Blocking malicious JavaScript Web Attacks

L0 Member

I am seeing too many JavaScript web attacks, which are caught by Symantec Endpoint Protection on my end users' workstations. Some of them are listed below.

Web Attack: Malicious Injected JavaScript 14
Web Attack: Fake Jquery Injection 2
Web Attack: Mass Injection Website 19
Web Attack: W32.Ramnit Attack 4

What worries me is why our firewall doesn't prevent such attacks at the perimeter itself instead of allowing such malicious traffic into the network. Are there some configuration settings I need to do, or some special policies to set up? I have a PA-3020 on firmware version 7.1.7. Any help would be greatly appreciated.

L4 Transporter

Re: Blocking malicious Java Script Web Attacks

@arnold.dsilva

Just wanted to highlight a couple of new useful IPS signatures and a new File Type that were released last year to help customers with files that are used for malware/ransomware. Some of these are potentially malicious payloads as well.

1) Detection of .js files sent over email. Malware and ransomware are often sent by these methods. Both of these are set to informational, so the customer should look at selectively enabling/blocking. 39002 looks for a plain .js file sent over email. 39003 looks for a .js inside of a .zip. This is currently PAN-OS 7.0 min version due to decoder changes only available in 7.0+, but we will look at bringing that to more PAN-OS versions. We are looking at .wsf files next.

2) There is also another signature, "HTML MIME Entities Masquerading As Word Documents", that is also good at detecting malware/ransomware campaigns that include MS Office documents stored as MIME files to bypass detection. MIME docs can have embedded malicious payloads, or they can call out for a payload. This signature simply looks at the file extension and the existence of HTML MIME objects. This kind of file may not be malicious, so the severity is set to informational.

3) New filetype for VBScript for file blocking that you should look to block.

I have customers who have already enabled the .js signatures in blocking mode.

Examples for .js files:

https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/

https://isc.sans.edu/forums/diary/TeslaCrypt+ransomware+sent+using+malicious+spam/20507/

Content 557

Severity       ID     Attack Name                                        CVE ID  Vendor ID  Default Action  Minimum PAN-OS Version
-------------  -----  -------------------------------------------------  ------  ---------  --------------  ----------------------
informational  39002  Javascript Sent in Email                                                alert           5.0.0
informational  39003  Javascript Sent in Email                                                alert           7.0.0
informational  38508  HTML MIME Entities Masquerading As Word Documents                       alert           5.0.0

New File Type (1)

Severity  ID     File Type              Minimum PAN-OS Version
--------  -----  ---------------------  ----------------------
low       52114  VBScript Encoded File  5.0.0

I hope this helps.
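The three checks the reply describes, written out as an added example that is not part of this thread and not Palo Alto's own signature logic: a standard-library Python mail inspector that flags a plain .js attachment (the 39002 case), a .js inside a .zip attachment (the 39003 case), and an attachment named like a Word document that actually begins with MIME headers (the 38508 case). The extension lists and the sample message are assumptions constructed here, not captured traffic.

```python
import email, io, zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Assumed extension lists (not from the thread): what this check treats as script / Office names.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
OFFICE_EXTS = (".doc", ".dot", ".docx")

def script_names_in_zip(data: bytes) -> list[str]:
    """Archive members with a script extension (the 39003 case: a .js inside a .zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def looks_like_mime_html(data: bytes) -> bool:
    """True when a file named like a Word document actually begins with MIME headers
    (the 38508 case); a real .doc starts with OLE2 magic and a .docx with 'PK'."""
    head = data[:512].lower()
    return head.startswith(b"mime-version:") or b"content-type: multipart/related" in head

def inspect_message(raw: bytes) -> list[str]:
    """One finding string per suspicious attachment in a raw RFC 822 message."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue                      # container parts and inline text carry no filename
        payload = part.get_payload(decode=True) or b""
        if name.endswith(SCRIPT_EXTS):    # 39002: plain script attachment
            findings.append(f"script attachment: {name}")
        elif name.endswith(".zip"):       # 39003: script inside an archive
            findings.extend(f"script inside archive {name}: {m}" for m in script_names_in_zip(payload))
        elif name.endswith(OFFICE_EXTS) and looks_like_mime_html(payload):   # 38508
            findings.append(f"HTML MIME entity masquerading as Word document: {name}")
    return findings

def build_sample() -> bytes:
    """Constructed message carrying the three attachment shapes above (harmless placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, not a real script")
    fake_doc = b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=x\r\n\r\n<html></html>"
    msg = MIMEMultipart()
    for name, data in [("invoice.js", b"// placeholder"), ("invoice.zip", buf.getvalue()), ("report.doc", fake_doc)]:
        part = MIMEApplication(data)
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_bytes()
```

Running `inspect_message(build_sample())` returns one finding per attachment; on a real mailbox feed, the same function can be pointed at messages that the firewall has already let through, to compare against what the IPS alerts on.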
