Black Hats Leveraging PowerShell

It appears as if Microsoft might have another ActiveX on its hands.

Those with long memories might remember that in 1996, Microsoft added support in the Internet Explorer browser for ActiveX controls. While this greatly expanded the functionality of the Internet, it also made the web a much less safe place, especially for the average user. The trouble was, ActiveX made it simple to download and install software with little or no input from users. Even those not old enough to remember have probably already figured out that this didn't work out well.

According to the security firm Symantec, Redmond has a similar problem on its hands with PowerShell, its best of breed tool for helping administrators manage Windows boxes. The security company has sounded the alarm with a white paper detailing the problem.

Symantec has skin in this game, of course. It wants you to buy its expertise and solutions. But the findings it laid out are sobering -- even if you discount the intended scare factor around the massive number of emails loaded with PowerShell malware it's blocked (466,028 per day) and the somewhat misleading headline that "95.4 percent of analyzed scripts were malicious."

As Symantec threat researcher Candid Wueest pointed out in a blog post on Thursday, PowerShell offers a broad target. "PowerShell is installed by default on most Windows computers, and most organizations do not have extended logging enabled for the framework," he wrote. "These two factors make PowerShell a favored attack tool. Furthermore, scripts can easily be obfuscated and allow for payloads to be executed directly from memory."

The good news is that malware utilizing PowerShell still has to get in the system the old fashioned way, mainly through phishing expeditions involving email. The bad news is that workers -- even IT guys and gals who know better -- continue to sometimes click on email links, even when they shouldn't.

It's no surprise that the bad guys are pulling all sorts of goodies from their bag of tricks when leveraging PowerShell. They use malware that attempts to uninstall security products, look for sandboxed environments, lurk around looking for passwords and the like. "Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload," Wueest explained. "Attackers use this convoluted infection method in an attempt to bypass security protections."

In addition to buying a boatload of its security products, Symantec recommends running the latest version of PowerShell, along with enabling extended logging and monitoring. Security personnel might also want to take a gander at Symantec's 36 page white paper to help determine precautions to put in effect.

After that, we wait to see what Microsoft does.