Date: Thu, 3 Mar 2005 08:41:37 -0800
From: "Joe Stocker" <joe@...tsecurityconsulting.com>
To: <bugtraq@...urityfocus.com>
Subject: Microsoft AntiSpyware Beta and Windows Scripting Host

The Scripting Guys wrote a good article on Technet yesterday summarizing how System Administrators can work around the script-blocking feature of Microsoft AntiSpyware. After reading the article it is also evident that it would be just as easy for Spyware to take the same hints to dodge the MS AntiSpyware Beta software.

The final release of this product needs to overcome the challenge of safely blocking harmful scripts while at the same time providing a manageable way for System Administrators to remotely manage workstations. 

The article points out that you can bypass the script blocker by simply calling cscript or wscript in front of the script, e.g. cscript myscript.vbs would prevent the script blocker from blocking a potentially harmful script.

Also, a spyware program could simply take the name of a valid script, and then AntiSpyware would never prompt the user. For example, c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then c:\mydir\myHarmfulScript.vbs could be renamed to MyValidScript.vbs and executed without prompting the user. This assumes that the malicious program would have access to the proprietary database in which AntiSpyware stores its acceptable programs, which is located in the .GCD files in the AntiSpyware installation root directory. The proprietary database could possibly be replaced with a tampered .GCD file containing an entry for the harmful script, e.g. c:\run.vbs.

http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx



Joe Stocker, CISSP
iNet Security Consulting
www.iNetSecurityConsulting.com
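The rename step described in the post, replayed as an added example (not part of the original message) to show the defender-side point: an allowlist keyed on file name accepts the swapped file, while one keyed on a content hash of the approved script does not. File names and script contents are constructed stand-ins.

```python
# Added example: name-based vs content-hash allowlisting for scripts.
# Script bodies and file names below are constructed for illustration.
import hashlib
import os
import tempfile

VALID_NAME = "myvalidscript.vbs"  # approved name, matched case-insensitively
VALID_BODY = b'WScript.Echo "approved inventory script"\r\n'  # constructed
OTHER_BODY = b'WScript.Echo "some unapproved script"\r\n'     # constructed stand-in


def sha256_of(path):
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path, allowed_names):
    """Weak check: approve whatever carries an approved file name."""
    return os.path.basename(path).lower() in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Stronger check: approve only content whose hash was recorded at approval time."""
    return sha256_of(path) in allowed_hashes


def run_rename_scenario():
    """Replay the swap: approved script -> .old, other script takes its name.
    Returns (name_check_passes, hash_check_passes) for the file now using the approved name."""
    with tempfile.TemporaryDirectory() as d:
        valid = os.path.join(d, "MyValidScript.vbs")
        other = os.path.join(d, "myHarmfulScript.vbs")
        with open(valid, "wb") as f:
            f.write(VALID_BODY)
        with open(other, "wb") as f:
            f.write(OTHER_BODY)
        # Approval snapshot taken while the genuine script is in place.
        allowed_names = {VALID_NAME}
        allowed_hashes = {sha256_of(valid)}
        # The swap from the post: move the approved script aside, reuse its name.
        os.rename(valid, os.path.join(d, "myValidScript.old"))
        os.rename(other, valid)
        return allowed_by_name(valid, allowed_names), allowed_by_hash(valid, allowed_hashes)


if __name__ == "__main__":
    print(run_rename_scenario())  # (True, False): name check fooled, hash check not
```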
