
Malicious Scripts
Some time ago, this page contained a list of scripts
which we had determined through examination to contain malicious
code. That list could never be exhaustive: new scripts (often nothing
more than trivially edited copies of older versions) appeared every
day and, despite many warnings not to, some users took the fact
that a particular script was not listed as an assurance it was safe.
As a result, we have removed the malicious scripts list and replaced
it with a set of guidelines which should help users determine for
themselves whether or not a script is malicious.
Identifying Malicious Code
While it's neither possible nor desirable to list
all the ways to write malicious code here, the following pointers
should help you steer clear of most malicious scripts in circulation
today.
- Scripts should never ask for nickname or channel
passwords.
- Scripts distributed as executable files (.exe)
are often malicious and may contain trojan horse code. There is
NO need for a script to be distributed in this way.
- Be especially cautious of any script with a
'remotes' section; these can often contain backdoors allowing
access to your files.
- Watch for any attempt to alias standard services
commands, as this is a common way to steal nick or channel passwords.
NO alias for services should still use MSG commands; the secure
alternatives (/nickserv, /chanserv etc.) should be used instead.
- Scripts which contain long strings of 'junk'
(like $chr(123) $+ $chr(32) $+ $chr(45) for example) or make use
of things like $decode are trying to hide something from you.
These must be treated with extreme suspicion.
- Scripts which make use of sockets (/sockopen,
/sockclose etc.) can pose a security risk; you should fully understand
what the socket code does before running the script.
- Look for any channels or nicknames which have
been hard-coded into the script; good scripts should not have
any!
- NEVER, EVER download any script that's being
advertised on IRC; these are almost always malicious.
- DO NOT trust a script just because it's available
from a popular site. Most sites go to great lengths to keep malicious
scripts off of their servers but some occasionally do get through.
Always check for yourself!
Above all, there is no substitute for learning
how to write your own script; it's not that difficult and you'll
always know exactly what it's supposed to do!
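The guidelines above can be applied as a first-pass, line-by-line triage of a script file before reading it in full. The scanner below is an added example, not part of the original page: the rule names, the regular expressions (which only approximate mIRC syntax) and the harmless sample script are all constructed for illustration. A hit marks a line to read carefully; a script with no hits still has to be read.

```python
import re

# Heuristics taken from the guidelines above. The regexes are this example's
# own approximation of mIRC syntax (an assumption), not an official grammar.
RULES = [
    ("password-prompt", re.compile(r"(\$\?|\$input\b).*pass", re.I)),
    ("services-alias", re.compile(r"^\s*alias\s+(-l\s+)?/?(nickserv|chanserv)\b", re.I)),
    ("services-via-msg", re.compile(r"\bmsg\s+(nickserv|chanserv)\b", re.I)),
    ("obfuscation", re.compile(r"\$decode\(|(\$chr\(\d+\)\s*\$\+\s*){2,}", re.I)),
    ("sockets", re.compile(r"\bsock(open|close|write|read|listen)\b", re.I)),
    ("remote-event", re.compile(r"^\s*(on|ctcp)\s+[^:\s]+:", re.I)),
    ("hardcoded-channel", re.compile(r"(?<![\w$&])#[A-Za-z][\w-]*")),
]

def scan(text):
    """Return (line_number, rule_name, stripped_line) for every heuristic hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):  # mIRC comment line, skip it
            continue
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name, line.strip()))
    return hits

# Constructed, harmless sample: each flagged line only echoes or returns text.
SAMPLE = """\
; demo script (constructed sample)
alias nickserv { echo -a placeholder }
alias greet { msg $chan hello }
alias label { return $chr(123) $+ $chr(32) $+ $chr(45) }
alias show { echo -a $decode(aGVsbG8=, m) }
alias probe { sockopen demo example.invalid 6667 }
on *:JOIN:#examplechan: { echo -a joined }
alias ident { msg nickserv identify $1 }
"""

if __name__ == "__main__":
    for n, rule, line in scan(SAMPLE):
        print(f"line {n}: {rule}: {line}")
```

Lines beginning with # (mIRC group markers) will also trip the hard-coded channel rule, so expect some false positives there.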