Scripting and Script Protection Programs

Discussion in 'other security issues & news' started by RCGuy, Aug 13, 2006.

Thread Status:
Not open for further replies.
  1. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    I know that this may sound like a stupid question, but could someone explain to me what a script or scripting is and how or why there is a security risk associated with it and how script protection programs protect computers from that risk? Also, keep in mind that you will be explaining your answers to someone who doesn't know a whole lot about the technical stuff about computers. Plus, I want to mention that the only program that I have for script protection is Javacool's WMPscriptfix, and to be quite honest with you, I really don't understand what it does.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Simply put, a script is like an exe file, which will download into a PC (via browser or software like WMP); it will run and then it can do anything it wants. Security software like AV is trying to find out if that script contains malicious code. If an AV does not recognize malicious code, the PC gets infected. So the best way of protection is prevention: to disable scripts and allow them only when needed. WMP Scripting Fix disables scripts in WMP, so they cannot run at will.
     
  3. herbalist

    herbalist Guest

    AVs are always going to have trouble with scripts. They can be anything from the spellchecker to a few lines that open another webpage. Some of the hardest to defend against are ones delivered from the web, called "hypertext applications" or .hta files. They are literally miniature programs contained on a webpage. The problem for AVs is that there's no way of knowing what that page will be. It could be an exploit site or be changing regularly. The file itself could be completely harmless, but the web pages it opens could be incredibly nasty. Scripts serve many purposes and are used to perform a wide variety of tasks. They can be placed in a wide variety of files, including web pages, text and office documents, and e-mail. Scripts can be written to perform a wide variety of tasks, including:
    Reading, writing, or deleting registry files
    Creating, copying, deleting, or moving files and folders
    Accessing your mail handler
    Executing other programs, including system components.
    Changing files and hiding file types
    Scripts are written or can be inserted into files with the following extensions. This is by no means a complete list, but names the more common ones:
    .vbs .vbe .js
    .jse .wsh .wsf
    .shs .shb .hta
    .reg .doc .xls
    I use Script Sentry to help protect against malicious scripts. Script Sentry is not a process that runs all the time. It works by association, meaning it becomes the application that handles file extensions that normally contain scripts. It gives you the opportunity to view the script harmlessly in Notepad before allowing it to run.
    For more complete info on scripts, mainly the hypertext applications, see:
    http://msdn.microsoft.com/workshop/author/hta/overview/htaoverview.asp
    Quoted from the above article:
    Rick
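
An added example, not part of the original thread or any poster's code: a Python sketch that triages attachment or download names against the extension list in herbalist's post, including the case where a script extension is hidden behind a harmless-looking one. The grouping by handler, the decoy list and the sample names are assumptions made for this example.

```python
import os

# Extensions from the list in the post above, grouped by what opens them.
# The grouping is this example's annotation, not part of the original post.
SCRIPT_EXTENSIONS = {
    ".vbs": "Windows Script Host", ".vbe": "Windows Script Host",
    ".js": "Windows Script Host", ".jse": "Windows Script Host",
    ".wsh": "Windows Script Host", ".wsf": "Windows Script Host",
    ".hta": "HTML Application host",
    ".shs": "shell scrap object", ".shb": "shell scrap object",
    ".reg": "Registry Editor",
    ".doc": "Office macro", ".xls": "Office macro",
}
# Extensions a user tends to read as harmless; used to spot disguised names.
DECOY_EXTENSIONS = {".txt", ".jpg", ".gif", ".pdf", ".mp3", ".htm", ".html"}

def classify(filename):
    """Return (verdict, reason) for one attachment or download name."""
    # Windows ignores trailing dots and spaces, so strip them first.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext not in SCRIPT_EXTENSIONS:
        return ("ok", "extension not on the script list")
    handler = SCRIPT_EXTENSIONS[ext]
    inner = os.path.splitext(stem)[1]
    if inner in DECOY_EXTENSIONS:
        return ("block", f"{inner}{ext} double extension, opened by {handler}")
    if ext in (".doc", ".xls"):
        return ("review", "document may carry a macro")
    return ("hold", f"opened by {handler}")

def triage(filenames):
    """Classify each name; return only the ones needing attention."""
    results = {n: classify(n) for n in filenames}
    return {n: r for n, r in results.items() if r[0] != "ok"}

# Constructed sample names, not taken from the thread.
SAMPLE = ["holiday.jpg", "readme.txt.vbs", "setup.hta ", "budget.xls",
          "notes.txt", "patch.JS."]

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE).items():
        print(f"{verdict:7} {name!r}: {reason}")
```
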
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    A script is a set of commands or instructions that tells the computer what to do.
    It is different from a regular program (executable) because a script needs to be opened by another program (the script host program) before it can carry out the commands. Scripts can enhance the functionality of the script host program and automate many tasks.

    For example, you are viewing this forum in a web browser program (Internet Explorer, FireFox, Opera, or one of the others). JavaScript is a scripting language that is contained in this forum's website. If your browser has JavaScript enabled, your browser is the script host program. Since you opened this website in the browser, the JavaScript within the website will start. In this forum's case, the purpose of the JavaScript is to enhance the function of the forum. When you create a post and want to add a smiley, you can simply click on the smiley buttons and the JavaScript will insert the correct smiley code into your post. When you receive a PM (private message) then a window will pop up in the middle of your monitor telling you have new private messages. Without JavaScript, these useful functions would not be possible.

    Most scripts are good, but they can just as easily be made (programmed) to do bad. For example a JavaScript can be made to redirect you to a hacker website or open up dozens of pop up windows for porn sites (this may or may not be what you want ;) ). It can be used to exploit bugs in the browser or host program so that bad programs (malware) can be downloaded to your computer and executed.

    I only mentioned JavaScript and the web browser, but there are many different scripting languages and many different script host programs.

    Script protection programs usually block scripts altogether or give you the control over whether to allow each individual script to start. This control is usually presented through a popup asking whether to allow or deny the script to start. You end up having to decide if it is good or bad. They can be useful because sometimes a script is hidden within a file (like a macro script) and these programs can alert you to what wants to start.
    Some AntiVirus are able to scan scripts, but it is a moving target because the script kiddies (useless people who have nothing better to do than write bad scripts) can hide it by various methods.

    The only stupid question is the one not asked.
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You can achieve it manually :
    http://support.microsoft.com/?kbid=263568
    But there are a number of programs that do the same.
    I would go with Script Sentry also. (Note: while you're there, have a look around Jason's Toolbox.)
    I think this is another popular one which I noted from forums :
    http://www.analogx.com/contents/download/system/sdefend.htm

    In Windows 98, you can disable Windows Script Host by removing the component through Control Panel | Add/Remove Programs.
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  7. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Hey, I just wanted to let you guys know that I've seen your posts, but it's going to take me a minute to learn this stuff. It's almost like a school class lesson where you have to kind of sit down and study this stuff. Thanks guys. :)
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Thanks. I downloaded this to try.

    But weird, weird thing. On that Symantec page. I tried to "print" it using PDFCreator 0.8.0. PDFCreator always works. Had it for years. On this page it locks up my computer, tried it twice. And just tried PDFCreator on another page, worked perfect as usual.
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    What's the difference if any between javascript and all the other kinds of scripts you are talking about? Is there any difference in the way I should protect myself against them?
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Good questions. I'm no expert, but here's how I currently understand it in regards to security...
    There is a big difference between the scripting languages.
    Each scripting language has different sets of capabilities that limit what the script is normally allowed to do on your computer. This limit can sometimes be extended (exploited) by bugs in the language or program that hosts (runs) the script. Even without exploits, the normal features of a scripting language can be enough to cause damage when used for bad purposes.

    Javascript is one of the less dangerous scripting languages because it is more limited in what it normally allows. But since it is so commonly used on websites, the bad guys use it in combination with other exploits and malware.
    It runs in the context of most web browsers. By itself (without using browser, plugin, or OS exploits), I think JavaScript would be limited to redirecting to malicious websites and opening additional windows and frames.

    ActiveX is much more dangerous. It contains a scripting language, but it also includes a lot of other technologies that can do just about anything when it is allowed to run. It's almost the same as if you download a program and run it on your computer in terms of what it is capable of. ActiveX scripting and controls run in the context of the Internet Explorer web browser, but ActiveX can also be run outside of the browser. Add to this IE is so tightly integrated with the Windows XP OS that a simple visit to a bad website ends up with malware automatically downloaded and started on your computer (Drive-by-Downloads).

    Other scripting languages like what Herbalist mentioned: Visual Basic Script, JScript (Microsoft's version of JavaScript), etc. are also dangerous because of their capabilities. They run in the context of the Windows Script Host (wscript.exe) but can also be embedded within a web page and run from IE. What the difference in capabilities are between a Visual Basic Script running within IE and running on the Windows Script Host, I'm not sure. The famous "I Love You" virus was a stand alone .vbs that executed on the Windows Script Host. It arrived on the computer as an email attachment.


    I think the basic strategy should be the same, but because each technology is different, the strategy will be implemented differently for each.

    1. Disable what you don't need.
    This is the safest but not necessarily the best in all cases.
    If you don't need any of the automation features of the Windows Script Host, disable it.
    I would not completely disable ActiveX in IE because it is required by Windows Update website, some banking sites, and some online anti-virus scanner sites.
    If none of the websites you need to visit require the use of JavaScript, disable it in the web browser.

    2. Keep your OS, browser, and script host programs updated.
    This will protect you from already known and patched exploits. Visit Windows Update to update all 3. If you use an alternate browser, use its update function or get it from the official browser site.

    3. Control what scripts run on your computer.
    For Windows Script Host this is done with script control programs (like Script Defender, Script Sentry, WormGuard) and common sense. The common sense part is not opening email attachments (that may contain a .vbs, or .js virus or worm). There is also a good article (mostly about certificate signed scripts) here on Windows Script Host Security.

    Controlling ActiveX in IE is done by hardening the browser settings and making good use of the IE Security Zones. This means turning off ActiveX in the Internet and restricted site zone and allowing it only in the trusted sites zone. Then you add *.microsoft.com, your bank site if it needs ActiveX, and the online scanner Anti-Virus sites you want to use. This way ActiveX will be off normally, but on when you need it at your trusted sites.

    Controlling JavaScript in IE can also be done through IE Security Zones, but this is an all or nothing approach. In FireFox, there is a JavaScript whitelist extension called NoScript that lets you control what sites are allowed to run JavaScript. Opera also has this built in function with its Edit site preferences...

    4. Filter out malicious scripts.
    This is done with some Anti-Virus. Keep it updated too.
    You can also use a local web browser proxy program like Proxomitron that can be loaded with filters (like Kye-U's) to screen out some of the bad scripts.
    How effective these are depends on the anti-virus or filters used.


    I'm sure you know all this (and more ;) ), so please correct and improve as needed.
     
    Last edited: Aug 17, 2006
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    The mere fact of just visiting a site like this hxxp://td8eau9td.com/page_new.php with JavaScript switched on will automatically download and run malware on your computer. With ActiveX switched on, further malware can be downloaded and run.
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi CloneRanger,

    JavaScript is usually needed as a starting point for a malicious website to get the ball rolling. But it usually then needs some other browser bug, WMP/plugin bug, OS bug (like WMF or JPG exploit), or something else active like Java to "break out" of the browser to download and execute the malware without user intervention.
    Is this malicious site different?

    Does the malicious site work only on IE? What about firefox or opera with JavaScript on, but Java and plugins off?
    Was the WindowsXP OS SP2 and fully patched?
    Was Java enabled?
    Was Windows Media Player up to date?
     
    Last edited: Aug 18, 2006
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  14. squinteyes

    squinteyes Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    9
    I have a quick question concerning Script Sentry and Script Defender.
    I installed both to see which I liked better and found, of course, that they both passed their own sample test.
    When I used Script Defender it would detect Script Sentry's sample test as well.
    When I used Script Sentry to detect Script Defender's sample test it would pop up saying "No Threat Detected".

    Is Script Sentry faulty or is Script Defender's sample test faulty? Or is it just my head that's faulty :blink:


    Just curious.....


    Windows ME if that makes a difference
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    No I haven't and don't plan to in the near future. Why should I when I can learn from people like TNT who provide an honest objective analysis of the threat?

    According to the answers given by TNT in the above thread, it is not javascript itself that causes the drive-by-downloads, it is the bugs/exploits/vulnerabilities. Javascript is required to make it happen, but it is not the source of the problem. Javascript has some limits on what is allowed. Microsoft's older JS implementation in IE had some exploitable bugs which have now been patched.

     
    Last edited: Aug 18, 2006
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Are you using both at the same time?
     
  17. squinteyes

    squinteyes Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    9
    No, not using both at the same time.

    They were both installed at the same time but I would uncheck (disable) all the file associations in one to run the other and vice versa. Seemed to be no conflicts doing that.

    I'm now using Script Defender only.:)
     