About malicious scripts: How they work, why they are dangerous and how to avoid them
Tuesday, March 16, 2021
We are devoting today's issue to a short journey into the world of malicious scripts, a conversation about how Dr.Web resists them and tips on how to avoid them.
On social media, one of our readers asked about malicious scripts and general security when working on the Internet. In particular, the reader was interested in avoiding threats in JavaScript and other scripts placed by attackers on web pages, and they also asked for a few tips on how to properly configure the Dr.Web HTTP monitor. Thank you for the relevant question—it's a perfect opportunity to get down to the nitty gritty!
If we were to talk about all the malicious scripts that our virus experts ever detected, this article would come close to being a textbook and obviously wouldn’t fit into the format of the Anti-virus Times. You have probably guessed that this type of malicious program is very diverse and, therefore, very popular.
What is a malicious script?
In a broad sense, a script is program code written in an interpreted language. All scripts are executed with the help of external programs, namely interpreters. Unlike executable files, most scripts exist in the form of text files that users can read. Restoring the source code of a compiled file is almost impossible, whereas a script always is its source code. In terms of how they function, "bad" scripts look just like "good" ones.
Malicious scripts can be divided into two groups.
- Scripts embedded into webpages are interpreted by the browser and execute actions written by hackers.
- Scripts that are designed to run on the user's computer. They are executed by operating system components and have access to the API (file system, processes, etc.).
When we talk about working on the Internet, we usually mean the first group. Such scripts are typically written in JavaScript and PHP. They are placed in the code of unscrupulous or compromised sites, where they try to mine cryptocurrency in the user's browser, display ads to increase a site's traffic, and redirect users to other sites, often fraudulent and dangerous ones. Web scripts also include PHP infectors that infect "good" scripts on the server. In addition, malicious code can be incorporated into browser extensions.
Theoretically, a webpage script can be used as an exploit—a data set erroneously interpreted by the browser that allows access to the targeted system. Currently, however, such exploits are becoming increasingly rare due to the evolution of browsers, which limit access to OS functions, so malicious code on a site is unlikely to harm the computer as a whole. Despite this, the destructive functions listed above can ruin the life of any user. Advertising, fraud, phishing, browser slowdown, even hacking sites—web scripts can do many things. In addition, they are cross-platform and very popular because hackers frequently use them to infect pages and web servers.
But the danger lies not only on websites. The other type of malicious script is launched by operating system components. Such scripts can be written in various scripting languages: JScript, VBS, PowerShell, Perl, Python and many others. They are much more functional and dangerous since they directly address API objects. Although scripts rarely implement the main malicious functionality themselves, they are often used either for the initial download of other malicious modules to infected systems or for intermediate steps and additional operations. For example, Windows malware often includes PowerShell scripts containing exploits or utilities to infiltrate a system or network. Although scripts are considered to be cross-platform tools, some of them operate only in designated OSs since they require certain system APIs. PowerShell, BAT and JScript scripts run in Windows; AppleScript is designed for macOS; and malware for Linux is often represented as a bash script.
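Scripts injected into a compromised page are usually easy to spot once you know what the page is supposed to load. The following added example (not code from the article or from Dr.Web) inventories the `<script>` elements of an HTML page with Python's standard library and flags external scripts whose host is not on an allow-list, alongside the inline scripts a reviewer should read by hand. The sample page, the `.invalid` host and the allow-list are constructed for the example.

```python
"""Inventory the scripts a web page loads and flag the unexpected ones.

Added example for site owners: parse a page with the standard library,
list external <script src=...> hosts and inline script bodies, and
report any external host that is not on the site's own allow-list.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect <script> elements: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of the src attribute
        self.inline = []        # bodies of inline <script> blocks
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw script body to handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def host_of(src):
    """Host a script is loaded from; '' for same-origin paths like /assets/app.js."""
    return (urlsplit(src).hostname or "").lower()


def inventory_scripts(html, allowed_hosts):
    """Return (unexpected_external_srcs, inline_bodies) for one page.

    Same-origin scripts are trusted here; every third-party host must be
    on the allow-list, which is what a site owner knows about their own page.
    """
    collector = ScriptCollector()
    collector.feed(html)
    unexpected = [s for s in collector.external
                  if host_of(s) and host_of(s) not in allowed_hosts]
    return unexpected, collector.inline


# Constructed sample page: one same-origin script, one known CDN, one injected
# tag pointing at a host the owner never added (placeholder .invalid domain).
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//static.injected-example.invalid/m.js"></script>
</head><body>
<p>Hello</p>
<script>document.title = "Welcome";</script>
</body></html>"""

ALLOWED_HOSTS = {"cdn.example.com"}   # constructed allow-list for the sample

if __name__ == "__main__":
    unexpected, inline = inventory_scripts(SAMPLE_PAGE, ALLOWED_HOSTS)
    for src in unexpected:
        print("unexpected external script:", src)
    for body in inline:
        print("inline script to review:", body)
```

Run it against a saved copy of a page after every deployment and diff the output against the previous run; a new external host or a new inline block that nobody deployed is the typical footprint of an injected script.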
System scripts for OSs are most often spread via email, distributed on compromised and malicious sites, downloaded by other programs, and proliferated independently via removable media and network resources.
Also note that almost all malicious scripts (and not only malicious ones) are obfuscated. This means that techniques beyond the traditional comparison with signatures are often required to detect them.
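Why signatures fall short on obfuscated scripts is easiest to see with a small detector. The added example below (not code from the article or from Dr.Web, and not the technology it describes) hashes each script the way a trivial signature would and, in parallel, scores it on indicators that obfuscators rely on: string-to-code constructs such as `eval`, `unescape`, `atob` and `String.fromCharCode`, long encoded blobs, and high character entropy. The three script samples are constructed; the wrapped payload is a harmless `console.log`. Re-encoding the same payload changes the hash every time but leaves the indicator score unchanged.

```python
"""Heuristic scoring of scripts versus exact-signature matching.

Added example: a signature (hash) changes whenever the wrapper around a
payload is re-encoded, while a small set of obfuscation indicators keeps
flagging every variant. Thresholds and token lists are assumptions chosen
for this example, not any product's tuning.
"""
import hashlib
import math
import re

# Constructs ordinary page scripts rarely need but obfuscated ones lean on.
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "String.fromCharCode",
                     "atob(", "Function(", "document.write(")
# A run of \xNN escapes or a base64-looking run of 20+ characters.
LONG_ENCODED_STRING = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/=]{20,}")
ENTROPY_THRESHOLD = 5.2   # bits per character; plain source sits well below this


def signature(script):
    """What a naive signature is: the hash of the exact bytes."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def shannon_entropy(text):
    """Bits per character of the text; dense encoded blobs score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_score(script):
    """Return (score, reasons); higher means more likely obfuscated."""
    score, reasons = 0, []
    for tok in SUSPICIOUS_TOKENS:
        if tok in script:
            score += 2
            reasons.append("uses " + tok)
    if LONG_ENCODED_STRING.search(script):
        score += 2
        reasons.append("contains a long encoded string")
    ent = shannon_entropy(script)
    if ent > ENTROPY_THRESHOLD:
        score += 1
        reasons.append(f"high entropy ({ent:.2f} bits/char)")
    return score, reasons


# Constructed samples. The payload is harmless; the wrappers are the
# string-to-code patterns obfuscated scripts use to hide their real body.
PAYLOAD = 'console.log("hi")'
BENIGN = 'document.getElementById("greeting").textContent = "Welcome back";'
VARIANT_CHARCODE = ("eval(String.fromCharCode("
                    + ",".join(str(ord(c)) for c in PAYLOAD) + "));")
VARIANT_UNESCAPE = ('eval(unescape("'
                    + "".join(f"%{ord(c):02X}" for c in PAYLOAD) + '"));')
VARIANT_BASE64 = 'eval(atob("Y29uc29sZS5sb2coImhpIik="));'   # base64 of PAYLOAD

if __name__ == "__main__":
    for name, script in [("benign", BENIGN), ("charcode", VARIANT_CHARCODE),
                         ("unescape", VARIANT_UNESCAPE), ("base64", VARIANT_BASE64)]:
        score, reasons = obfuscation_score(script)
        print(f"{name:9} sig={signature(script)[:12]} score={score} {reasons}")
```

The three variants carry the same behaviour and three different hashes, so a signature written for one of them misses the other two; the indicator score catches all three and stays at zero for the plain script. Real engines combine many more such features (the article mentions machine-learning models for this reason), but the principle is the same: classify by what the code does and how it is built, not by its exact bytes.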
To neutralise system scripts in Windows, we use machine-learning algorithms embedded in the basic anti-virus engine. This approach allows us to successfully detect malicious code regardless of its complexity, something that is not possible when using signature-based analysis.
To block web scripts, we use our heuristic analyser and the SpIDer Gate HTTP monitor. Note that for reliable protection, users do not need to make additional adjustments to any of the Dr.Web components because the default settings are optimal.
Thus, today we learned that scripts can carry very different malicious payloads—they can be exploits, miners, various auxiliary utilities, adware trojans and even encryption ransomware. To protect yourself and your computer, you need to use reliable protection.
The Anti-virus Times recommends
- Use the comprehensive protection product Dr.Web Security Space, which includes signature, heuristic and machine-learning analysis technologies, HTTP traffic control, anti-spam, and regularly updated databases of dangerous and non-recommended sites.
- Follow the settings recommended by the software developer and do not disable individual anti-virus protection components.
- Do not ignore security warnings issued by the anti-virus, the browser, search engines and the operating system.
- Regularly update your operating system, the anti-virus, and programs you use when working on the Internet.
- Do not install dubious browser extensions and plugins.
- For website owners and administrators: use firewalls for web applications, keep CMS and server software up to date, and regularly create back-up copies of your site.
#JavaScript #SpIDer_Gate #browser #names #non-recommended_sites #link_checking #Dr.Web_technologies
Comments
Niuxin
01:32:32 2021-04-15
Пaвeл
15:21:18 2021-03-16
Philip
11:40:31 2021-03-16
Suppose a torrent was under heavy load at 5 o'clock in the morning U.K. time, and cloud-connected Dr.Web went down. Could it bring a Linux system down with it?
Let us say I began receiving warning alerts at five in the morning, and the Linux system was constantly trying to reboot and giving out a "media failure" message.
And I logged into iLO 4, and there was no such media failure or hardware failure; everything was A-OK, in good working order.
Then let us say I reset boot and did a history command, and no commands had been issued by any outsider. I then did a log command, and the last known activity was from the Dr.Web for Linux Xfce desktop GUI. There was one other IP address, from an old Turkish click-click script amateur forum hacking group website, which may have been downloading a torrent file from me before the crash? Could Dr.Web for Linux, if attacked, bring down a complete Linux system?
If Doctor Web got nosy, seeing lots of traffic on my Linux system for a number of years, could their nosiness poking around bring down a Linux system by accident?
Would Doctor Web attempt to have a look around on somebody else's system and accidentally break security, bringing down a Linux system?
Does not require an answer. This is what happened, and that was all I could find. This is not a forum for answers.
From the land beyond beyond,
From the world past hope and fear
I bid you Genie, now appear!