04-20-2016 , 11:08 PM
A problem exists today affecting countless unsuspecting users, and that's the problem of ZIP files booby-trapped with malicious JavaScript code that, once opened, silently downloads and runs malware on their PCs.
For some years now, a ZIP, RAR, or other archive has been able to carry a JavaScript (.js) file like any other file. The script does not run when the archive is extracted; it runs when somebody opens it, and because Windows Explorer browses ZIP contents like an ordinary folder, that is a single double-click away, with no chance to see the code first.
On Windows, the script runs through the Windows Script Host (WSH), a built-in automation engine comparable to batch files but able to run JScript (Microsoft's implementation of JavaScript) and VBScript. Its executables, wscript.exe and cscript.exe, are the default handlers for .js, .jse, .vbs, .vbe, and .wsf files, so the registry change described below affects all of those, not just .js.
With such powerful features, you sometimes wonder why it took malware authors so long to figure out they could abuse this ability. But they have now, and the picture is not rosy.
ZIP files booby-trapped with JavaScript abused to spread malware
We've seen ransomware, banking trojans, and all sorts of nasty malware distributed via this method. Attackers craft a malicious ZIP file, attach it to an email, and spam hundreds of thousands of users in short-burst campaigns.
When users receive the email, they download the attachment and unzip it, assuming that if there is malware, it is packed inside the ZIP as an EXE. A file ending in .js looks harmless by comparison, but opening it hands the script to WSH, which fetches and launches the real payload in the background; by the time anything looks wrong, the malware has already taken root.
But there's a way to reduce the risk, according to F-Secure, a Finnish cyber-security vendor, whose how-to we reproduce below.
To stop a malicious JavaScript file shipped inside a ZIP from running, edit the Windows Registry and disable the Windows Script Host itself. Be aware that this also blocks legitimate .js and .vbs scripts (logon scripts, some administration tools), and that it does nothing against other attachment types such as Office macros or PowerShell scripts.
Disabling JavaScript execution via Windows Script Host
Step 1: Open Windows Search, type "regedit", and run the Registry Editor. Writing under HKEY_LOCAL_MACHINE requires administrator rights, so accept the UAC prompt.
Step 2: In the tree on the left, expand the keys in the following order (path): "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"
Step 3: Once you've reached the last folder called "Settings," go to the panel on the right and right-click anywhere on the background.
Step 4: From the popup menu, select "New" and then "DWORD (32-bit) Value".
Step 5: This creates a new entry, which you'll have to name "Enabled". If an "Enabled" value already exists, skip the creation and just double-click the existing one. Double-click it to open the edit dialog.
Step 6: In this dialog, make sure "0" (zero) is entered in the "Value data" field and that the Base setting is Hexadecimal, then click OK.
Testing that everything works
That's it. Close the Registry Editor and test the change. To verify that the Windows Script Host no longer runs JavaScript files, you need a .js file that is known to be harmless.
The easiest way is to download the file linked here, which is the jQuery JavaScript library. Press CTRL+S to save it from your browser to your computer, and then double-click the file. Do not use a suspicious attachment for this test: if the registry change did not take, a real malicious script would simply run.
If you've set up the Registry correctly, the script does not run and a popup appears instead with the message "Windows Script Host access is disabled on this machine. Contact your administrator for details."
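The same change and the same test, scripted. This is an added example, not part of the article or of F-Secure's how-to; the test script name (wsh-test.js) and its location in the TEMP folder are my own choices. It writes the registry value that Steps 1 to 6 create by hand, reads it back, and then tries to run a harmless .js file created locally, so nothing has to be downloaded. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the article or F-Secure: disable Windows Script Host
# for all users by writing the registry value from Steps 1-6, then self-check
# with a harmless test script instead of a downloaded file.
# Run from an elevated PowerShell prompt (HKLM needs administrator rights).

$settings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

# Create the Settings key if it is missing, then write Enabled = 0 (REG_DWORD).
if (-not (Test-Path $settings)) {
    New-Item -Path $settings -Force | Out-Null
}
New-ItemProperty -Path $settings -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

# Read the value back; anything other than 0 means the write did not take.
$enabled = (Get-ItemProperty -Path $settings -Name 'Enabled').Enabled
if ($enabled -ne 0) {
    throw "Windows Script Host is still enabled (Enabled = $enabled)."
}

# Build a harmless .js file (assumed name/location) so the test needs no download.
# If WSH were still active, this line would show a message box; with the setting
# in place, wscript.exe shows the "access is disabled" dialog instead.
$testScript = Join-Path $env:TEMP 'wsh-test.js'
Set-Content -Path $testScript -Value 'WScript.Echo("WSH is still enabled - the registry change did not take.");'
Start-Process -FilePath 'wscript.exe' -ArgumentList "`"$testScript`"" -Wait

# To undo the change later, set the value back to 1 or delete it:
#   Set-ItemProperty -Path $settings -Name 'Enabled' -Value 1
#   Remove-ItemProperty -Path $settings -Name 'Enabled'
```

The same "Enabled" value under HKCU:\Software\Microsoft\Windows Script Host\Settings restricts only the current user, which is useful on a shared machine where an administrator still needs WSH. Running the test file with cscript.exe instead of wscript.exe prints the same "access is disabled" message to the console rather than a dialog.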
source