the JS options in adobe.

It is under Edit --> Preferences --> Javascript

However what about other scripts like vbs in PDFs? Is that possible?

What about in office 2007? Where are the settings?
__________________
Windows 7 Professional
Avira - Secunia PSI - Hostsman
Firefox - No Script - LastPass
  #37  
Old June 18th, 2008, 02:02 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Malicious scripts

Quote:
Originally Posted by huangker
I've found the JS options in adobe.

It is under Edit --> Preferences --> Javascript

However what about other scripts like vbs in PDFs? Is that possible?

Not that I know of.

If you get .chm files from untrusted sources, there are steps that can be taken to mitigate possible damage from opening them. Let me know if you want more details....

For Word, you can look at Tools->Macros->Security. This is for Word 2003 however.
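
An added example, not part of any post in this thread: since disabling WSH does not reach JavaScript embedded in a PDF, a received file can be checked for script and auto-run keywords before it is opened in a reader. The sketch below scans raw PDF bytes for those name objects, including hex-escaped spellings; the function names and the sample bytes are constructed for illustration.

```python
import re
from collections import Counter

# PDF name objects that carry script or trigger an action when the file opens.
RISKY = {"JS", "JavaScript", "OpenAction", "AA", "Launch", "EmbeddedFile"}

# A name is "/" plus regular characters; "#xx" is a hex-escaped byte in a name.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\f\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes without opening the file in a reader.

    Names inside compressed streams are not visible to this scan, so an empty
    result does not prove the file is script-free.
    """
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no PDF header found")
    counts, escaped = Counter(), set()
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY:
            counts[name] += 1
            if b"#" in m.group(1):
                escaped.add(name)  # hex-escaping a keyword is itself suspicious
    return {"counts": dict(counts), "escaped": sorted(escaped),
            "has_script": bool(counts.get("JS") or counts.get("JavaScript")),
            "auto_runs": bool(counts.get("OpenAction") or counts.get("AA"))}


# Constructed sample: a catalog with an open action pointing at a script action.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```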
 

All times are GMT -4. The time now is 03:48 AM.

