I have excerpted items 2 through 6 from Fred Langa's "SPECIAL EXPANDED SECURITY COVERAGE!" mailing on 5/11/00, having to do with scripts.
2) Speaking of Free: ZoneAlarm Adds "MailSafe"
3) Free Tool To Disable Several Script Types At Once
4) Manually Deactivating *Any* Script Type
5) A Free Scripting "WatchDog"
6) OK, But What About Online Scripting?
2) Speaking of Free: ZoneAlarm 2.1.25 Adds "MailSafe"
In the wake of the "Luv Bug" email worm/virus that went around last week, ZoneLabs has cranked out a new version of ZoneAlarm, their free-for-personal-use Firewall.
ZoneAlarm 2.1.25 builds on the improved security of 2.1.18 and adds "MailSafe," which is ZoneLabs' term for the ability to intercept Visual Basic Script attachments in e-mail:
"ZoneAlarm MailSafe detects Visual Basic Script attachments and alerts the user to their presence. At that point, the user can choose to open the attachment, to delete the email or to check further on the validity of the email and the attachment. Since most users have no need for receiving attachments in the form of Visual Basic scripts, users should be suspicious of such attachments. Examples of recent high profile, and highly damaging, email-borne viruses written in Visual Basic Script include the 'Love Bug' virus and its multiple variants"
In the new version of ZoneAlarm, MailSafe is active by default; you can toggle it on and off via a check box in the Security Panel.
You can grab a copy of the new version at zonelabs.com

IMPORTANT NOTE: MailSafe only detects VBScript (.vbs) attachments and not other types of script attachments. As such, it's a useful but incomplete solution to the problem of hostile attached scripts. We'll show you how to handle other kinds of scripts in the next few items in this issue; one or more of these items should be just right for providing the level of security you want against hostile scripts.
Please read this issue all the way through before you decide what to use.
3) Free Tool To Disable Several Script Types At Once
Windows uses file "associations" in order to know what applications to use with various file types. Almost all file types have an association. For example, DOC files are associated with your word processor; TXT files are associated with NotePad or your simple text processor, HTM files are associated with your web browser, and so on.
Similarly, scripts that run locally on your PC (like the Luv Bug script) are associated with a specific application to run them---often the "Windows Scripting Host," but there are other script-running apps, too. The Cerberus Security Team in the UK (see cerberus-infosec.co.uk) has developed a quick-and-dirty way to "un-associate" the most common script types (VBS, VBE, WSF, WSH, JS and JSE) in the Windows registry. This leaves the scripts unchanged, but prevents Windows from knowing which application to use to run them, so Windows can't do anything with the scripts. If you or a malicious app tries to run a script, you'll simply get the "Open With?" dialog. You can then use something like NotePad to see what a script is going to do before you delete it or manually tell Windows how to run it (e.g. with the Windows Scripting Host).
You can get Cerberus' tool for free at cerberus-infosec.co.uk.
But note that it has three major limitations: First, file associations can change, so unassociating script file types today may not mean they'll still be unassociated the next time you try to run a script--- it's not a permanent fix. Second, it's specific to just the file types listed above (VBS, VBE, WSF, WSH, JS and JSE). And third, it's quite heavy-handed, just whacking a bunch of associations, wholesale.
The next items help address those deficiencies.
4) Manually Unassociating/Deactivating *Any* Script Type
I was going to write out this process myself, but reader Hal Adam beat me to it:
Hi Fred: If you are concerned about viruses (actually worms) like the recent "I love you" worm or the so called mutants of this worm then there is a way to protect yourself against all the mutants and any other file attachments which have file extensions of .vbs or .vbe EVEN if you accidentally "open" the attachment.
This is even more important since this worm was sent in source form. That means many people may have saved a copy of the actual text of the computer instructions (like yours truly :) ). The text instructions are Visual Basic Source code and thus are easily modifiable and thus many so called "mutants" may be easily created. So here is my suggestion about how to protect yourself from file attachments of this type:
1) Double click on the "My computer" icon.
2) Click on View followed by "Folder Options.." (NT has options only).
3) Click on the "File Types" tab.
4) Scroll down the "Registered file types" to 'VBScript file" and click on it (to select it).
5) Click the "Edit" button.
6) Click on action "Edit" (to select it)
7) Click on "Set Default" button. Edit should now be in bold print.
8) Click on action "Open" (to select it)
9) Click on "Edit .." button.
10) The field "Application used to perform action:" should be selected (ie text highlighted by blue).
11) Press both the Control and C keys to copy the selected text to the clipboard.
12) Press the "Cancel" button.
13) Press the "New.." button.
14) Click your mouse pointer in the "Action:" field and type in "Run" (without quotes)
15) Click your mouse pointer in the "Application to perform action" field and press both the Control and V keys to paste the contents of the previously copied clipboard item into the field.
16) Click on the "OK" button.
17) Click on action "Open" (to select it)
18) Click on the "Remove" button.
19) If you are asked if you are sure, reply yes.
20) Click on "Close" button. [Before closing the dialog box, make sure the "Confirm Open After Download" and "Always show extension" boxes are checked.---FL]
Steps 5 to 20 may be repeated for Registered file type of "VBScript Encoded File". [or other types of script files, too--- FL]
Thanks, Hal! What the above does is first set the default action for these scripts to "edit," so if you click on (say) a VBS file, it opens in NotePad instead of running. You can thus automatically view the script contents to see if it's something you really want to run. If it's OK, you can then RIGHT CLICK on the script file and manually select the RUN command you created in steps 13-16; and the script will then run normally.
But, as Hal pointed out in his email to me, "This is NOT 100% foolproof however, since some software installations may add an OPEN Action for .VBS files...so one needs to check the above settings once in a while to see if they are still correct. If you have not installed any additional software however, then you are totally protected against file attachments which end in a file extension of .vbs or .vbe [or other extensions you process this way---FL]."
I like Hal's approach because it gives you total control. However, it can be a lot of work to alter many file types manually; and seeing the script's contents in NotePad is useful only if you have some idea of script programming. (Scripts aren't hard to figure out, but can be confusing if you've never seen one before.)
The next item shows you an easier, more automated method of accomplishing much the same thing.
5) A Free Scripting "WatchDog"
Within a few days of the Luv Bug outbreak, the folks at WinMag posted "WatchDog," a free app that automatically does much of what Russ' manual method accomplishes (see item above).
"Watchdog will, with your consent, become the default program for Visual Basic Script (VBS) and other scripting files. When you launch one of these files, WatchDog will look it over and warn you of any possible security risks. You can then determine whether the program is supposed to be taking these actions and how to proceed. An install script that copies files to a specified location and makes a few Registry edits, for example, might raise some flags for file copying and Registry writing, but it could still be legitimate. Alternately, if WatchDog reports that that `love letter' you just received in your e-mail inbox will overwrite files and access Microsoft Outlook, you might want to steer clear."
It's cool, free, and effortless to use; you can configure it (with just a couple clicks) to monitor any or all of the following file types: VBS, VBE, WSF, WSH, JS and JSE.
I have Watchdog on my system; coupled with Hal's manual method, I can now easily monitor and control the actions of just about any script that runs locally.
Grab a copy of Watchdog at winmag.com.
6) OK, But What About Online Scripting?
All the above are geared towards the specific case of a hostile script running on your local system--- the Luv Bug scenario. What about scripts that run from the web, such as from within web sites you visit? Unlike the Luv Bug, these aren't downloaded as separate, stand-alone files; and you don't click on them because they run themselves.
Registry guru John Woram (see langa.com) cooked up a couple of Registry patches that let you easily toggle scripting on or off in Internet Explorer's "Internet Zone"--- or in any other zone. Placing these tiny files on your desktop and clicking them as needed is far simpler than the manual way to turn IE's scripting on or off by hand: Without John's cool tools, you have to click to File then Tools then Internet Options then Security then Custom, then scroll down to find Scripting, and then click Enable or Disable. John's trick is much easier.
There are two ways to get John's files. You can download them from langa.com, or you can create them on your system by opening NotePad and copying/pasting (or typing) the following four lines of text (line two is blank) between the "----". Don't copy the "----" because they're simply to show you where the files start and end.
To DISABLE scripting in the Internet Zone:
-----------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
-----------------------

To ENABLE scripting in the Internet Zone:
-----------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
-----------------------
In each case, save the file with a REG file extension--- ENABLE.REG and DISABLE.REG, for example.
John points out that if you also want to toggle scripting in other Zones, simply create new files exactly as above, except that you change the reference to "...\Zones\3]" as follows:

For your Local Intranet, use "...\Zones\1]"
For your Trusted Sites, use "...\Zones\2]"
For the Internet Zone, use "...\Zones\3]"
For your Restricted Sites, use "...\Zones\4]"
Thanks, John!
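Items 3, 4 and 6 all come down to a handful of Registry keys: the extension-to-ProgID chain (HKCR\.vbs names VBSFile), the verbs under the ProgID's Shell key (Edit, Open, and the Run verb Hal creates), and the "1400" value under each Internet Settings zone that John's REG files flip. The block below is an added example written for this page, not code from the newsletter, from Hal's letter or from John Woram's files. It parses the text that regedit exports, runs Hal's "check the settings once in a while" test for a script type, reads the scripting state of each zone, and emits the REGEDIT4 file that would carry out steps 7 and 13 to 18 of Hal's procedure. The export it works on is constructed for the example, and the Edit/Open command lines in it are illustrative; the value meanings for "1400" (0 allow, 1 prompt, 3 disallow) are the standard IE URL-action codes, of which the page shows the 0 and 3 cases.

```python
"""Audit a Windows .reg export for the settings items 3, 4 and 6 discuss: the
extension -> ProgID chain, the verbs registered for a script type (Hal's method)
and the IE zone scripting switch (John's REG files).  Added example, not code
from the newsletter, Hal's letter or John Woram's files; the export is constructed."""

HKCR = "HKEY_CLASSES_ROOT"
ZONES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONE_NAMES = {"1": "Local Intranet", "2": "Trusted Sites", "3": "Internet", "4": "Restricted Sites"}
SCRIPT_RUN = "1400"                      # URLACTION_SCRIPT_RUN, the "Active scripting" switch
SCRIPT_STATE = {0: "enabled", 1: "prompt", 3: "disabled"}


def parse_reg(text):
    """REGEDIT4 / 'Windows Registry Editor' text -> {key path: {value name: raw value}}.
    The default value is stored under the name '@'; a [-key] deletion line is kept as-is."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name if name == "@" else name.strip('"')] = raw
    return keys


def reg_string(raw):
    """Decode a quoted REG_SZ value, undoing the backslash escapes regedit writes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def reg_quote(s):
    """Inverse of reg_string: escape and quote a string for a .reg file."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_dword(raw):
    return int(raw.split(":", 1)[1], 16)


def progid_for(keys, ext):
    """Item 3's association chain: the default value of HKCR\\.vbs names the ProgID."""
    return reg_string(keys.get(f"{HKCR}\\{ext}", {}).get("@", "")) or None


def script_type_verbs(keys, progid):
    """Default verb plus {verb: command} for a ProgID such as VBSFile (verbs lower-cased)."""
    shell = f"{HKCR}\\{progid}\\Shell".lower()
    verbs = {}
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(shell + "\\") and k.endswith("\\command"):
            verbs[k[len(shell) + 1:-len("\\command")]] = reg_string(values.get("@", ""))
    default = next((reg_string(v.get("@", "")) for k, v in keys.items() if k.lower() == shell), "")
    return {"default": (default or "open").lower(), "verbs": verbs}  # Explorer falls back to Open


def check_script_type(keys, progid="VBSFile"):
    """Hal's periodic check: Edit must be the default verb and no Open verb may remain."""
    info = script_type_verbs(keys, progid)
    problems = []
    if info["default"] != "edit":
        problems.append(f"{progid}: default verb is '{info['default']}', expected 'edit'")
    if "open" in info["verbs"]:
        problems.append(f"{progid}: Open verb still runs {info['verbs']['open']}")
    return problems


def remediation_reg(keys, progid="VBSFile"):
    """A .reg file equivalent to steps 7 and 13-18 of Hal's procedure: make Edit the
    default, copy Open's command into a Run verb, then delete the Open verb."""
    open_cmd = script_type_verbs(keys, progid)["verbs"].get("open")
    lines = ["REGEDIT4", "", f"[{HKCR}\\{progid}\\Shell]", '@="Edit"', ""]
    if open_cmd:
        lines += [f"[{HKCR}\\{progid}\\Shell\\Run\\Command]", "@=" + reg_quote(open_cmd), "",
                  f"[-{HKCR}\\{progid}\\Shell\\Open]", ""]
    return "\n".join(lines)


def zone_scripting(keys):
    """{zone name: enabled/prompt/disabled} for each zone whose 1400 value is exported."""
    out = {}
    for num, name in ZONE_NAMES.items():
        values = keys.get(f"{ZONES}\\{num}", {})
        if SCRIPT_RUN in values:
            out[name] = SCRIPT_STATE.get(reg_dword(values[SCRIPT_RUN]), "unknown")
    return out


# Constructed sample export: a VBSFile whose default was set to Edit but whose Open
# verb was never removed, plus two zones after John's DISABLE.REG ran for zone 3.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\Command]
@="%SystemRoot%\\System32\\Notepad.exe %1"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="%SystemRoot%\\System32\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_EXPORT)
    print(".vbs ->", progid_for(keys, ".vbs"))
    print(check_script_type(keys) or ["VBSFile: OK"])
    print(zone_scripting(keys))
    print(remediation_reg(keys))
```

On a real machine the input would come from `regedit /e` (or `reg export`) of the HKCR\VBSFile and Internet Settings\Zones keys; the script only reads text, so it can be run over an export taken from another system. The remediation file is the registry view of Hal's click sequence, and feeding it back through the parser passes the check, which is the property you want before double-clicking a REG file.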