Non-executable malware

waffles2.0
Posts: 28
Joined: Mon Aug 01, 2016 9:49 am

Non-executable malware

Post by waffles2.0 » Tue Apr 04, 2017 11:50 am

I am looking into ransomware that isn't an executable, mainly file types you can attach to emails. Am I correct in assuming that all the JavaScript and documents relating to ransomware are just downloading executables from URLs?

Or is there any ransomware that is contained completely within JavaScript and doesn't need to pull down from a website?

zerosum0x0
Posts: 11
Joined: Fri Mar 31, 2017 1:52 pm
Location: USA

Re: Non-executable malware

Post by zerosum0x0 » Tue Apr 04, 2017 1:48 pm

MS JScript does not have direct access to the Windows API (although it is possible in indirect ways). It generally requires COM (ActiveXObjects) to do anything interesting.

There is a "Scripting.FileSystemObject" (FSO) ActiveXObject. I don't know if there is a COM object for direct crypto, but there are implementations of crypto libraries written in JavaScript, including asymmetric public key cryptography.

So with a little creativity, yes it is possible. FSO is off limits in the default IE security zone, but if someone double clicks a .js email attachment it will run.

In the wild, however, most of the .js malware I've come across are just droppers to download normal binaries. I can't personally name a pure JS ransomware strain.
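An added example, not part of the posts above: a static triage sketch that lists the COM ProgIDs a .js attachment instantiates and separates downloader-like scripts from ones that only touch local files. Only Scripting.FileSystemObject is named in the thread; the other ProgIDs are well-known Windows COM objects included as assumptions, and both sample scripts are constructed.

```python
import re

# ProgIDs grouped by the capability they give a script. Only
# Scripting.FileSystemObject comes from the thread; the rest are
# well-known Windows COM objects added here as assumptions.
CAPABILITIES = {
    "network": {"msxml2.xmlhttp", "msxml2.serverxmlhttp", "microsoft.xmlhttp",
                "winhttp.winhttprequest.5.1"},
    "file": {"scripting.filesystemobject", "adodb.stream"},
    "execute": {"wscript.shell", "shell.application"},
}

# Adjacent string literals joined with "+", a common trivial obfuscation.
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")
# new ActiveXObject("..."), CreateObject("...") and WScript.CreateObject("...").
_CREATE = re.compile(
    r"""(?:new\s+ActiveXObject|(?:WScript\.)?CreateObject)\s*\(\s*["']([^"']+)["']""",
    re.I)

def com_progids(source):
    """Return the lower-cased ProgIDs the script instantiates."""
    joined = _CONCAT.sub("", source)  # "Scripting" + ".FileSystemObject" -> one literal
    return {m.group(1).lower() for m in _CREATE.finditer(joined)}

def triage(source):
    """Return (verdict, sorted ProgIDs) for one script's source text."""
    ids = com_progids(source)
    caps = {name for name, known in CAPABILITIES.items() if ids & known}
    if "network" in caps and caps & {"file", "execute"}:
        verdict = "downloader-like"      # fetches something, then writes or runs it
    elif "file" in caps:
        verdict = "local-file-access"    # touches files without any network object
    elif caps:
        verdict = "other-com"
    else:
        verdict = "no-known-com"
    return verdict, sorted(ids)

# Constructed samples: object creation only, no behaviour.
NETWORK_SAMPLE = '''
var h = new ActiveXObject("MSXML2.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
var w = WScript.CreateObject("WScript.Shell");
'''
LOCAL_ONLY = 'var fso = new ActiveXObject("Scripting" + ".FileSystem" + "Object");'

if __name__ == "__main__":
    for name, text in (("network", NETWORK_SAMPLE), ("local", LOCAL_ONLY)):
        print(name, triage(text))
```

String matching like this only survives trivial concatenation; ProgIDs built at runtime need dynamic analysis to recover.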

EP_X0FF
Global Moderator
Posts: 4803
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Non-executable malware

Post by EP_X0FF » Thu Apr 06, 2017 2:53 pm

Ring0 - the source of inspiration
