22

Recently it seems there has been a big outbreak of zip files being emailed to people with a .js file containing code that downloads and executes cryptoware.

How does the .js actually get executed though? Do users have to execute the javascript file itself after extracting it or is it somehow possible to make the javascript file execute upon extraction? I am rather confused on how this causes so many infections.

Anders
Austin
    The JS is named something like "list of employees to be fired" and human stupidity does the rest. ;) – André Borie Mar 28 '16 at 22:11
  • I'm curious if there is a way that it is self-executing once extracted. Another analyst once claimed that he didn't open the js in a locky variant but it detonated. – nyxgeek Mar 29 '16 at 01:32
  • 4
    @paulburkeland seems unlikely. Code execution exploits are common in complex applications like web browsers but I would assume basic stuff like file/archive managers are now robust enough. In this case I'm suspecting they're lying as they don't want to end up on the now real "list of employees to be fired". – André Borie Mar 29 '16 at 02:30
  • 1
    completely off topic, but wouldn't "cryptomalware" better express what is happening? Wouldn't it be disturbing to see spreading use of a legitimate-sounding word like "cryptoware" for something that is bound to be associated with something wrong like malware? I'm not comfortable with the literature but this is wrong. – n611x007 Mar 29 '16 at 07:14
  • 4
    Very often, the file will be named `Something Tempting.jpg.js`. The default in Windows (the stupidest ever decision by Microsoft) is to hide extensions ("_they're too techie_") so the user sees `Something Tempting.jpg`, thinks it's just an image, and opens it, not realising they're really running some Javascript. – TripeHound Mar 29 '16 at 12:57
  • @AndréBorie There should be at least something (apart from the hidden extension) to give up that it's not a text file - e.g. the icon. But yeah, people are naïve. – Kamen Minkov Mar 29 '16 at 13:15
  • @KamenMinkov but a .exe executable can have an icon embedded in it, mimicking the default icon for the file type it pretends to be. – Chris H Mar 29 '16 at 14:47
  • 1
    @ChrisH Yeah, there is an enormous amount of ways to fool an unsuspecting user. I guess there's also some luck involved in the user actually taking the bait. – Kamen Minkov Mar 29 '16 at 15:26
  • `.js`? How is that getting executed with user-level privileges? Are all the targeted users Node developers? Or does Windows have some default JavaScript engine that I'm unaware of? – Ajedi32 Mar 29 '16 at 17:55
  • 2
    @AndréBorie "list of employees to be fired.js" - malware, or a good way of populating the list? – Jon Bentley Mar 29 '16 at 19:37
  • @Ajedi32 Windows has JScript, which is different from JavaScript mostly in name only. –  Mar 30 '16 at 01:30

4 Answers

25

Do you remember "I love you" ?

Human curiosity often does the trick: unarchiving the zip and then executing the JS (via the Windows Scripting Host, which does not follow the same restrictions as a browser's JS engine).

There are more than enough people who do want to be sure they didn't miss a payment and will be cut off from their mobile phone soon.

A fundamental unawareness of how email works is another great factor here:

The email comes from Tom! And he says I should have a look. Tom always shares funny images on facebook, let's see!

Completely unaware of email-sender spoofing (which shouldn't be a problem with DKIM, SPF, S/MIME and PGP around, but that's another story), those users just trust the sender and open the files.

INORITE? But that's just human curiosity bundled with a fatal lack of knowledge.

Tobi Nary
15

The same user who clicks on the ZIP-file to extract the JS-file also clicks the JS-file.

This will launch the Windows Script Host to execute the script (it runs both JScript (JS and JSE) and VBScript (VBS and VBE)). The scripts run by WSH are not sandboxed in the way they would be in a browser.

Launching a JS in this manner is pretty much the same as launching an EXE.

tlund
  • 1
    But what does that do, open it in a web browser? Where... it's still sandboxed in the browser sandbox? – Michael Mar 29 '16 at 01:43
  • 7
    @Michael Windows has its own JS runtime that is by default associated with .js files and has different rules in terms of sandboxing. I haven't looked into that in depth but from having seen some malicious .js files in the wild I can assume they're at least able to do file I/O and call other binaries. – André Borie Mar 29 '16 at 02:32
  • 1
    @AndréBorie I don't think there is a sandbox in Windows Script Host. It's really for automation, akin to running an untrusted cmd, PowerShell, sh, bash, AppleScript, etc., script. There are ways to lock it down some, but that's not default. – Bob Mar 29 '16 at 02:40
  • Ah, I wasn't aware of Windows Script Host. Interesting... – Ajedi32 Mar 29 '16 at 18:01
10

Windows Script Host is an automation technology that provides scripting abilities. It is language-independent in that it can make use of different Active Scripting language engines.

By default, Windows interprets and runs JScript (.js and .jse files) and VBScript (.vbs and .vbe files).

Clicking a .js file will make wscript.exe interpret it and the script can do anything. For example, this pops up calc:

// WScript.Shell is a COM object exposed by the script host; Run() starts any program.
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("calc");

There have been methods or vulnerabilities that allowed automatic execution without (directly) opening the malicious file, like DLL hijacking and sideloading. But, to my knowledge, there is no new method or vulnerability actively exploited in the wild. Such a method would be very effective at spreading malware and would quickly get public notice.

Cristian Dobre
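The answer above explains that a double-clicked .js file is handed to wscript.exe, and a comment earlier notes that WSH can be locked down but is not by default. The following is an added example (not code from any of the answers): a read-only PowerShell audit of the three Windows settings that matter here, assuming a stock install where the `.js` extension maps to the `JSFile` ProgID, WSH is switched off via the `Windows Script Host\Settings\Enabled` value, and Explorer's `HideFileExt` controls whether `Something.jpg.js` is shown as `Something.jpg`.

```powershell
# Added example: audit whether this machine runs double-clicked .js files under
# Windows Script Host and whether Explorer hides extensions. Read-only; it
# changes nothing. Registry paths are the standard Windows ones (assumption:
# a stock install that has not been customised).

function Get-JsHandler {
    # Resolve .js -> ProgID (normally JSFile) -> the shell\open\command that runs it.
    $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.js' -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
}

function Test-WshEnabled {
    # "Enabled" = 0 under either hive disables WSH; a missing value means enabled.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -ne $val -and $val -eq 0) { return $false }
    }
    return $true
}

function Test-ExtensionsHidden {
    # HideFileExt = 1 (the default) is what lets "x.jpg.js" display as "x.jpg".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $val -or $val -eq 1)
}

$handler = Get-JsHandler
Write-Host "Handler for .js   : $handler"
if ($handler -match 'wscript\.exe|cscript\.exe') {
    Write-Warning 'Double-clicking a .js file runs it under Windows Script Host with the user''s full rights.'
}
Write-Host "WSH enabled       : $(Test-WshEnabled)"
Write-Host "Extensions hidden : $(Test-ExtensionsHidden)"
```

The usual hardening, applied by policy rather than by this script, is to point the JSFile handler at a text editor such as Notepad or to set the WSH `Enabled` value to 0, and to turn off `HideFileExt` so the real extension is visible.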
0

IIRC you can't make the files auto-execute easily (there may be ways, but most of these attacks do not rely on them).

Very uninformed people (the majority of PC users) usually have no issues clicking files, though, and doing so with a .js file will, on most PCs (unless sufficiently locked down), run it in the default Windows JS RE.

Magisch
  • 2
    "*IIRC you can't make the files auto-execute.*" - I advise you to be very careful before saying "**you can't**" when talking about security. There were and still are many hideous ways of tricking computers into auto-executing malicious code. This question wasn't the case, but that doesn't mean you can say "**you can't**". – Tomáš Zato - Reinstate Monica Mar 29 '16 at 08:18
  • @TomášZato good point, I edited the answer to reflect that. – Magisch Mar 29 '16 at 08:19