How to Defeat js Malware etc

Discussion in 'malware problems & news' started by CloneRanger, Jun 22, 2016.

  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    For eg, this recent nasty that both encrypts your HD & is a keylogger !

    1 - Disable Wscript.exe & Cscript.exe

    2 - Install a Script blocker

    I downloaded the nasty & double clicked it, knowing i was doubley safe due to my having the above in place since W98SE days. First SD intercepts it, i then click Allow, but due to my already having disabled the above, nothing happens !

    RAA-js.png

    Not only do these methods prevent such nasties, but others too.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    Yes I also disable Script Hosts completely and also add file extensions to Software Restriction Policies designated file types.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    You also may want to consider dumping PowerShell.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I monitor globally, start ups of jscript*.exe, wscript.exe, powershell.exe, cmd.exe, etc. using Eset's HIPS.

    Additionally, I monitor browser execution of any of the following:

    jscript*.exe
    wscriptexe
    telnet.exe
    mshta.exe
    cmd.exe
    ftp.exe
    rundll32.exe
    reg.exe
    at.exe
     
  6. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    Browser execution of .js is expected and nothing to worry about.

    This ransomware executes outside the browser when Windows Script Host runs an email .js file attachment's that been opened.

    Just opened - you don't need to double-click on the infected file for it to run and it doesn't need user permission to execute.

    There is no real legitimate need to send someone a .js attachment so if you notice an e-mail that has one, delete it immediately and empty it from your trash.

    Disable WSH (which is enabled by default) to keep Windows secure. It won't affect .js in the browser and if your browser runs sandboxed, nothing can damage your data.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Norman,

    This is true for js files in a self-extracting rar attachment.

    Have you seen where a ZIP file attachment can to the same thing? All of the ZIP attachments with a js file that I've seen are normal ZIP files.

    Thanks,

    ----
    rich
     
    Last edited: Jun 23, 2016
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    FYI

    Within the last few days, researchers have discovered a ransomware strain, called RAA, entirely written in JavaScript. In theory, a future HTML5 malvertising campaign would be able to deliver ransomware directly to the user via HTML5. "JavaScript is a general purpose programming language," comments Simon Crosby, CTO at Bromium. "Once one hacker has figured out how to use it to write crypto-malware, any other hacker can simply read the source code and use it elsewhere. So I expect to see rapid re-use and many variants of this attack." The only way to prevent such breaches, he suggests, "is to use an endpoint isolation technology like micro-virtualization that hardware isolates each tab of the browser from the OS - so that crypto-malware cannot impact the endpoint."

    Ref.: http://www.securityweek.com/html5-wont-stop-malvertising-brings-new-threats

    -EDIT- Here's a ref. to HTML5 attack vectors: http://heideri.ch/jso/
     
    Last edited: Jun 24, 2016
Loading...