Script Defender Remake?

Discussion in 'other anti-malware software' started by EASTER, Jul 24, 2008.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I also let it auto run from a cd i burned the files to.
     

    Attached Files:

  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I forgot about RegRun. RunGuard+WG+Script Sentry :p

    Last time i tried i couldn't make it autorun. Now it does, and i see Runguard's alert as well.

    If i open cmd, and type 'wscript start.vbs' i get no alert, calc executed.
    So it's not the same thing.

    The thing about Runguard is that it comes with RegRun. I never got along with that. From installation it's window after window opening non-stop. All kinds of settings and options.
    He should make a standalone.
     
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I concur. Initializing the command this way does in fact open calc without RunGuard stopping it. Although if you add cmd.exe to the blacklist within RunGuard then the cmd can not run in the first place.

    muf
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Thanks, muf, for confirming about the command prompt.

    Can you post the contents of the autorun file you used?

    ---
     
    Last edited: Jul 29, 2008
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,731
    Location:
    U.S.A. (South)
    Thanks muf for filling us in on that, but is this a totally separate app, or is integrated into Greatis entire anti program?

    All that site shows as a headliner is...............
    RegGuard protects Windows startup registry keys from changing.



    My question is just how many it can cover, theres over time been a pletora of invasion into scripts like CHM, HLP, etc. to name a few. And from what i seen theres a definite limit to how many associations/extensions that they can cover.

    Then lists registry entries it covers, any HIPS can do that and cover much more. (Curious)

    EASTER
     
    Last edited: Jul 29, 2008
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Here's a screenie of the contents of the cd and each of the files open in notepad.
     

    Attached Files:

  7. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    It is integrated within Regrun as part of the suite. http://www.greatis.com/security/detail.htm#FULL
    It appears that RunGuard is only available on Gold and Platinum version's.

    It has set file types it monitors, but you can add more to the blacklist. As far as I can see, you could put any number of files types in the blacklist. Doesn't appear to be a limit.

    See these screenies.
     

    Attached Files:

    Last edited: Jul 31, 2008
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Hello muf,

    It doesn't make sense to me that RegRun alerts to the autorun command using

    shellexecute=wscript.exe,

    yet does not alert when wscript.exe is run from a command prompt.

    Can you change the filename start.vbs to start.jnk and run again from your CD using this autorun.inf file:

    ------------------------------
    [AutoRun]
    wscript /e:vbscript "start.jnk"
    ------------------------------

    thanks,


    ----
    rich
     
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Ok, I did what you said but that makes no sense really as Regrun is not designed to stop .jnk files. I popped the disc in and it opened the folder up that contains both files. It didn't run the start.jnk file. Not sure what result you were hoping for tbh.

    muf
     

    Attached Files:

  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Sorry, muf,

    I gave you the wrong syntax for the Autorun.inf file. It should be

    --------------------------------------------------------
    [Autorun]
    shellexecute=wscript.exe /e:vbscript "start.jnk"
    --------------------------------------------------------


    Would you also test with start.vbs again using:


    ----------------------------------------------
    [autorun]
    open=wscript.exe /e:vbscript "start.vbs"
    ----------------------------------------------


    I'll explain when I see these results!


    thanks,


    ----
    rich
     
    Last edited: Jul 31, 2008
  11. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Rich,

    I tried both methods as you requested. Pleased to let you know that with this particular script the calculator ran and RunGuard did not alert. 'Pleased' may not be the term I mean, but I suspect this result will give you some satisfactory information.

    muf
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Thanks, muf.

    Here are the results and comments about the different Autorun.inf commands:

    1)
    ----------------------------------------------
    Alert from RunGuard:
    shellexecute=wscript.exe start.vbs

    No Alert:
    shellexecute=wscript.exe /e:vbscript "start.jnk"
    -------------------------------------------------

    This confirms what you said about RegRun watching for .vbs files. A spoofed scripting file will run because the script engine command with correct parameters is not concerned about file extensions.

    But "open=start.jnk" will not work because that command uses Windows to associate the file extension with a program, and of course, there is nothing associated with .jnk.

    2)
    ------------------------------------------------
    Alert:
    shellexecute=wscript.exe start.vbs

    No Alert:
    open=wscript.exe /e:vbscript "start.vbs"
    ------------------------------------------------

    This is interesting, because Script Defender does not alert to the command, shellexecute=
    Shellexecute is a Windows API command, so perhaps RegRun is looking deeper than the other script blocking programs? This would be an interesting question for greatis.com.

    The command open=wscript.exe
    passes directly to the script engine, in the same way cmd.exe does (not using Windows file associations),
    and none of the script blocking programs will alert.

    The solution, as you surmised, is to block or black list cmd.exe, and by deduction, also wscript.exe

    Should one be concerned about this? Analyses of some recent USB pen drive and picture frame exploits where the autorun.inf file is listed do not show a .vbs file.

    Typical autorun.inf file seen in security analyses:
    Code:
    [autorun]
    open=kwjkpww.exe
    shell\open=Open
    shell\open\Command=kwjkpww.exe
    shell\explore=Explore
    shell\explore\Command=kwjkpww.exe
    
    However, the Switchblade and Hacksaw USB exploits did use a .vbs file, and their autorun.inf files showed:
    Code:
    [autorun]
    open=wscript go.vbs
    
    This would bypass script blocking programs.

    Some other exploits also use autorun.inf and .vbs files, but unfortunately, the analyses do not list the contents of the autorun.inf file so we don't know the commands used. Here is one:

    Worm:VBS/AutoRun.B
    http://www.f-secure.com/v-descs/worm_vbs_autorun_b.shtml
    Other preventative measures for this type of exploit include:

    ==> disabling AutoRun;

    ==> having a policy of not permitting other people's USB devices on your computer;

    ==> avoiding U3-type USB flash drives (autorun doesn't work on non-U3 types). If you used your non-U3 type flash drive to copy some files from another person's computer which was infected with a USB virus, the virus would install on your flash drive but would not run on your computer. To confirm, I put a USB exploit on my non-U3 flash drive and the Autorun.inf file does not run when I plug it into my computer.

    ==> others _______________?

    Some References

    infections on pendrive
    http://www.computing.net/answers/security/infections-on-pendrive/19560.html

    Security Watch Island Hopping
    http://technet.microsoft.com/en-us/magazine/cc137730.aspx

    CES Risk: Free USB Flash Drives
    http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=205210426


    ---
     
    Last edited: Aug 1, 2008
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.