The Anti-virus Times

Tuesday, March 16, 2021

We are devoting today's issue to a short journey into the world of malicious scripts, a conversation about how Dr.Web resists them and tips on how to avoid them.

On social media, one of our readers asked about malicious scripts and general security when working on the Internet. In particular, the reader was interested in avoiding threats in JavaScript and other scripts placed by attackers on web pages, and they also asked for a few tips on how to properly configure the Dr.Web HTTP monitor. Thank you for the relevant question—it's a perfect opportunity to get down to the nitty gritty!

If we were to talk about all the malicious scripts that our virus experts ever detected, this article would come close to being a textbook and obviously wouldn’t fit into the format of the Anti-virus Times. You have probably guessed that this type of malicious program is very diverse and, therefore, very popular.

What is a malicious script?

In a broad sense, every script is a software code written in different interpreted languages. All scripts are executed with the help of external programs—interpreters. Unlike executable files, most scripts exist in the form of text files, and users can read them. For example, it is almost impossible to bring the source code of a compiled file to its original state, but scripts, on the contrary, always contain the source code. According to functional principles, the "bad" scripts look like the "good" ones.

Malicious scripts can be divided into two groups.

1. Scripts embedded into webpages are interpreted by the browser and execute actions written by hackers.
2. Scripts that are designed to run on the user's computer. They are executed by operating system components and have access to the API (file system, processes, etc.).

With regards to working on the Internet, we often mean the first group. Usually, such scripts are written in JavaScript and PHP. They are located in the code page of unscrupulous or compromised sites, and they try to mine cryptocurrency in the user's browser, display ads to increase traffic for a site, and redirect users to other sites, often fraudulent and dangerous ones. Web scripts can also include PHP infector that infect "good" scripts on the server. In addition, malicious code can be incorporated into browser extensions.

Theoretically, a webpage script can be used as an exploit—a data set erroneously interpreted by the browser that allows access to the targeted system. Currently, however, such exploits are becoming increasingly rare due to the evolution of browsers, which limit access to OS functions, so malicious code on a site is unlikely to harm the computer in general. But despite this, the aforementioned destructive functions can ruin the life of any user. Advertising, fraud, phishing, browser slowdown, even hacking sites—web scripts can do many things. In addition, they are cross-platform and very popular because hackers frequently use them to infect pages and web servers.

But the danger lies not only on websites. Another type of malicious script is scripts that are launched by operating system components. They can be written in different script languages: JScript, VBS, PowerShell, Perl, Python and many others. Such scripts are much more functional and dangerous since they directly address API objects. Despite the fact that scripts rarely provide basic functionality, they are often used either for the initial download of other malicious modules to infected systems or for intermediate steps or additional operations. For example, Windows often includes PowerShell scripts containing exploits or utilities to infiltrate a system/network. Although, scripts are considered to be cross-platform tools, some of them operate only in designated OSs since they require certain system APIs. PowerShell, BAT and JScript scripts run in Windows; AppleScript is designed for macOS; and malware for Linux is often represented as a bash script.

System scripts for OSs are most often spread via email, distributed on compromised and malicious sites, downloaded by other programs, and proliferated independently via removable media and network resources.

Also note that almost all malicious (and not only) scripts are obfuscated. This means that technologies other than the traditional comparison with signatures are often required for their detection.

To neutralise system scripts in Windows, we use machine-learning algorithms embedded in the basic anti-virus engine. This approach allows us to successfully detect malicious code regardless of its complexity, something that is not possible when using signature-based analysis.

To block web scripts, we use our heuristic analyser and the SpIDer Gate HTTP monitor. Note that for reliable protection, users do not need to make additional adjustments to any of the Dr.Web components because the default settings are optimal.

Thus, today we learned that scripts can carry very different malicious payloads—they can be exploits, miners, various auxiliary utilities, adware trojans and even encryption ransomware. To protect yourself and your computer, you need to use reliable protection.