App Review Scriptor Infection Who You Gonna Call?

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
It seems they [computer security companies] always forget that scripts were the first step in the evolution of viruses throughout history; they are simple to construct and already hold massive destructive power.

However, due to trends in IT security issues, plans have changed.
 
T- Wow! I haven't thought of Agent.btz for quite a while; back then it was known as the Silly worm.

This was, of course, a Scriptor; but instead of buckshotting different malware to various places in the system, this one replicated itself to something like 8-10 different directories while hiding itself. And just like what occurred in this video, you could delete all but one and on reboot it would populate itself right back (if memory serves, it also renamed the worm core and put it in different directories). It also scanned all drives from A:\ to Z:\. They were reduced to reimaging something like a billion hard drives one by one until the Girls from the TAO came to the rescue.

As for other products, I'm not a fan of the traditional AV product at all. Other products like AppGuard and Sandboxie (favorites of Umbra) are effective but, as you point out, do require a firm hand in order to use properly. Comodo is my favorite as it can be set up so that both experienced and novice users can use it with equal effectiveness.

ps- Your mom has VERY good taste! I like her.

M
 
Thank you cruelsister, I've learnt a great deal from your posts and videos; you could easily be a teacher. Nice to have the advanced info, but easy to understand.

Yes, my mum has 3 pairs of Jimmy Choo; they are lovely shoes.

Tony :)
 
How to stop/defend against scriptors? Don't install the interpreter and use an anti-executable (e.g. NVT ERP).

You can use Comodo products, which will sandbox Unrecognized script files, but be forewarned that there are scripts that can "reach outside" the sandbox and make permanent changes to the system, like deleting files (I just submitted one to Comodo Engineering).

Of course, you can set the Comodo sandbox to Block any Unrecognized file - and that will include scripts.

Unless you are an indiscriminate downloader/installer, I wouldn't worry about it too much. Plus, you won't be installing Python, Perl or AutoIt interpreters and running those types of scripts, so the issue really is moot.

You are much more likely to experience a drive-by download of the JavaScript (.js) variety than anything else, which Comodo will handle either via the sandbox or HIPS (I use HIPS, but it causes novices more mistakes than anything else since rule creation is not clear in some CIS HIPS alerts).

Comodo does much better at protecting against scriptors than all other suites I have tested. The user can just go with the default sandbox settings = Fully Virtualized or for maximum security set it to Block (all Unrecognized files).

Comodo isn't absolutely perfect, but then, nothing IT ever is... it's got you covered in the vast majority of scriptor cases.

Anti-executable configuration settings are included in CIS because that is an option for the user - as part of the Comodo default-deny protection model.

I can tell you from a lot of testing that it really does work.
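The two controls Hjlbx recommends above, not installing the interpreter and blocking what is unrecognized, are both easy to audit on a Windows box. The script below is an added example, not code from the thread or from Comodo or NVT: it lists which script interpreters are reachable on PATH and which script extensions Windows will hand to an interpreter on double-click, which is exactly the path a drive-by .js takes. The interpreter and extension lists are my assumptions for the illustration, not an exhaustive inventory; the script is read-only.

```powershell
# Added audit script (not from the original thread). Read-only; run as a normal user.
# Interpreter names and extension list are assumptions for this illustration.

$interpreters = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'pwsh.exe',
                'python.exe', 'perl.exe', 'AutoIt3.exe'

$extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1', '.py', '.pl', '.au3'

function Get-InterpreterInventory {
    # Resolve each interpreter through PATH. "Present = False" is the
    # "don't install the interpreter" state the post recommends.
    foreach ($exe in $interpreters) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interpreter = $exe
            Present     = [bool]$cmd
            Path        = if ($cmd) { $cmd.Source } else { $null }
        }
    }
}

function Get-ScriptAssociation {
    param([string]$Extension)
    # HKCR\.ext default value -> ProgId; HKCR\<ProgId>\shell\open\command -> what runs on double-click.
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" `
               -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
    }
    # Heuristic: if the open command names one of the interpreters above,
    # a downloaded file with this extension executes when the user double-clicks it.
    $executes = [bool]($command -and ($interpreters | Where-Object { $command -match [regex]::Escape($_) }))
    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        OpenWith  = $command
        Executes  = $executes
    }
}

Write-Host "Script interpreters reachable on PATH:"
Get-InterpreterInventory | Format-Table -AutoSize

Write-Host "Double-click handlers for script extensions:"
$extensions | ForEach-Object { Get-ScriptAssociation $_ } | Format-Table -AutoSize
```

Two caveats when reading the output: a per-user override under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts can take precedence over the HKCR association shown here, and an interpreter that is absent from PATH may still exist at a full path, so "Present = False" means "not trivially reachable", not "not installed". An anti-executable or a default-deny sandbox setting such as the Comodo Block mode described above covers the cases this inventory cannot.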

Hello Hjlbx,
Did the sample you submitted to Comodo always escape from the sandbox, or only at some security levels?
Did it also escape from Sandboxie and a VM?
Thank you!!!
 