Windows Scripting Host and Fake Antivirus
As a follow-up to my previous post about the Windows Scripting Host (WSH), I should mention that I have seen a bunch of fake antivirus website pop-ups attempt to load a file called setup.exe.vbe by downloading the file via the browser and then attempting to get wscript.exe to execute the malicious script. I have noticed that not all of these attempts have been caught by antivirus, and virtually none of them by vendor-supplied network-based IPS signatures.
If you monitor change activity on your hosts, look for attempts by wscript.exe to execute a file called setup.exe.vbe and ensure that they were not successful.
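As an added illustration of that host-monitoring check (example code written for this post, not from the original), here is a small Python filter that runs over process-creation records and flags wscript.exe launching setup.exe.vbe. It assumes records with image, command-line and parent-image fields (an assumed shape, not any product's schema), and goes a little beyond the post by also treating cscript.exe and any other installer-looking .exe.<script> double-extension name as suspect.

```python
import re
from collections import namedtuple

WSH_IMAGES = {"wscript.exe", "cscript.exe"}  # post names wscript.exe; cscript.exe added as an assumption
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf")  # file types WSH executes
DOUBLE_EXT = re.compile(r"\.exe\.(vbe|vbs|js|jse|wsf)$", re.I)  # installer-looking names such as setup.exe.vbe

# Minimal process-creation record; the field names are assumed, not any product's schema.
ProcEvent = namedtuple("ProcEvent", "image command_line parent_image")

def basename(path):
    """Lower-cased file name from a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def script_argument(cmdline):
    """First argument naming a WSH script; quoted paths kept whole, //B-style host options skipped."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    for tok in tokens[1:]:
        if not tok.startswith("/") and tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None

def classify(ev):
    """None for ordinary WSH use, otherwise a short reason the event is suspect."""
    if basename(ev.image) not in WSH_IMAGES:
        return None  # e.g. notepad opening setup.exe.vbe is not an execution attempt
    script = script_argument(ev.command_line)
    if script is None:
        return None
    name = basename(script)
    if name == "setup.exe.vbe":
        return "setup.exe.vbe run by WSH"
    if DOUBLE_EXT.search(name):
        return "double-extension script run by WSH"
    return None

def scan(events):
    """(index, reason) for every suspect event, in log order."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

# Constructed sample records, not real telemetry.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\setup.exe.vbe"',
              r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"cscript.exe //B C:\Temp\Invoice.EXE.vbs", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"cscript C:\Windows\System32\slmgr.vbs /dlv", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\notepad.exe", r"notepad C:\Users\bob\Downloads\setup.exe.vbe", r"C:\Windows\explorer.exe"),
]
```

A hit from scan() tells you an execution was attempted; whether it succeeded still has to be confirmed from the host, as the post says.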