Malicious scripts

Discussion in 'other security issues & news' started by Osaban, Dec 1, 2007.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Well for browser based scripts theres always noscript and FF.

    For js and vbs you can just disable WSH right?

    The real problem is scripts embedded into word docs and pdfs. Is there a solution to this?
  2. Rmus

    Rmus Exploit Analyst

    It depends on what the script does. Anything is possible, but in all known attacks I've seen documented, the payload is a malware executable, which of course is easily blocked.

    This recent Adobe Reader .pdf attack:

    http://isc.sans.org/diary.html?storyid=3958

    A write up last year of an MSWord attack:

    http://www.eweek.com/article2/0,1895,1965042,00.asp

    Here is a nice analysis of how a payload is inserted into a Word document:

    http://www.securityfocus.com/infocus/1874

    It is very difficult to find such attacks to test, because

    1) In case of a .pdf file, the attack is often directed at a particular version of the Reader, and may not work.
    Also, every URL I've seen listed in an analysis has been taken down by the time it's posted.

    2) In case of a Word attack, these are pretty much targeted to companies and organizations as email attacks, and no more information is forthcoming. I asked one Security Vendor for a copy of a malicious Word file they tested, and was told that it was proprietary property of the company.

    Another thing to consider... these attacks require the user to click-to-open a malicious file. Ask yourself, under what circumstances are you likely to encounter such a file, that is, what social engineering techniques would tempt you to open such a file?

    If you are concerned about opening what you think is a legitimate .pdf or .doc file on a web site, or one received from a known source (the person may not know the document is infected), there are some other solutions:


    1) pdf:

    Alternate PDF readers are not a sure thing any more, as shown in the recent Foxit Reader vulnerability.

    You can disable all but the necessary Plugins (Open and Print) in Acrobat Reader, so that no embedded code will run.

    2) Word.doc:

    ==> using an older version of MSWord that won't run VBS code

    ==> open the documents in a text editor which will not run any code.



    ----
    rich
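Rmus's point that the dangerous part of these documents is the embedded script (PDF JavaScript, Word VBA) rather than the document itself can be checked before opening a file at all. The following is an added example, not code from this thread or any of its posters: a small Python triage script that looks for script indicators in a PDF (the /JavaScript, /JS, /OpenAction, /AA and /Launch names, including the hex-escaped spelling such as /J#61vaScript that some samples use to hide the name) and for VBA macro storage in Office files (a vbaProject.bin part in the zip-based formats, or the _VBA_PROJECT stream name in the legacy OLE format). The sample PDF and documents are constructed inline so the script runs offline; the file names and helper names are the example's own assumptions.

```python
"""Defender-side document triage: flag embedded script indicators.

Nothing here executes or renders the document; it only inspects bytes.
"""
import io
import re
import zipfile

# PDF name objects may spell letters as #xx hex escapes, e.g. /J#61vaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names associated with script execution or automatic actions in a PDF.
PDF_SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# Legacy binary Office files (.doc/.xls) start with this OLE compound-file magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name compares like the plain one."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_script_indicators(data: bytes) -> list:
    """Return the script/action names present in the raw PDF bytes, in key order."""
    text = normalize_pdf_names(data)
    found = []
    for key in PDF_SCRIPT_KEYS:
        # Require a non-letter after the key so /JS does not match a longer name.
        if re.search(re.escape(key) + rb"(?![A-Za-z])", text):
            found.append(key.decode())
    return found


def office_macro_indicators(data: bytes) -> list:
    """Return macro storage indicators for a zip-based or legacy OLE Office file."""
    found = []
    if data.startswith(b"PK"):
        # Office 2007+ formats are zip containers; VBA lives in vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                found = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        except zipfile.BadZipFile:
            return []
    elif data.startswith(OLE_MAGIC):
        # OLE directory entries store stream names as UTF-16LE.
        for marker in ("_VBA_PROJECT", "Macros"):
            if marker.encode("utf-16-le") in data:
                found.append(marker)
    return found


def triage(filename: str, data: bytes) -> dict:
    """Pick the right checker from the file content and summarise the result."""
    if data.startswith(b"%PDF") or filename.lower().endswith(".pdf"):
        indicators = pdf_script_indicators(data)
    else:
        indicators = office_macro_indicators(data)
    return {"file": filename, "indicators": indicators, "suspicious": bool(indicators)}


# --- constructed sample inputs (not real malware) ---------------------------
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
# Minimal legacy .doc: OLE magic followed by a VBA project stream name.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le")


def build_docx(with_macro: bool) -> bytes:
    """Build a minimal zip-based document, optionally carrying a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("sample.pdf", SAMPLE_PDF), ("clean.pdf", CLEAN_PDF),
                       ("macro.docm", build_docx(True)), ("plain.docx", build_docx(False)),
                       ("legacy.doc", SAMPLE_DOC)):
        print(triage(name, blob))
```

The check is deliberately content-based rather than extension-based, since a .doc that is really a zip container (or vice versa) is a common way to confuse extension-driven controls such as a script-blocking policy; a hit means "open this in a viewer with scripting disabled or not at all", not that the file is confirmed malicious.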
  3. zopzop

    zopzop Registered Member

    what happens if you open the .doc (or .xls or other office document) in open office?
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Hello,
    Nothing happens.
    Mrk
  5. MrBrian

    MrBrian Registered Member

    You can disable scripting in both of these programs.
  6. MrBrian

    MrBrian Registered Member

    Software Restriction Policies can block standalone scripts. There are a number of extensions in my SRP Designated File Types, including .bat, .chm, .cmd, .hta, and .vb. You can add file extensions to this list.
  7. MrBrian

    MrBrian Registered Member

    A VBScript script embedded in a program document, such as a Word document, has the capability to create a .DLL that is then loaded into the program. Thus, you might wish to make sure your anti-executable solution can also deal with DLLs. SRP can handle this by using an Enforcement setting of 'All software files'. I have read that this may slow down your system though.

    Source: http://blog.didierstevens.com/2008/06/09/quickpost-embedding-an-executable-in-a-vbscript/
  8. jrmhng

    jrmhng Registered Member

    Will this solution disable all malicious js and vbs scripts even in pdf and word?

    Found at Microsoft Technet

    Also what are the potential side effects?
  9. MrBrian

    MrBrian Registered Member

    I don't believe doing this will affect pdf or office scripts, because they don't depend on WSH. If you don't wish to disable scripting in these programs, I believe that HIPS settings for Adobe Reader and the Office products could constrain what the embedded scripts can do, but I didn't personally test this.
    Last edited: Jun 16, 2008
  10. Pedro

    Pedro Registered Member

    Yes. The script will instruct what the program (office/adobe) should do.
  11. jrmhng

    jrmhng Registered Member

    I've found the JS options in adobe.

    It is under Edit --> Preferences --> Javascript

    However, what about other scripts like vbs in PDFs? Is that possible?

    What about in office 2007? Where are the settings?
  12. MrBrian

    MrBrian Registered Member

    Not that I know of.

    If you get .chm files from untrusted sources, there are steps that can be taken to mitigate possible damage from opening them. Let me know if you want more details....

    For Word, you can look at Tools->Macros->Security. This is for Word 2003 however.