About malicious scripts: How they work, why they are dangerous and how to avoid them
Tuesday, March 16, 2021
We are devoting today's issue to a short journey into the world of malicious scripts, a conversation about how Dr.Web resists them and tips on how to avoid them.
If we were to talk about all the malicious scripts that our virus experts ever detected, this article would come close to being a textbook and obviously wouldn’t fit into the format of the Anti-virus Times. You have probably guessed that this type of malicious program is very diverse and, therefore, very popular.
What is a malicious script?
In a broad sense, a script is program code written in one of many interpreted languages. Scripts are executed with the help of external programs—interpreters. Unlike executable files, most scripts exist in the form of text files, so users can read them: it is almost impossible to restore a compiled file to its original source code, whereas a script is its source code. Functionally, "bad" scripts look just like "good" ones.
Malicious scripts can be divided into two groups.
- Scripts embedded into webpages. They are interpreted by the browser and perform the actions the attacker wrote into them.
- Scripts designed to run on the user's computer. They are executed by operating system components and have access to the system API (file system, processes, etc.).
Theoretically, a webpage script can be used as an exploit—a data set erroneously interpreted by the browser that allows access to the targeted system. Currently, however, such exploits are becoming increasingly rare due to the evolution of browsers, which limit access to OS functions, so malicious code on a site is unlikely to harm the computer in general. But despite this, the aforementioned destructive functions can ruin the life of any user. Advertising, fraud, phishing, browser slowdown, even hacking sites—web scripts can do many things. In addition, they are cross-platform and very popular because hackers frequently use them to infect pages and web servers.
But the danger lies not only on websites. The other type of malicious script is launched by operating system components. Such scripts can be written in different scripting languages: JScript, VBS, PowerShell, Perl, Python and many others. They are far more functional and dangerous, since they call API objects directly. Although scripts rarely implement the main payload themselves, they are often used for the initial download of other malicious modules onto infected systems, or for intermediate steps and auxiliary operations. For example, malware targeting Windows often includes PowerShell scripts containing exploits or utilities for infiltrating a system or network. Although scripts are considered cross-platform tools, some of them operate only in a particular OS because they require certain system APIs. PowerShell, BAT and JScript scripts run in Windows; AppleScript is designed for macOS; and malware for Linux is often a bash script.
OS-level scripts are most often spread via email, distributed on compromised and malicious sites, downloaded by other programs, and proliferated independently via removable media and network resources.
Also note that almost all malicious (and many legitimate) scripts are obfuscated. This means that technologies other than traditional signature comparison are often required to detect them.
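To illustrate why signature matching is a poor fit for obfuscated scripts, here is an added example (not Dr.Web's engine or code) that scores a script on structural indicators such as dynamic evaluation, character-code string building and base64 literals. The two sample scripts are constructed for the example: the obfuscated one merely reassembles the same harmless `WScript.Echo('Hello, world')` call, so a byte-level signature for the plain script would never match it.

```python
import math
import re
from collections import Counter

# Constructed samples: a plain JScript-style line and the same harmless call
# hidden behind character-code and base64 indirection (not real malware).
PLAIN_SCRIPT = "WScript.Echo('Hello, world');\n"
OBFUSCATED_SCRIPT = (
    "var a=String.fromCharCode(87,83,99,114,105,112,116,46,69,99,104,111);\n"
    "var b='SGVsbG8sIHdvcmxk';\n"
    "eval(a+'(\"'+atob(b)+'\")');\n"
)

# Heuristic indicators common to obfuscated JScript/VBS/PowerShell.
EVAL_RE = re.compile(r"\b(eval|execute|Invoke-Expression|iex)\b", re.I)
CHARCODE_RE = re.compile(r"fromCharCode\s*\(|\bchr\s*\(|\[char\]", re.I)
B64_RE = re.compile(r"['\"][A-Za-z0-9+/=]{16,}['\"]")
DECODE_RE = re.compile(r"\b(atob|FromBase64String|-EncodedCommand)\b", re.I)

def shannon_entropy(text):
    """Bits per character; encoded blobs push this up."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def obfuscation_indicators(script):
    return {
        "dynamic_eval": len(EVAL_RE.findall(script)),
        "charcode_build": len(CHARCODE_RE.findall(script)),
        "base64_literals": len(B64_RE.findall(script)),
        "decoder_calls": len(DECODE_RE.findall(script)),
        "entropy": round(shannon_entropy(script), 2),
    }

def obfuscation_score(script):
    """Weighted sum of indicators; weights are illustrative."""
    ind = obfuscation_indicators(script)
    score = 0
    score += 2 if ind["dynamic_eval"] else 0
    score += 2 if ind["charcode_build"] else 0
    score += 1 if ind["base64_literals"] else 0
    score += 1 if ind["decoder_calls"] else 0
    score += 1 if ind["entropy"] > 4.8 else 0
    return score

def is_suspicious(script, threshold=3):
    return obfuscation_score(script) >= threshold
```

Such a scorer is only a triage signal: legitimate minified code also trips it, which is why real engines combine these features with machine-learning classifiers rather than a fixed threshold.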
To neutralise system scripts in Windows, we use machine-learning algorithms embedded in the basic anti-virus engine. This approach allows us to successfully detect malicious code regardless of its complexity, something that is not possible when using signature-based analysis.
To block web scripts, we use our heuristic analyser and the SpIDer Gate HTTP monitor. Note that for reliable protection, users do not need to make additional adjustments to any of the Dr.Web components because the default settings are optimal.
Thus, today we learned that scripts can carry very different malicious payloads—they can be exploits, miners, various auxiliary utilities, adware trojans and even encryption ransomware. To protect yourself and your computer, you need to use reliable protection.
The Anti-virus Times recommends
- Use the comprehensive protection product Dr.Web Security Space, which includes signature, heuristic and machine-learning analysis technologies, HTTP traffic control, an anti-spam module, and regularly updated databases of dangerous and non-recommended sites.
- Follow the settings recommended by the software developer and do not disable individual anti-virus protection components.
- Do not ignore security warnings issued by the anti-virus, the browser, search engines and the operating system.
- Regularly update your operating system, the anti-virus, and programs you use when working on the Internet.
- Do not install dubious browser extensions and plugins.
- For website owners and administrators: use firewalls for web applications, keep CMS and server software up to date, and regularly create back-up copies of your site.