App Review Scriptor Infection Who You Gonna Call?

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The last few Videos showed how AMSI on Windows 10 is beneficial in preventing infection by a common Scriptor class. But if you don't use Win10 and your system is infected by them what exactly are your options?

This Video reviews how common second party stack up, as well as a non-scanner solution.

(This Video is heavily edited to cut 60 minutes down to 10. I'm sure you understand).

 

security.paranoid

Level 2
Verified
Dec 6, 2014
57
@Umbra with x2 gutmann :p just to be sure then make sure that your hdd firmware is not infected ;) , @cruelsister what do you think about umbra's config he uses SEP beacause i'm doing the same in my pc and what is your config ? and thanks for the video
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
First off, thank you for your kind words! Presenting the Videos is my pleasure, and Jack should get the main Thanks for having this forum and allowing me to do so.

Regarding SEP- It's curious that SEP was mentioned as I've been giving it much thought recently. Norton/Symantec is the one product line that would benefit the most from the Windows 10 AMSI module since they have horrid Scriptor detection ability. This actually makes sense when you consider that on the corporate level scripts are commonly used to automate processes across the Network; and i order to avoid false positives, Symantec made a decision to allow just about any Script to run without any further thought.

This decision has led to a number of severe breaches (those at Home Depot, Target, and a few other places not made public I was personally involved in) caused by simple (although elegantly) coded Scriptors. There are some that may say SEP wasn't set up properly, but as Symantec personnel set up the software themselves this argument is certainly not valid.

But as to using SEP on a Home system, it is a grave mistake to be using an Unmanaged installation, and I'm not at all surprised that Umbra has moved on. There are just too many Tricks and Tweaks to be done to make the protection passable, and even with these SEP falls short. Also, as both Norton and Symantec share essentially the same definition database the Norton Home user also is prone to Scriptor infection.

I'm in the process of coding a Scriptor that I mentioned in passing previously (a worm that that targets files on Removable drives), so perhaps I should run it on a Norton protected system.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
It doesn't speak for the industry that instead of implementing proper AMSI support in their products, the next generation is just going to get more useless crap.
 
  • Like
Reactions: hjlbx and Enju
D

Deleted member 2913

Those scriptors doesn't show up as unknown/malicious/suspicious in KillSwitch?
If Yes... then those could be deleted, right?

CCE - AutoRunAnalyzer - would also show unknown/malicious/suspicious entries & could be deleted, right?

CCE - QuickRepair could detect system modifications & repair them.

I mean... would like to know from you... did you test how effective KillSwitch/QuickRepair/AutoRunAnalyzer i.e CCE cleans the system?
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
YN- The issue with these Scriptors and Killswitch is that the actually Scriptor works through wscript.exe which is a legitimate process, so there are no unknowns as far as KS is concerned (nothing will show up). The same is true with AutoRunAnalyzer and Quick repair. Even running a CCE scan doesn't do very much.

As you know I'm partial to Comodo, but highlighting CCE is pointless in this case.

Umbra- Yes, the SEP firewall is very good, but was helpless in this case. The issue with the Breaches was that the Outbound connections by the Scriptor weren't considered to be malicious, so they were just logged among the hundreds of thousands of other Outbound connections.
 

kiric96

Level 19
Verified
Well-known
Jul 10, 2014
917
good video, personally i was infected by a vbs worm that i got via usb (the main infection started at my university lab)... the worse part of it was the fact that some vendors (eset, bitdefender & norton) refused to add the worm to it database (thet did it after several days later), the amazing part comes from norton, as i was a norton user, i contacted tech support, who told me that file was indeed clean, then i showed the virustotal report, until then they said will analize the sample... to end this norton took 15 days to add the sample, eset 3 days and bitdefender 1 week
 
  • Like
Reactions: done

Tony Cole

Level 27
Verified
May 11, 2014
1,639
May I ask, being the dumb one. What is a Buckshot trojan - I only ask as I've never heard of scriptor attacks, nor how to stop/defend against them? I am cruelsister watching all your video's and think they are amazing, only wish I had such IT knowledge. Thanks :)
 
R

Rod McCarthy

OK so I concur with you...So what do we use to protect our PC's at home....Is there something or possible 2 or 3 things to install that will protect PC's?

Thanks
 
  • Like
Reactions: done
H

hjlbx

May I ask, being the dumb one. What is a Buckshot trojan - I only ask as I've never heard of scriptor attacks, nor how to stop/defend against them? I am cruelsister watching all your video's and think they are amazing, only wish I had such IT knowledge. Thanks :)

How to stop\defend against scriptors ? = Don't install the interpreter and use an anti-executable (e.g. NVT ERP).

You can use Comodo products - which will sandbox Unrecognized script files, but be forwarned that there are scripts that can "reach outside" the sandbox and make permanent changes to the system - like deleting files (I just submitted one to Comodo Engineering).

Of course, you can set the Comodo sandbox to Block any Unrecognized file - and that will include scripts.

Unless you are an indiscriminate downloader\installer I wouldn't worry about it too much. Plus, you won't be installing Python, perl, AutoIT interpreters and running those type scripts, so the issue really is moot.

You are much more likely to experience a drive-by download of the javascript (.js) variety than anything else - which Comodo will handle either with via the sandbox or HIPS (I use HIPS - but it causes novices more mistakes than anything else since rule creation is not clear in some CIS HIPS alerts).

Comodo does much better at protecting against scriptors than all other suites I have tested. The user can just go with the default sandbox settings = Fully Virtualized or for maximum security set it to Block (all Unrecognized files).

Comodo isn't absolutely perfect, but then, nothing IT ever is... it's got you covered in the vast majority of scriptor cases.

Anti-executable configuration settings are included in CIS because that is an option for the user - as part of the Comodo default-deny protection model.

I can tell you from a lot of testing that it really does work.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Tony- not a bad question at all. A Buckshot trojan is really easy to visualize. Consider a typical trojan- once you run it, it will normally spawn a payload or two in a certain directory (normally somewhere is Users\App Data).

A Buckshot will spawn 10 or 12 separate daughters (usually different stuff like downloaders, keyloggers, etc) into random directories throughout the system before suiciding (self-deletion), and all of the daughters will have auto-run functionality. These aren't very common and essentially are the lazy persons way of bypassing traditional AV detection (hoping that one or two will be undetectable). Kind of like flinging slop against a wall and hoping something sticks.

But if the Blackhat wasn't lazy and confirmed all of the daughters were FUD, it is a real pain to remediate.
 
  • Like
Reactions: done
D

Deleted member 178

But if the Blackhat wasn't lazy and confirmed all of the daughters were FUD, it is a real pain to remediate.

It is why i like anti-execs like Appguard or ERP in lockdowm mode; you get notified when any processes try to launch, so manual removal of those malwares is easy.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Thank you cruelsister, makes more sense know. Is that similar to Agent.btz the cyber attack on the United States 2008? I wish I could use software like Appguard but it would brake my system as I wouldn't know what to allow/deny.

Other than Comodo, which antivirus software would you say offers the best protection?

P.S. I've now watched 6 of your video's keep them coming, very interesting, and most important easy to understand. I can hardly email on a train, let alone do a video. :) Reminds me, my mum loves Jimmy Choo - brought a pair for her birthday in November - so no telling!
 
  • Like
Reactions: Behold Eck

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top