From: "Joe Stocker" <joe@xxxxxxxxxxxxxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Microsoft AntiSpyware Beta and Windows Scripting Host
Date: Thu, 3 Mar 2005 08:41:37 -0800
The Scripting Guys wrote a good article on Technet yesterday summarizing
how System Administrators can work around the script-blocking feature of
Microsoft AntiSpyware. After reading the article it is also evident that it
would be just as easy for Spyware to take the same hints to dodge the MS
AntiSpyware Beta software.
The final release of this product needs to overcome the challenge of safely
blocking harmful scripts while at the same time providing a manageable way
for System Administrators to remotely manage workstations.
The article points out that you can bypass the script blocker by simply
calling cscript or wscript in front of the script, e.g. cscript myscript.vbs
would prevent the script blocker from blocking a potentially harmful script.
Also, a spyware program could simply take the name of a valid script and
then AntiSpyware would never prompt the user. For example,
c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then
c:\mydir\myHarmfulScript.vbs could be renamed to MyValidScript.vbs and
executed without prompting the user. This assumes that the malicious
program would have access to the proprietary database in which AntiSpyware
stores its acceptable programs, which is located in the .GCD files in the
AntiSpyware installation root directory. The proprietary database could
possibly be replaced with a tampered .GCD file containing an entry for the
harmful script, e.g. c:\run.vbs.
http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx
Joe Stocker, CISSP
iNet Security Consulting
www.iNetSecurityConsulting.com