App Review Windows Script Host, PowerShell, and Scriptors

[cruelsister]

This video is expressly for those that believe that disabling Windows Script Host and PowerShell will afford protection against Scriptors. Nothing earthshaking here, but it did give me the opportunity to play something by the Be Good Tanyas.

However (when I get a chance) I will follow this up with a Windows 10 video that highlights the new Windows Defender and its use of the new Antimalware Scan Interface that included with Win10. I just need to decide if another Trend Micro hatchet job is indicated.

 

[hjlbx]

Removing powershell and disabling wscript is not enough.

One has to realize that some apps include script hosting built-in - like Internet Explorer; such apps, if they are running, will allow scripts to run dependent upon what script shell they have incorporated ! VBS can also be a bit tricky because of msscript.ocx and mshta.exe, but the typical user need not be particularly OCD about nor monkey with those. Listen ! - if you start messing about with them you are going to break something ! Leave it alone ! Just be aware of them - that's all I'm suggesting...

You have to alert\block execution of all interpreters by default to protect against scriptors: cmd.exe, powershell.exe, powershell_ISE.exe, python.exe, cscript.exe, wscript.exe, java.exe, javaw.exe, javaws.exe, etc, etc, etc.

That can all be handled very easily and reliably using NoVirusThanks Exe Radar Pro. Simple enough...

Alternatively, one can use CIS which can be configured to alert\block execution of any interpreter. More importantly - and conveniently for the typical user - CIS will treat the script as an Unrecognized file in its own right by default and auto-sandbox the interpreter(s); in CIS no custom interpreter HIPS rules are required by default... just let CIS do its job.

Much of the time the scriptor will die-off in the sandbox since registry and file system access will be redirected to the virtual container, plus suspicious activities such as raw disk, raw memory, COM manipulation, etc will be blocked by default.

 

[Malware Man]

Thank you for the video! It was interesting. For this reason I have blocked PowerShell from even being opened. Whenever I try to run a script, I just end up getting this error:

I'm not sure if I'm protected against this type of malware or not, but to me it looks like it should get blocked.

I would be more than happy to test samples of malicious scripts, but I however cannot seem to find any.

Do these scritpors need admin rights? Or does it just bypass it altogether?

 

[hjlbx]

I would be more than happy to test samples of malicious scripts, but I however cannot seem to find any.

@Malware Man

WARNING !!!

Use a virtual machine, Shadow Defender, Sandboxie or Comodo Internet Security !

Without investigating a scriptor very thoroughly you will not know precisely what it does. Investigation typically involves using a Cuckoo sandbox and one needs to know how to interpret the infos to understand what the scriptor will do.

If you happen to test a scriptor ransomware with a robust screenlock you will be locked out of your system ! The most capable screenlocks will even prevent any system access when booting into Safe Mode !!!

If you happen to test a script cryptor your files can be permanently encrypted = unrecoverable !

Make sure you know what you are doing...

 

[Malware Man]

@Malware Man

WARNING !!!

Use a virtual machine, Shadow Defender, Sandboxie or Comodo Internet Security !

Without investigating a scriptor very thoroughly you will not know precisely what it does. Investigation typically involves using a Cuckoo sandbox and one needs to know how to interpret the infos to understand what the scriptor will do.

If you happen to test a scriptor ransomware with a robust screenlock you will be locked out of your system ! The most capable screenlocks will even prevent any system access when booting into Safe Mode !!!

If you happen to test a script cryptor your files can be permanently encrypted = unrecoverable !

Make sure you know what you are doing...

Malware doesn't scare me, I'm quite capable of removing them. I don't even save anything important on here. It's either in the cloud or on a USB HDD. Plus I just installed this installation a few days ago after putting the wrong Applocker rules in. So, even if something did get through, I am not that concerned cause it wouldn't take long to revert back to a system image I made after I set everything up.

I got rid of Sandboxie cause it was no good to me, I happen to have a license for Shadow Defender if I need it. I don't use Comodo either anymore since I am struggling to even get anything passed Applocker, which is why I'm looking for scirptors to see if they can get passed it.

