Posted by Steven Bink August 1, 2006 10:42 AM with 2 comment(s)
An Austrian group of virus writers has published new proof-of-concept malware code that targets Microsoft's forthcoming Windows Powershell technology.

The MSH/Cibyz worm does not exploit any vulnerability in the scripting tool. Instead, it is similar to batch-style viruses written in JavaScript or Visual Basic (VB): it relies on a user executing the script, which then instructs the system to install malware.

"The moral of the story is that there is no particular file type that is inherently safe. There is the possibility of using vulnerabilities in any software application," Allysa Myers, a virus research engineer with McAfee told vnunet.com.

PowerShell malware poses an increased risk over other batch-based threats because enterprises currently do not block PowerShell scripts on their networks. Malware authors could also be attracted to the tool because it offers a new challenge.

Source: www.pcw.co.uk

Comments


Sébastien Mouren said:

This is a false analysis from Tom Sanders.

From what the McAfee virus report says, I deduced that the virus cannot be executed as is by Powershell RC1 (the current iteration of the product) on a consumer or corporate computer and necessitates privileged rights to duplicate itself.

Powershell requires commandlets (external executed scripts) to be signed by an authorized certificate, otherwise they won't execute. This is what I call secure by default.

On a related note Powershell is still in beta nowadays and is not actually delivered with any sold MS product.

August 1, 2006 4:06 PM

Leonard Chung said:

I've created an analysis of this "worm" on the PowerShell team blog. As Sébastien notes, this is a poor worm at best.

It is important to note that the "PowerShell Worm" will not work and cannot infect Windows PowerShell in its default configuration.

This is a proof-of-concept virus whose “Worm” replication mode is just a simple file copy and could have been implemented in any language which supports copying files. The fact that the worm is written in PowerShell rather than another scripting language or even as an executable has actually made it even harder for this virus to spread since the additional security features around PowerShell scripts result in many additional steps for the user to perform before an infection can take place.

The full writeup with the steps required for infection is here: http://blogs.msdn.com/powershell/archive/2006/08/03/687838.aspx

August 4, 2006 11:22 PM
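Both commenters rest their case on the execution policy: a plain file copy of a script achieves nothing unless the host is willing to run unsigned scripts. The audit script below is an added example, not code from the post or from the PowerShell team, and assumes Windows PowerShell 3.0 or later (for Get-ExecutionPolicy -List, Get-AuthenticodeSignature and the -Stream parameter); the scan directories and the mark-of-the-web check are constructed approximations a defender can adjust.

```powershell
# Added example: report which scripts on this host would actually run under the
# effective execution policy, the control both commenters point to.
function Get-ScriptSignatureReport {
    param(
        # Constructed defaults: user-writable folders a file-copy "worm" could land in.
        [string[]]$Path = @("$env:USERPROFILE\Documents", "$env:TEMP")
    )

    # Show every scope; the effective policy is the highest-precedence non-Undefined one.
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Output
    $effective = Get-ExecutionPolicy
    Write-Output "Effective execution policy: $effective"
    if ($effective -in 'Unrestricted', 'Bypass') {
        Write-Warning "Policy '$effective' runs unsigned scripts; the default protection is off."
    }

    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Approximation: treat any Zone.Identifier stream as "downloaded" (mark-of-the-web).
            $remote = [bool](Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier `
                                      -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Script   = $_.FullName
                Status   = $sig.Status          # NotSigned, Valid, HashMismatch, NotTrusted, ...
                Signer   = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                Remote   = $remote
                WouldRun = $(switch ($effective) {
                    'Restricted'   { $false }                                   # no scripts at all
                    'AllSigned'    { $sig.Status -eq 'Valid' }                  # signed and trusted only
                    'RemoteSigned' { ($sig.Status -eq 'Valid') -or -not $remote } # local unsigned is allowed
                    default        { $true }                                    # Unrestricted / Bypass
                })
            }
        }
}

# Unsigned scripts that would still run are the ones worth a closer look.
Get-ScriptSignatureReport | Sort-Object WouldRun -Descending | Format-Table -AutoSize
```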

Bink.nu 3.0. Copyright © 1999-2012 Steven Bink. All Rights Reserved.