The Scripting Guys wrote a good article on TechNet yesterday summarizing how system administrators can work around the script-blocking feature of Microsoft AntiSpyware. After reading the article it is also evident that it would be just as easy for spyware to take the same hints to dodge the MS AntiSpyware Beta software.
The final release of this product needs to overcome the challenge of safely blocking harmful scripts while at the same time providing a manageable way for system administrators to remotely manage workstations.
The article points out that you can bypass the script blocker simply by putting cscript or wscript in front of the script name; for example, cscript myscript.vbs would keep the script blocker from blocking a potentially harmful script.
Also, a spyware program could simply take the name of a valid script, and AntiSpyware would never prompt the user. For example, c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then c:\mydir\myHarmfulScript.vbs could be renamed to MyValidScript.vbs and executed without prompting the user. This assumes that the malicious program would have access to the proprietary database in which AntiSpyware stores its list of acceptable programs, which is located in the .GCD files in the AntiSpyware installation root directory. That database could possibly be replaced with a tampered .GCD file containing an entry for the harmful script, e.g. c:\run.vbs.
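The following is a constructed model of the two weaknesses described above, added here as an illustration; it is not code from the Scripting Guys article or from the AntiSpyware product, and it does not touch the real .GCD database. It shows a blocker that only inspects the program being launched (so a leading cscript or wscript hides the script) beside a check that resolves the host's script argument, and a name-keyed allowlist beside a content-hash allowlist run against the rename swap from the mail. The script hosts, extensions, paths, script bodies and the dict used as a stand-in file system are all assumptions.

```python
"""Constructed model of a script blocker and its allowlist.

Two checks are compared: one that only looks at argv[0] (defeated by a
cscript/wscript prefix) and one that peels the host off to find the real
script.  Two allowlists are compared: one keyed on file name (defeated by
the rename swap) and one keyed on a SHA-256 of the file contents.
"""
import hashlib
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"cscript", "cscript.exe", "wscript", "wscript.exe"}
SCRIPT_EXTS = {".vbs", ".js", ".wsf"}


def naive_script_target(cmdline):
    """Weak check: the launch counts as a script only when the script itself
    is the program, which a leading cscript/wscript defeats."""
    argv = cmdline.split()  # constructed inputs carry no quoted paths
    if not argv:
        return None
    prog = PureWindowsPath(argv[0])
    return str(prog) if prog.suffix.lower() in SCRIPT_EXTS else None


def hardened_script_target(cmdline):
    """Stronger check: also peel a cscript/wscript host and its //options off
    the command line to find the script that will actually run."""
    argv = cmdline.split()
    if not argv:
        return None
    prog = PureWindowsPath(argv[0])
    if prog.suffix.lower() in SCRIPT_EXTS:
        return str(prog)
    if prog.name.lower() in SCRIPT_HOSTS:
        for arg in argv[1:]:
            if arg.startswith("//"):  # host switches such as //nologo or //B
                continue
            return arg
    return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def allowed_by_name(path, name_allowlist):
    """Name-keyed allowlist: whatever file sits at an approved path is trusted."""
    return path.lower() in name_allowlist


def allowed_by_hash(path, contents, hash_allowlist):
    """Hash-keyed allowlist: the file at the approved path must also match the
    content hash recorded when it was approved."""
    return hash_allowlist.get(path.lower()) == sha256_hex(contents)


# Constructed stand-ins for the two scripts named in the mail (placeholder bodies).
VALID_SCRIPT = b'WScript.Echo "admin maintenance task"\r\n'
UNWANTED_SCRIPT = b"' placeholder body standing in for a script the user would not approve\r\n"
VALID_PATH = r"c:\mydir\myValidScript.vbs"
UNWANTED_PATH = r"c:\mydir\myHarmfulScript.vbs"


def rename_swap_outcome():
    """Replay the rename swap from the mail against both allowlist styles and
    report whether each would still treat the swapped-in file as approved."""
    fs = {VALID_PATH: VALID_SCRIPT, UNWANTED_PATH: UNWANTED_SCRIPT}
    name_allowlist = {VALID_PATH.lower()}
    hash_allowlist = {VALID_PATH.lower(): sha256_hex(fs[VALID_PATH])}

    # myValidScript.vbs -> myValidScript.old, then myHarmfulScript.vbs -> myValidScript.vbs
    fs[r"c:\mydir\myValidScript.old"] = fs.pop(VALID_PATH)
    fs[VALID_PATH] = fs.pop(UNWANTED_PATH)

    return {
        "name_based_allows": allowed_by_name(VALID_PATH, name_allowlist),
        "hash_based_allows": allowed_by_hash(VALID_PATH, fs[VALID_PATH], hash_allowlist),
    }


def decide(cmdline, fs, hash_allowlist):
    """Hardened policy: resolve the real script, then require a hash match;
    anything else falls back to prompting the user."""
    target = hardened_script_target(cmdline)
    if target is None:
        return "not-a-script"
    contents = next((c for p, c in fs.items() if p.lower() == target.lower()), None)
    if contents is not None and allowed_by_hash(target, contents, hash_allowlist):
        return "allow"
    return "prompt"


if __name__ == "__main__":
    print(rename_swap_outcome())
```

The point of the pairing is that the name-keyed allowlist still approves the swapped-in file while the hash-keyed one does not, and that a blocker which only inspects argv[0] never sees the script behind a cscript prefix. A real implementation would also need proper quoting of command lines and a signed or access-controlled allowlist store, since the mail notes that the same attacker could simply replace the database file.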
Joe Stocker, CISSP
iNet Security Consulting