 

[hjlbx]

Malware doesn't scare me, I'm quite capable of removing them. I don't even save anything important on here. It's either in the cloud or on a USB HDD. Plus I just installed this installation a few days ago after putting the wrong Applocker rules in. So, even if something did get through, I am not that concerned cause it wouldn't take long to revert back to a system image I made after I set everything up.

I got rid of Sandboxie cause it was no good to me, I happen to have a license for Shadow Defender if I need it. I don't use Comodo either anymore since I am struggling to even get anything passed Applocker, which is why I'm looking for scirptors to see if they can get passed it.

At least use Shadow Defender. It will save you from having to do a post-infection clean install...

I know, I know... nothing seems to be getting past AppLocker. That's great, but SD is added insurance against that "worst-case" scenario...

 

[Malware Man]

At least use Shadow Defender. It will save you from having to do a post-infection clean install...

I know, I know... nothing seems to be getting past AppLocker. That's great, but SD is added insurance against that "worst-case" scenario...

Adding Shadow Defender seems to just make me look way too paranoid

Well with Shadow Defender it is a hassle. I have to add all the folders I want to exclude, all my website passwords aren't remembered. Got to keep logging back into them, Windows updates cannot be installed. Got to exit shadow mode and then get back into it. Windows 10 updates often. Even though I have a high level of control over my updates since I am running a higher Windows version, it still becomes a hassle.

I'll considering adding at least a AV beside Applocker so it doesn't have to do all the work!

Throwing in Shadow Defender and Sandboxie would just make it seem crazy. I mean there's no way something would get in but my God, it would be a challenge just to allow something to install.

 

[Deleted member 178]

and even the malware get in , isn't a clean install a real joy?

 

[hjlbx]

Adding Shadow Defender seems to just make me look way too paranoid

Well with Shadow Defender it is a hassle. I have to add all the folders I want to exclude, all my website passwords aren't remembered. Got to keep logging back into them, Windows updates cannot be installed. Got to exit shadow mode and then get back into it. Windows 10 updates often. Even though I have a high level of control over my updates since I am running a higher Windows version, it still becomes a hassle.

I'll considering adding at least a AV beside Applocker so it doesn't have to do all the work!

Throwing in Shadow Defender and Sandboxie would just make it seem crazy. I mean there's no way something would get in but my God, it would be a challenge just to allow something to install.

Just use Shadow Defender on-demand during malware testing only;in my earlier post I did not mean to suggest that you boot into Shadow Mode permanently. Shadow Defender can be used that way, but that is not necessary for malware testing.

When testing against scriptors you rarely will run across one that requires an installation restart... I would think that malware authors that use scriptors would not like a required system reboot as it alerts even those that do not pay attention to anything that something just happened on system. More aware user will get that something is amiss...

 

[Malware Man]

and even the malware get in , isn't a clean install a real joy?

Not really. I don't use many programs so it takes maybe a half hour to set everything back up. Maybe shorter.

Just use Shadow Defender on-demand during malware testing only;in my earlier post I did not mean to suggest that you boot into Shadow Mode permanently. Shadow Defender can be used that way, but that is not necessary for malware testing.

When testing against scriptors you rarely will run across one that requires an installation restart... I would think that malware authors that use scriptors would not like a required system reboot as it alerts even those that do not pay attention to anything that something just happened on system. More aware user will get that something is amiss...

Okay, I get what you're saying. It makes sense now. I thought you were telling me to use Shadow Defender permanently. You basically mean for me to use it when testing malware samples encase something gets through Applocker, to avoid a clean install. I cannot wait until I find something that does lol.

Well exe files aren't a worry. They get blocked pretty easily. I'm trying to find scriptors samples to test them, I have no idea where to get them. Google is no help. Google most likely took most malware sites out of their search index to avoid people going to them on purpose.

