Non-executable malware


Post by waffles2.0 » Tue Apr 04, 2017 11:50 am

I am looking into ransomware that isn't an executable, mainly file types you can attach to emails. Am I correct in assuming that all the JavaScript and documents relating to ransomware are just downloading executables from URLs?

Or is there any ransomware that is contained completely within JavaScript and doesn't need to pull down from a website?

Re: Non-executable malware

Post by zerosum0x0 » Tue Apr 04, 2017 1:48 pm

MS JScript does not have direct access to the Windows API (although it is possible in indirect ways). It generally requires COM (ActiveXObjects) to do anything interesting.

There is a "Scripting.FileSystemObject" (FSO) ActiveXObject. I don't know if there is a COM object for direct crypto, but there are implementations of crypto libraries written in JavaScript, including asymmetric public key cryptography.

So with a little creativity, yes, it is possible. FSO is off limits in the default IE security zone, but if someone double-clicks a .js email attachment, it will run.

In the wild, however, most of the .js malware I've come across are just droppers to download normal binaries. I can't personally name a pure JS ransomware strain.
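As an added example (not part of zerosum0x0's post and not code from any tool named in the thread): a static triage check in Python that lists the COM objects a .js attachment instantiates and separates the downloader pattern from scripts that only touch local files. Only "Scripting.FileSystemObject" comes from the thread; the other ProgIDs, the verdict labels and the sample snippets are assumptions constructed for this example.

```python
import re

# ProgID -> capability. Only Scripting.FileSystemObject is named in the thread;
# the remaining ProgIDs are this example's assumption about what to flag.
CAPABILITIES = {
    "scripting.filesystemobject": "file",
    "adodb.stream": "file",
    "msxml2.xmlhttp": "network",
    "msxml2.serverxmlhttp": "network",
    "winhttp.winhttprequest.5.1": "network",
    "wscript.shell": "execute",
    "shell.application": "execute",
}

# Joins adjacent string literals, e.g. "Scripting.FileSys" + "temObject".
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")
# new ActiveXObject("X"), CreateObject("X") and WScript.CreateObject("X").
_ACTIVEX = re.compile(
    r"""(?:new\s+ActiveXObject|(?:WScript\.)?CreateObject)\s*\(\s*["']([^"']+)["']""",
    re.IGNORECASE)

def triage(script_text):
    """Return (verdict, sorted ProgIDs) for the text of a .js attachment."""
    normalized = _CONCAT.sub("", script_text)
    progids = sorted({m.lower() for m in _ACTIVEX.findall(normalized)})
    caps = {CAPABILITIES.get(p, "unknown") for p in progids}
    if not progids:
        verdict = "no-com"             # no COM instantiation found statically
    elif "network" in caps:
        verdict = "likely-dropper"     # able to fetch a payload from a URL
    elif "file" in caps:
        verdict = "local-file-access"  # file objects without a network object
    else:
        verdict = "review"             # COM use this table does not classify
    return verdict, progids

# Constructed sample inputs: instantiation lines only, no working logic.
SAMPLE_DROPPER = '''
var h = new ActiveXObject("MSXML2.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
var w = WScript.CreateObject("WScript.Shell");
'''
SAMPLE_LOCAL = 'var f = new ActiveXObject("Scripting.FileSys" + "temObject");'
SAMPLE_PLAIN = "var total = 1 + 2;"

if __name__ == "__main__":
    for name, text in [("dropper", SAMPLE_DROPPER), ("local", SAMPLE_LOCAL),
                       ("plain", SAMPLE_PLAIN)]:
        print(name, triage(text))
```

This is a text match only: a script that assembles the ProgID at run time returns "no-com" here, so that verdict means "nothing found statically", not "safe".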

Re: Non-executable malware

Post by EP_X0FF » Thu Apr 06, 2017 2:53 pm

Ring0 - the source of inspiration