RE: Worms and CScript/WScript

From: verbalat_private
Date: Tue May 21 2002 - 15:17:37 PDT

    Sure you could, but if they get that far, you're in trouble as it is.
    You could adjust the NTFS perms on the files listed below to
    explicitly allow rights only to certain users; however, who knows
    what ill effects that could have in future application
    installation/use.
    
    Ultimately, once they're in, they're in.  A person can't just execute
    arbitrary code on a remote host without the availability of some
    exploit on the perimeter.  Why not stop them there first?  (hardening
    in the event of perimeter penetration is advised additionally as well)
    
    Wscript.exe and Cscript.exe
        The host.
    Wshom.ocx
        The WSH Shell Object.
    Scrrun.dll
        The Scripting Runtime: contains the FileSystemObject and the
        powerful Dictionary Object.
    VBScript.dll
        Contains the Global Modules, Classes, and the Regular Expression
        Object.
    Wshext.dll
        New with WSH 5.6, handles the new authenticity and certification
        methods for scripts.
    Shdocvw.dll
        Contains numerous Shell Extensions that are accessible from WSH.
    JScript.dll
        This is the Microsoft port of JavaScript, originally built by
        Netscape. With only a few exceptions it looks and behaves like
        JavaScript.
    
    
    -----Original Message-----
    From: Blake Frantz [mailto:blakeat_private]
    Sent: Tuesday, May 21, 2002 4:45 PM
    To: incidentsat_private
    Subject: Worms and CScript/WScript
    
    Hello,
    
    A majority of the worms (even SQLsnake) that have been going around
    lately take advantage of cscript and wscript.  What ramifications would
    be felt on vanilla installs of common services (MS SQL, Exchange, IIS,
    etc.) if these two files were moved or deleted?  It seems like a fairly
    easy way to help mitigate the 'success' of Internet worms.  Any
    thoughts?
    
    Blake Frantz  A+, CNA, CCNA, MCSE
    Network Security Analyst
    mc.net
    720 Industrial Drive #121
    Cary, IL 60013
    phn: (847)-594-5111 x5734
    fax: (847)-639-0097
    mailto:blakeat_private
    http://www.mc.net
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
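The NTFS-permission approach the reply floats, worked through as an added example (this is editor-supplied code, not something either poster provided). It strips the inherited Users/Everyone execute grant from wscript.exe and cscript.exe so that only Administrators and SYSTEM can launch them, then audits the resulting ACL. It assumes an elevated PowerShell session, the default %SystemRoot% layout (the SysWOW64 copies exist only on 64-bit Windows), and the takeown.exe and icacls.exe tools that ship with Vista/Server 2008 and later; on the Windows 2000/XP systems of the thread's era the equivalent tool was cacls.exe. The allowed-principal list and function names are the example's own choices.

```powershell
# Added example: restrict the WSH hosts so only Administrators and SYSTEM
# can execute them, then verify. Run elevated. Paths assume the default
# %SystemRoot% layout; missing files (e.g. SysWOW64 on 32-bit) are skipped.

$WshHosts = @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\SysWOW64\cscript.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

# Principals allowed to keep execute rights (assumption: local admins and
# the SYSTEM account; adjust for service accounts that legitimately run
# WSH scripts). Every other grant is removed.
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Restrict-WshHost {
    param([Parameter(Mandatory)][string]$Path)

    # System32 binaries are owned by TrustedInstaller on modern Windows, so
    # give ownership to the Administrators group first or icacls will fail
    # with "Access is denied".
    takeown.exe /F $Path /A | Out-Null

    # /inheritance:r drops the ACEs inherited from the parent directory
    # (the Users:RX grant is what lets a worm's payload run the host);
    # /grant:r replaces any existing explicit grant for that principal.
    icacls.exe $Path /inheritance:r `
        /grant:r 'BUILTIN\Administrators:(F)' `
        /grant:r 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
}

function Test-WshHostRestricted {
    param([Parameter(Mandatory)][string]$Path)

    # $true when no principal outside $Allowed holds an Allow ACE that
    # includes the execute bit. Note: generic rights masks (values above
    # 0x0FFFFFFF) are not decoded here; after icacls /inheritance:r the
    # remaining ACEs are explicit FileSystemRights values, so this is fine.
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $offending = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$exec)) -ne 0 -and
        $Allowed -notcontains $_.IdentityReference.Value
    })
    return ($offending.Count -eq 0)
}

foreach ($p in $WshHosts) {
    Restrict-WshHost -Path $p
    $state = if (Test-WshHostRestricted -Path $p) {
        'restricted'
    } else {
        'STILL EXECUTABLE BY OTHER PRINCIPALS'
    }
    Write-Host ("{0,-45} {1}" -f $p, $state)
    # Print the final ACL so the change is recorded in the change ticket.
    (Get-Acl -LiteralPath $p).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Two caveats in the spirit of the reply's "who knows what ill effects": anything that legitimately runs WSH under a non-admin account (logon scripts, scheduled tasks running as a service account) will break, so test on a lab box and add those accounts to the allowed list; and Windows servicing can replace these binaries and restore the default ACL, so re-run the audit function after patching. On current Windows the same per-user restriction is more robustly expressed with AppLocker or WDAC rules rather than file ACLs.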



    This archive was generated by hypermail 2b30 : Tue May 21 2002 - 15:25:12 PDT