vissha Posted April 20, 2016

How to Prevent ZIP Files from Executing Malicious JavaScript Behind Your Back
Protect yourself from JS-boobytrapped ZIP files

Quote:

A problem exists today affecting countless unsuspecting users, and that's the problem of ZIP files boobytrapped with malicious JavaScript code that can automatically and secretly download and launch malware into execution on their PCs.

For some years now, you could add JavaScript code to ZIP, RAR, or other types of archive files. When unzipping the file, the JavaScript file would execute, automating various operations. On Windows, this code would run via the Windows Script Host (WSH), an automation technology for Microsoft Windows operating systems, similar to batch files, but one that can work with JavaScript and JScript (Microsoft's version of JavaScript) code.

With such powerful features, you sometimes wonder how come it took malware coders so much time to figure out they could abuse this ability to do bad. But they have now, and it's not rosy.

"ZIP files boobytrapped with JavaScript abused to spread malware"

We've seen ransomware, banking trojans, and all sorts of nasty malware distributed via this method. Attackers craft a malicious ZIP file, append it to an email, and spam hundreds and thousands of users in short-burst campaigns.

When users receive the email, they download the file and unzip it, thinking that if there is malware, it's probably packed inside the ZIP as an EXE. Without their realizing it, the damage has already been done via the JavaScript file that silently executed, and the malware has already taken root.

But there's a way to prevent this, according to F-Secure, a Finnish cyber-security vendor, whose how-to tutorial we're reproducing down below.
To prevent automatic execution of a malicious JavaScript file attached to a ZIP file, you'll have to edit the Windows Registry and disable the automatic connection between the JavaScript/JScript code and the Windows Script Host mentioned above.

"Let's disable automatic JavaScript execution via Windows Script Host"

Open the Windows Search and type in "Regedit" to open the Windows Registry Editor. On the left you have some folders. Open the folders in the following order (path):

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"

Once you've reached the last folder called "Settings," go to the panel on the right and right-click anywhere on the background. From the new popup menu, select "New" and then "DWORD (32-bit) Value". This will create a new entry, which you'll have to name "Enabled".

Once you've done this, double-click it to open a new popup. In this popup, make sure that you have "0" (zero) entered in the Value field, and that the Base setting is set to Hexadecimal.

"Testing that everything works"

That's it. Close all the windows and go for a test. To verify that the Windows Script Host won't open any JavaScript files, first, you'll need some JavaScript files. The easiest way is to download this file right here, which is the jQuery JavaScript library. Press CTRL+S to save it from your browser to your computer, and then double-click the file.

If you've set up your Windows Registry correctly, the following popup will appear, telling you the Windows Script Host has been disabled.
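The registry change and the verification step described in the post above, scripted as an added example (this is the editor's code, not part of the original post or of F-Secure's tutorial). It uses the same key and value the post names, HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings with a REG_DWORD "Enabled" set to 0. Instead of downloading jQuery and double-clicking it, the check writes a one-line probe script of its own (constructed here) and runs it through cscript.exe, the console variant of the Windows Script Host, so the result is captured as text rather than shown in a popup. The function names and the probe file name are assumptions for the example. Run it from an elevated PowerShell session, since HKLM is writable only by administrators.

```powershell
# Added example: apply and verify the "Enabled = 0" WSH setting from the post.
# Assumed names: Get-WshState, Disable-Wsh, Test-WshBlocked, wsh-probe.js.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'enabled' or 'disabled' from the machine-wide value.
    # A missing value means WSH is enabled, which is the Windows default.
    $v = (Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v -or $v -ne 0) { 'enabled' } else { 'disabled' }
}

function Disable-Wsh {
    # Create the Settings key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    # REG_DWORD 0 is the same thing the post creates by hand in Regedit.
    New-ItemProperty -Path $wshKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WshBlocked {
    # Constructed probe: a harmless script that only prints a marker string.
    $js = Join-Path $env:TEMP 'wsh-probe.js'
    Set-Content -Path $js -Value 'WScript.Echo("WSH ran this script");' -Encoding ASCII
    try {
        # cscript.exe is the console WSH host; stderr is merged so the
        # "Windows Script Host access is disabled on this machine" message
        # is captured too, whichever stream it lands on.
        $out = & cscript.exe //Nologo $js 2>&1 | Out-String
    } finally {
        Remove-Item $js -ErrorAction SilentlyContinue
    }
    # True when the marker never appeared, i.e. the script did not execute.
    return ($out -notmatch 'WSH ran this script')
}

"Before: WSH is $(Get-WshState)"
Disable-Wsh
"After:  WSH is $(Get-WshState)"
if (Test-WshBlocked) { 'Probe script was blocked by WSH' } else { 'WARNING: probe script still executed' }
```

Two caveats a practitioner will want alongside the post's instructions. First, the value lives under HKLM, so it disables the Windows Script Host for every user on the machine, and WSH hosts not only .js and .jse files but also .vbs, .vbe, .wsf and .wsh, so any legitimate logon or maintenance scripts written for WSH stop running as well; the same value name under HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings restricts a single user instead. Second, this blocks only scripts that run through WSH; it does nothing about an archive that carries an ordinary .exe, which the post itself notes is what most users expect to find. To revert, set Enabled to 1 or delete the value.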
Reefa Posted April 20, 2016

Topic moved from Security and Privacy news.
straycat19 Posted April 20, 2016

40 minutes ago, vissha said:
"That's it. Close all the windows and go for a test. To verify that the Windows Script Host won't open any JavaScript files, first, you'll need some JavaScript files. The easiest way is to download this file right here, which is the jQuery JavaScript library. Press CTRL+S to save it from your browser to your computer, and then double-click the file."

Ran the test without doing anything to the system and it will not run. My systems are locked down so they won't run anything I don't specifically tell them to run, including scripts. Before making any modifications to my system when something like this is posted, I always test the system first to see if I really need the 'fix'. Happy to say I have not yet found a 'fix' I needed to apply beyond the basic security settings I use on all my systems.