One Article Review

Home - The article:
Source SANS Institute
Identifier 3064
Publication date 2016-06-18 02:56:19 (viewed: 2016-06-18 02:56:19)
Title Controlling JavaScript Malware Before it Runs, (Sat, Jun 18th)
Text We've posted a number of stories lately about various exploit kits and the malware they deliver. What I'm seeing lately is a bit of an uptick in the use of JavaScript by these exploit kits. Why might this be, you ask? Isn't JavaScript contained and hopefully secured within the browser sandbox? Aren't we protected by the combined security smarts of Microsoft, Mozilla and Google? We-e-e-e-l, the short answer is NO. If the JavaScript arrives in an inbound email and one of your Windows-based users clicks it, it doesn't execute in the browser: it executes under Windows Script Host, the same script engine behind cscript.exe and wscript.exe. So, as Brad Duncan (another of the ISC Handlers) pointed out, this isn't really a JavaScript *exploit*. Look under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids and you'll find jsfile; under HKEY_CLASSES_ROOT, .js maps to jsfile, and jsfile is handled by wshext.dll (the Windows Script Host shell extension). Or just check the file type of a .js file in Explorer: Shazam! (screenshot not recovered)

Not only that: cscript.exe is meant as an admin tool, so all of the JavaScript protections we take for granted in the browser are ABSOLUTELY NOT in play. All kinds of new (or rather old) features that aren't allowed in the browser work again. For instance, JavaScript executed by cscript can create a TCP client or a TCP server (through COM/ActiveX objects that the browser sandbox would never expose to untrusted script), perhaps to pull malware, maybe crypto-malware, down and install it, or to set up a basic TCP backdoor or a reverse-shell backdoor. Worse yet, when you receive a JS file in an email, you'll see an icon that makes it look like a text or document file of some kind.
On top of all of that, a common spam practice that makes this more confusing for the folks reading their mail is the double-extension approach: the attachments arrive as corporate layoffs.doc.js, bonus Q2.xls.js or ups shipping notice.pdf.js. When one of these shows up in the mail client, Windows by default (not so helpfully) hides the known .js extension ("Hide extensions for known file types"), so your folks see these as Word docs, Excel sheets or PDF files.

So how can we as system administrators protect our users? Out of the gate we should strip attachments of type .JS at the spam gateway; there's no good reason (in almost all cases) to be emailing JavaScript files into or out of the organization.

In the spirit of defense in depth, though, let's assume that one of our trusted business partners (who might be whitelisted in the spam filter) or one of our internal users (internal mail doesn't typically go through the spam filter) is already compromised. How do we protect our users in those scenarios? Let's re-associate the .JS file type with something that won't actually execute the file; how about Notepad?

To do this for a single workstation, right-click a .js file, open it with Notepad, and be sure to select the "Always use the selected program to open this kind of file" option when you do.

For an entire organization, you can force the file association in Group Policy, at Computer Configuration / Preferences / Control Panel Settings / Folder Options, then New / File Type. There you can change how the file opens, and even change the icon that's displayed. Whichever method you use, it only changes what a double-click does: the same trick is worth applying to the other Windows Script Host extensions (.jse, .vbs, .vbe, .wsf, .wsh), and a dropper that invokes wscript.exe explicitly is unaffected, so treat this as one layer, not the whole defense.

Now when we receive some malicious JavaScript in our inbox, it'll look very different. And when your folks click on the file, that advanced persistent malicious hello.js simply opens as text in Notepad (screenshot not recovered). So if you're walking around the office, you can look for the screen that has 10 or 12 Notepad windows full of code open, and feel good that there's one that didn't get infected!
Or more likely (and sadly), check that machine to see how *else* they found to get i
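The gateway rule the diary asks for has to see through the double-extension trick, so here is an added example (not code from the ISC diary or its author) that classifies attachment names the way a stripping rule should: only the last extension decides what Windows will run, and the "document" extension in front of it is just a decoy. The sample names are constructed for the demo; the extension lists are the stock Windows Script Host and mshta extensions.

```powershell
# Added example (not from the ISC diary): classify attachment names the way a
# gateway rule should, so "corporate layoffs.doc.js" is treated as the .js script
# it is rather than the Word document it pretends to be. Sample names are constructed.

# Extensions that Windows hands to Windows Script Host (or mshta) on double-click.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta')

# Document extensions a decoy name typically borrows.
$DecoyExtensions = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.txt', '.rtf')

function Test-Attachment {
    param([Parameter(Mandatory)][string]$Name)

    # Win32 silently drops trailing spaces and dots when the attachment is saved,
    # so normalise the same way before deciding what the real extension is.
    $clean = $Name -replace '[ .]+$', ''

    # Only the LAST extension decides which handler Explorer runs.
    $real = [System.IO.Path]::GetExtension($clean).ToLowerInvariant()

    # The extension the user sees once Explorer hides the "known" .js extension.
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($clean)
    $decoy = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()

    $isScript = $ScriptExtensions -contains $real

    [pscustomobject]@{
        Name      = $Name
        RealExt   = $real
        ShownAs   = $decoy
        IsScript  = $isScript
        DoubleExt = $isScript -and ($DecoyExtensions -contains $decoy)
        Action    = $(if ($isScript) { 'STRIP' } else { 'allow' })
    }
}

# Constructed sample: the three names from the diary, a plain .js, two benign files
# and a mixed-case variant with a trailing space.
$Samples = @(
    'corporate layoffs.doc.js', 'bonus Q2.xls.js', 'ups shipping notice.pdf.js',
    'hello.js', 'Q2 report.pdf', 'notes.js.txt', 'invoice.PDF.JS '
)

$Samples | ForEach-Object { Test-Attachment -Name $_ } | Format-Table -AutoSize
```

The three diary names and the trailing-space variant come out as STRIP with DoubleExt set; notes.js.txt is allowed, because a .txt on the end means Notepad, not Windows Script Host, gets the file. Feed the same logic your gateway's attachment-name condition, and match on the real extension rather than on a substring like ".doc".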
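The registry walk in the diary and the Notepad re-association can be done from one script. The following is an added example, not the diary's own method: it audits which command Windows will run for each Windows Script Host extension, reports any per-user "Open with" override, and with -Apply rewrites the class command to Notepad. It assumes the stock ProgID names (JSFile, JSEFile, VBSFile, VBEFile, WSFFile, WSHFile) and must run elevated, since HKEY_CLASSES_ROOT writes land in HKLM\Software\Classes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ISC diary): audit which program Windows runs for a
# double-clicked script file, then point the Windows Script Host file classes at
# Notepad so the file is displayed instead of executed. Assumes the stock ProgID
# names (JSFile, JSEFile, ...). Audit only by default; pass -Apply to change them.
param([switch]$Apply)

# Extension -> ProgID as shipped with Windows. Explorer's double-click runs the
# ProgID's Shell\Open\Command, so that value is what we audit and redirect.
$Classes = [ordered]@{
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
    '.vbs' = 'VBSFile'
    '.vbe' = 'VBEFile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
}

$Notepad = "$env:SystemRoot\System32\notepad.exe `"%1`""

function Get-DefaultValue([string]$Key) {
    # Returns the key's (default) value, or $null if the key does not exist.
    if (Test-Path -Path $Key) { (Get-ItemProperty -Path $Key).'(default)' } else { $null }
}

foreach ($ext in $Classes.Keys) {
    $progId  = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$($Classes[$ext])\Shell\Open\Command"
    $command = Get-DefaultValue $cmdKey

    # Per-user "Open with" override. Since Windows 8 this key is hash-protected, so it
    # is reported but never written here; rewriting the class command is honoured as
    # long as UserChoice is absent or still names the stock ProgID.
    $ucKey      = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $userChoice = (Get-ItemProperty -Path $ucKey -ErrorAction SilentlyContinue).ProgId

    $runsScript = [bool]($command -match 'wscript\.exe|cscript\.exe')

    [pscustomobject]@{
        Extension   = $ext
        ProgId      = $progId
        UserChoice  = $userChoice
        OpenCommand = $command
        RunsScript  = $runsScript
    }

    if ($Apply -and $runsScript) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $Notepad
        # "Open2" is the CScript (console) verb the stock classes also carry.
        $cmd2 = "Registry::HKEY_CLASSES_ROOT\$($Classes[$ext])\Shell\Open2\Command"
        if (Test-Path -Path $cmd2) { Set-ItemProperty -Path $cmd2 -Name '(default)' -Value $Notepad }
    }
}
```

Run it once without -Apply to see the stock WScript.exe "%1" %* commands, then with -Apply on a test machine; for a fleet, push the same HKLM\Software\Classes\<ProgID>\Shell\Open\Command values with a Group Policy Preferences Registry item, or use the Folder Options File Type item the diary describes. Two caveats: this only changes what a double-click does, so wscript.exe malware.js typed or spawned explicitly still runs, and where Windows Script Host is not needed at all the cleaner control is the REG_DWORD Enabled = 0 under HKLM\Software\Microsoft\Windows Script Host\Settings, with an allowlist for the hosts that legitimately run admin scripts.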
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.