Windows PowerShell and the “PowerShell Worm”

Clarification on the Windows Powershell Worm

Rod Trent at myITforum.com — Fri, 04 Aug 2006 00:12:03 GMT

A&nbsp;&ldquo;PowerShell Worm&rdquo; has recently been reported by several antivirus companies and some...

re: Windows PowerShell and the “PowerShell Worm”

Vinicius Canto — Fri, 04 Aug 2006 05:13:30 GMT

Great post Leonard... I wrote a post in my blog about the same topic, but in Portuguese. I believe that's the only content avaliable in my language...

Congratulations!

--
Vinicius Canto <scripterbratgmaildotcom>
MVP Visual Developer - Scripting
Blog: http://viniciuscanto.blogspot.com

Interesting Finds: August 2

Jason Haley — Fri, 04 Aug 2006 06:26:18 GMT

re: Windows PowerShell and the “PowerShell Worm”

rei — Sat, 05 Aug 2006 09:56:13 GMT

Cool... can't wait to see how many arms and legs the press is going to break to try to find a way to insinuate that Microsoft's in trouble again :)

re: Windows PowerShell and the “PowerShell Worm”

swrdfghtr — Sat, 05 Aug 2006 20:54:22 GMT

And bravo for the PSH team - good job of thinking through, in advance, how these "viruses" would work and making sure PSH, by default, wouldn't make it easy for them. This is one case where MS may have done a bad thing (with VBScript, in this regard), but has CERTAINLY learned from those mistakes and done a much better job.

re: Windows PowerShell and the “PowerShell Worm”

Nikita — Mon, 07 Aug 2006 18:16:25 GMT

Great Response.

My blood boils when ppl accuse MSFT and my AD based systems as cause of viruses and "holes" - when they download blond16yo.avi.exe and run it!!!

Windows PowerShell and the PowerShell Worm

Microsoft Most Valuable Professional — Mon, 07 Aug 2006 22:53:28 GMT

On&nbsp;July 29,&nbsp;2006, a new worm&nbsp;MSH/Cibyz.A&nbsp;surfaced which uses Microsoft's new&nbsp;XP...

re: Windows PowerShell and the “PowerShell Worm”

Karl Levinson, MS MVP — Tue, 08 Aug 2006 00:06:41 GMT

I am SO glad that the default action for .PS1 script files is Edit rather than Execute. I hope that Microsoft will finally repeat this countermeasure for other dangerous script extensions as well.

re: Windows PowerShell and the “PowerShell Worm”

ajdotnet — Tue, 08 Aug 2006 11:48:47 GMT

Unfortunatelly I cannot totally agree with most of your assumptions:

#1: "The user must download the worm to their local machine": This is just the way this "worm" is being distributed. But it could be sent by email, linked from the web or whatever. Stating "The user must download ..." strikes me as a little short-sighted.
#2: "file extension": OK, they used an outdated version of PowerShell. Who expects them to stay outdated?
#3: ".ps1 file extension cannot be executed directly from Explorer": I can agree with that, Yet if I worked extensively with .ps1 files I would tell the explorer to treat them like .cmd files, i.e. run them on double-click. I somehow don't think I would be the only one.
#4: "user must set their execution policy": Yes, they must and they will. The most feasible setting would probably be RemoteSigned, yet according to your post this depends on the support of "popular applications" - in other words not all popular applications and certainly not the unpopular ones implement to that feature.
#5: "user must explicitly execute the script using its relative or absolute path". This may prevent the user from accidentially executing it but does not help intended (even if imprudent) excution or double-clicks in explorer (see #3)

All these things help and make it harder for malicous code. I also agree that on the average users machine it will actually be very helpfull and this is a good thing. But for people actively using scripts (i.e administrators, developers, and "power users") only #5 remains valid. This is OK since in the end the user has to decide, but one should be aware the the saftey nets #1 to #4 are probably not in place and the script *will* run and it *will* fullfill its evil intention.

Anyway, calling this worm a "worm" is simply not correct and if that's all the Microsoft averse community can come up with you've done a pretty good job.

re: Windows PowerShell and the “PowerShell Worm”

PowerShellTeam — Tue, 08 Aug 2006 11:56:16 GMT

>Unfortunatelly I cannot totally agree with most of your assumptions

To be clear, the goal of this is not to prevent savvy users from shooting themselves in the foot. We cannot protect all users from themselves if they're really determined to execute the script.

However, most of the folks who are infected by these types of viruses are not the savvy scripters who use the technology day in, day out but rather novice users who don't notice the differences in file extension or even icon.

Leonard

PowerShell Security « Dmitry’s PowerBlog: PowerShell and beyond

PowerShell Security « Dmitry’s PowerBlog: PowerShell and beyond — Fri, 27 Jul 2007 10:59:26 GMT

PingBack from http://dmitrysotnikov.wordpress.com/2007/07/27/powershell-security/

re: Windows PowerShell and the “PowerShell Worm”

Steve — Mon, 27 Apr 2009 05:06:42 GMT

All I can say is that this FUD is truly some of the most idiotic fear-mongering and ado over nothing that I've ever seen.

I'm more or less in the middle ground when it comes to M$, but they did a DAMNED good job with PowerShell - and it shows. I just don't see why when Microsoft releases a product, it is AUTOMATICALLY bad - I mean, sure, there's been a few stinkers, but 2000 and XP are actually pretty well-coded pieces of software.

Leaves a little to be desired in the form of security here and there, but it would appear that Microsoft is doing what it can to change that - who knows?

All I know is that these tactics, used by bashers, security firms, and anti-virus/firewall vendors, are pretty underhanded, if you ask me. Give things a chance, don't be so quick to shoot when you see the whites of the eyes.