I would love somewhere to get scriptor samples. I already tested cryptolocker, fake AVs and ransomware. Those don't do anything. They get blocked right away. I heard scriptor malware is pretty dangerous so I'm looking for samples to test my config and to get it right.

I'd love some suggestions on where to find these, if you have any.

I'll go and add Shadow Defender to my allowed publisher's list and install it for you.

I have also installed a AV to help out with detection and so Applocker don't have to do all the work.

 

[hjlbx]

Not really. I don't use many programs so it takes maybe a half hour to set everything back up. Maybe shorter.



Okay, I get what you're saying. It makes sense now. I thought you were telling me to use Shadow Defender permanently. You basically mean for me to use it when testing malware samples encase something gets through Applocker, to avoid a clean install. I cannot wait until I find something that does lol.

Well exe files aren't a worry. They get blocked pretty easily. I'm trying to find scriptors samples to test them, I have no idea where to get them. Google is no help. Google most likely took most malware sites out of their search index to avoid people going to them on purpose.

I would love somewhere to get scriptor samples. I already tested cryptolocker, fake AVs and ransomware. Those don't do anything. They get blocked right away. I heard scriptor malware is pretty dangerous so I'm looking for samples to test my config and to get it right.

I'd love some suggestions on where to find these, if you have any.

I'll go and add Shadow Defender to my allowed publisher's list and install it for you.

I have also installed a AV to help out with detection and so Applocker don't have to do all the work.

@Malware Man

Check the MT Malware Hub... they appear there occasionally:

.js, .bat, .vbs, etc.

Search the list going back 3 months... you will find them here at MT.

 

[Malware Man]

@Malware Man

Check the MT Malware Hub... they appear there occasionally:

.js, .bat, .vbs, etc.

Search the list going back 3 months... you will find them here at MT.

I have searched but haven't gone back that far. Thanks, I'll have a look.

By default Applocker blocks .js, .ps1, .bat and .vbs , so I'm curious if any will get through. I will give it a go.

EDIT: Unfortunately the samples are so old that the links either give a 404 or are no longer available on the download server.

EDIT2: I just stumbled on some nasty malware funny on Google. It had tons of different stuff. (Cryptowall, Cryptolocker, Zesus, VBS malware, RATs, just about every type you can think of)

I went a happy clicker and went mad trying to run them. Of course the exe's got blocked without a problem. I then moved onto the VBS malware and BAT files. Both of them got blocked as well. They failed to run. Even when I right clicked and selected run as admin.

It's pretty amazing.

 

[cruelsister]

MM- the real interesting malware lately comes in an AutoIT package. They've been using what I call a Failsafer routine- the initial malware file when run on the victims system will spawn a daughter in some random directory and delete itself; the daughter will then spawn a daughter of its own in a different random directory prior to suiciding, etc. Of course all use algorithmic obfuscation to try to hide. Finally (after many steps) the payload is dropped somewhere with a deobfuscating Python script and the intended infection can proceed. It's a real issue for the forensic guys to determine exactly what the original vector was, especially if any of the daughters were on a time-delay.

A detection problem to be sure without any sort of dynamic analysis.

 

[Malware Man]

@cruelsister Thank you for th explanation, that is very interesting. Now, I don't have Python even installed on Windows at least, which means that Pyhton scripts shouldn't run. At least, I hope they won't. I do however, use Python in Linux. But I don't think I really have to worry about much malware at all on there.

You used some big words but I still got it

Yeah, I've seen malware that will delete itself when ran, copy itself to a different directory with a different file name and even extension, and then will hide itself making it difficult for you to find and remove and make you wonder where the source of the infection is coming from.

I'm curious if I install Python on Windows and try to run a .py script will it let me? I may have a go.

 

[cruelsister]

Python malware is self-contained and without dependencies when packaged as an executable. It will run just fine on Windows without Python ever being installed.

 

[Malware Man]

@cruelsister Good to know! Thank you. Do you happen to know where I could get some samples of scriptor malware to test? The malware hub links are so old so the files are no longer on the servers.