New ransomware abuses Windows PowerShell, Word document macros

Discussion in 'malware problems & news' started by ronjor, Mar 25, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    http://news.softpedia.com/news/powe...d-and-powershell-to-infect-users-502200.shtml
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    I agree. I disabled WSH and blocked PowerShell using SRP and got Powershell blocked from running only once. I don't know what triggered it, but since everything works OK it seems that it wasn't anything important.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Unfortunately ExecutionPolicy can be easily bypassed; it is safer to remove it, unless you need it of course.

    https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy

    I take ownership and then delete those folders:
    C:\Program Files (x86)\WindowsPowerShell
    C:\Program Files\WindowsPowerShell
    C:\Windows\System32\WindowsPowerShell
    C:\Windows\SysWOW64\WindowsPowerShell
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    Instead of deleting them I added them to Vulnerable Processes in NVT ERP.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Exactly what I've done
     
  8. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    Yeah, you never know when they would be needed for anything...

    Now that I remember something, I added powershell to SBIE as well LOL
    To catch anything nasty there too!

    ForceProcess=powershell_ise.exe
    ForceProcess=powers~1.exe
    ForceProcess=powershell.exe

    Into the DefaultBox.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    Yes, but this will bypass powershell's execution policy and not SRP's execution restrictions. If powershell can't run, its execution policies can't be bypassed.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Good thinking, I forgot to do this.
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    In some computers, I remove Powershell. It can be uninstalled with the add/remove Windows Components section of the control panel. In most, I just set the ACLs on these folders so only administrators can access them which is a bit stronger than SRP and can be used along with it.
     
  12. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    As others did with NVT, I did with AppGuard: just added it to the guarded apps.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    That only uninstalls the GUI, not PowerShell; PS scripts still work afterwards. It is kind of shameful that MS lies like that, but what is new.
     
  14. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    326
    Location:
    Canada
    I guess powershell is not installed in Win7 Home Premium by default? I don't see any trace of it.
    EDIT: I shouldn't post after midnight :) powershell is there - not sure why I didn't see it.


    Do any of you use VB scripting in Excel? With WSH disabled, do you get a consistent error message trying to run scripts in Excel? I haven't needed to for a while, but I could see myself forgetting to enable WSH if I need to run scripts. If not, it might be better to block Wscript.exe and Cscript.exe with an anti-executable that notifies of blocks with a pop-up.
     
    Last edited: May 11, 2016
  15. hjlbx

    hjlbx Guest

    +1 very well said
     
  16. hjlbx

    hjlbx Guest

    The only time I have ever seen Powershell needed was by the Microsoft GWX Windows 10 Upgrade utility.

    I just add both System32 and SysWOW64 WindowsPowershell directories to User Space in AppGuard.

    If I ever need it for some Windows Update or other functionality it is on my system -- all I have to do is unblock it. Besides AG blocks powershell scripts.

    NOTE: Even if you completely uninstall powershell, C-based programs that use NET Framework can still run powershell scripts. So to more comprehensively protect against powershell scripts it is important to monitor NET Framework objects as well.
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Indeed, uninstalling only removes the GUI; all the files have to be removed manually or at least locked down as you stated. ;)
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    748
    Location:
    UK
    So on my desktop, if I add a HIPS rule in nod32 to require approval every time powershell is executed (for all four binaries), is this considered ok? As I don't have any of the software you guys use.

    I use powershell post install to set some Windows options, but after that I think its only use is to adjust TCP settings; however, they are all locked down on consumer Windows, meaning that only applies to Enterprise.

    To get persistent command history in Windows 8.1 I have to use a module in powershell which requires dropping shell security down to RemoteSigned or lower. It will be annoying to lose that, but I will drop it if I have to for the sake of locking down powershell.

    My laptop doesn't have nod32, so that's even harder to deal with; I guess I can put NVT ERP on that.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I mentioned this previously but will note again.

    There is malware that can download and install Powershell if it detects it is not installed.

    Powershell assemblies can be statically linked into a C# program. As such, the malware has all it needs to execute Powershell scripts and commands using .Net even if all traces of Powershell are wiped from the targeted PC. To statically link Powershell assemblies, all that is required is that the Powershell SDK be downloaded and the assemblies extracted from there.
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    748
    Location:
    UK
    I disabled Windows Script Host in the registry in addition to HIPS rules, and also locked down wscript.exe.

    Of course it's a valid point that a method available to malware authors is to download new binaries; that applies to many mitigations.

    Although unless these new binaries are modified, they would still honour things like disabled WSH.
     
  21. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    326
    Location:
    Canada
    Are you saying it's better to block rather than remove powershell then? Or is a block bypassed in this case as well...
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    What I am saying is there is no way to directly stop embedded Powershell code. Your best bet is stopping the process that contains such code. Also, a good behavior blocker should detect if the embedded code is doing something out of the normal, since it would be monitoring the process that contains the code. Ditto for customized HIPS rules that protect system and application processes, files, and registry areas.

    Monitoring of explicit localized instances of Powershell execution is effective but far from bulletproof.
     
    Last edited: May 11, 2016
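    One way to act on itman's point (posts 19 and 22) that embedded PowerShell has to be caught at the hosting process: an added PowerShell audit script, not from the thread, that lists processes other than the usual PowerShell consoles which have the PowerShell engine assembly loaded. It assumes an elevated prompt; the engine file names and console names are standard Windows ones, the function name is my own.

```powershell
# Added example (not from the thread): find processes that host the PowerShell
# engine without being powershell.exe / powershell_ise.exe / pwsh.exe.
# Run elevated so that module lists of other users' processes can be read.

function Find-EmbeddedPowerShellHost {
    # The engine ships as System.Management.Automation.dll; on systems where it
    # has been NGEN-compiled the loaded image is the .ni.dll variant instead.
    $engineNames = @('System.Management.Automation.dll',
                     'System.Management.Automation.ni.dll')
    $knownHosts  = @('powershell', 'powershell_ise', 'pwsh')

    foreach ($p in Get-Process) {
        if ($knownHosts -contains $p.ProcessName) { continue }
        try {
            $mods = $p.Modules
        } catch {
            # Protected processes (and 64-bit ones seen from a 32-bit shell)
            # refuse inspection; report them rather than silently skipping.
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName;
                               Engine = 'inspection denied' }
            continue
        }
        $hit = $mods | Where-Object { $engineNames -contains $_.ModuleName } |
               Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName;
                               Engine = $hit.FileName }
        }
    }
}

Find-EmbeddedPowerShellHost | Format-Table -AutoSize
```

    A process that shows up here with an unexpected name is exactly the kind of host itman means; on Windows with the PowerShell 5 engine, script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) also records what such a host runs, because that logging lives in the engine rather than in powershell.exe.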
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    748
    Location:
    UK
    These 2 registry keys disable WSH:

    reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    748
    Location:
    UK
    I have also adjusted the perms on those 2 keys so it's hard to make changes to them.
     
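    The two reg commands in post 23 together with the key-permission tightening chrcol describes in post 25, as one added PowerShell script that is not from the thread. It assumes an elevated prompt; the trustee names are the standard built-in accounts.

```powershell
# Added example (not from the thread): disable Windows Script Host for the
# machine and the current user, then lock the HKLM key so that only SYSTEM and
# Administrators can change it again. Run from an elevated PowerShell prompt.

$paths = @(
    'HKLM:\Software\Microsoft\Windows Script Host\Settings',
    'HKCU:\Software\Microsoft\Windows Script Host\Settings'
)
foreach ($path in $paths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Enabled = 0 makes wscript.exe and cscript.exe refuse to run scripts
    Set-ItemProperty -Path $path -Name 'Enabled' -Value 0 -Type DWord
}

# Tighten the machine-wide key: stop inheriting ACEs from the parent key
# (discarding the inherited ones), then grant explicit rights only.
$acl = Get-Acl -Path $paths[0]
$acl.SetAccessRuleProtection($true, $false)
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $who, $full, $inherit, $prop, 'Allow')))
}
# Ordinary users keep read access so WSH can still see that it is disabled
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users', $read, $inherit, $prop, 'Allow')))
Set-Acl -Path $paths[0] -AclObject $acl

# Read back: both values should be 0 and the HKLM key should no longer inherit
foreach ($path in $paths) {
    '{0}  Enabled={1}' -f $path, (Get-ItemProperty -Path $path -Name Enabled).Enabled
}
'HKLM key protected from inheritance: ' + (Get-Acl -Path $paths[0]).AreAccessRulesProtected
```

    The HKCU copy is left with its default permissions, since the user it belongs to can always rewrite it; as chrcol notes in post 20, this only stops unmodified wscript.exe/cscript.exe, not a binary that ignores the setting.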