
Tweaking WSH helps defend Windows PCs from malicious email attachments

[Category: System (Windows) | Posted by 店小二05 | 2016 | Author: 红领巾]

Bad guys are always looking to abuse overlooked components of a system. On PCs, the Windows Script Host (WSH) was one such often-overlooked component, but it is becoming a more popular target.

WSH can execute scripts written in many programming languages. Out of the box, it runs JScript and VBScript, but other languages, such as Perl and Python, can also be installed.

JScript is Microsoft's version of JavaScript. Unlike the JavaScript that runs inside a web browser, JScript runs inside Windows and, compared to browser-based JavaScript, has additional, potentially dangerous, features.

Back in June, I wrote about defending a Windows computer from malicious JScript email attachments that install malware.

JScript files end with .js; VBScript files end with .vbs. Each also comes in an encoded flavor, .jse for JScript and .vbe for VBScript. In addition, WSH supports .wsf files, which can contain both JScript and VBScript.

When I wrote about this last time, bad guys were only abusing JScript. Now they have branched out.

Last month, Trend Micro wrote that they had started seeing malicious VBScript and WSF files:

In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download other ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments―which could explain how WSF became the second file type attachment most used by threats.

WSF files are chic and trendy.

Last week, Symantec confirmed the popularity of malicious WSF files.

Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic ... between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer ... Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.

DEFENSIVE COMPUTING

There are two defensive tactics against malicious script files: disabling the WSH component altogether, or configuring Windows to open WSH file types with Notepad rather than with the Windows Script Host component.

Forcing Windows to open WSH files in Notepad is fairly simple, and I described the procedure back in June for Windows 7, 8.1 and 10. If you prefer this option, be sure to do it for all five file types (.js, .jse, .vbs, .vbe and .wsf).

Interestingly, Windows Explorer displays very different information for these file types depending on whether they are processed by Notepad or WSH. Before changing anything, it looks like this:

[Figure: Windows Explorer when WSH processes the five types of script files]

After configuring Notepad to open these files, they are no longer "script" files; they are just files.

[Figure: Windows Explorer when Notepad processes the five types of script files]

This approach assumes, however, that these are the only file types processed by WSH. As noted earlier, other scripting languages may have been installed. And assorted sources online claim that WSH also runs .mod, .bas, .frm, .vb and .wsc files. My very limited testing found this not to be true, but under some circumstances it might be.

With that in mind, disabling WSH entirely is a much bigger hammer. Disabling it is the strongest option available, as WSH cannot be uninstalled.

WSH is disabled by adding a new value to the registry (make a restore point first). The location of the new value determines whether WSH is disabled system-wide or just for the currently logged-in user.

According to Trend Micro, the value is a REG_DWORD named "Enabled", and it needs to be set to zero. To disable WSH for the current Windows user, add the value under

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\

To disable it system-wide, add the value under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\

You can verify that WSH is disabled from the command prompt by running the cscript and wscript commands; when it is disabled, both refuse to run with a message that Windows Script Host access is disabled on this machine.
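As an added example (not part of the original article or of any vendor tool), the PowerShell script below audits both registry locations described above, reports which program is wired to each of the five WSH extensions, and, only when run with -Apply, writes the Enabled=0 value for the chosen scope. The parameter names and layout are my own; the system-wide scope assumes an elevated prompt.

```powershell
# Added example: audit, and optionally disable, Windows Script Host.
# Without -Apply the script only reports; -WhatIf previews the registry write.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('CurrentUser', 'SystemWide')]
    [string]$Scope = 'CurrentUser',   # which hive to write when -Apply is given
    [switch]$Apply
)

# The two locations the article gives for the "Enabled" REG_DWORD.
$settingsPath = @{
    CurrentUser = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
    SystemWide  = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
}
# The five file types the article says WSH handles out of the box.
$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf'

function Get-WshState {
    # 'disabled' only when Enabled exists and is 0; a missing value means WSH is active.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

# 1. Report the WSH switch in both hives.
foreach ($entry in $settingsPath.GetEnumerator()) {
    '{0,-12} WSH is {1}  ({2})' -f $entry.Key, (Get-WshState $entry.Value), $entry.Value
}

# 2. Report which program opens each WSH extension (assoc/ftype are cmd.exe built-ins).
foreach ($ext in $scriptExtensions) {
    $progId  = (cmd /c "assoc $ext" 2>$null) -replace '^[^=]*=', ''
    $handler = if ($progId) { (cmd /c "ftype $progId" 2>$null) -replace '^[^=]*=', '' }
               else { '(no association)' }
    '{0,-5} -> {1}' -f $ext, $handler
}

# 3. Optionally disable WSH for the chosen scope: REG_DWORD "Enabled" = 0.
if ($Apply) {
    $path = $settingsPath[$Scope]
    if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0 (disable WSH)')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
        'WSH now {0} for {1}' -f (Get-WshState $path), $Scope
    }
}
```

A handler line ending in WScript.exe means double-clicking that extension still hands the file to WSH; after the Notepad remapping described earlier it should point at notepad.exe instead.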

[Figure: What the wscript command looks like after WSH has been disabled]

All this said, is it really worth the trouble? If you read email on a Windows computer, do yourself a favor and use a different operating system, at least for email.
