Symantec Says 95.4% of PowerShell Scripts Are Malicious

The security solutions company says that 95.4% of all the PowerShell scripts that they analyzed using the BlueCoat Malware Analysis sandbox, were malicious.


Symantec analyzed 4,782 samples and found 111 malware families that use PowerShell commands to carry out their attacks. Of these 111 families, 8% used mixed-case letters, a simple form of obfuscation. Attackers also rely on other execution methods such as Invoke-Command, Enter-PSSession, PsExec, WMI (wmic / Invoke-WmiMethod) and profile injection.

Much of the new malware takes a step-by-step approach to loading malicious content onto PCs. For example, one malicious script downloads a second script, which then downloads the payload. These payloads are used to uninstall security solutions and to send passwords and log-in credentials back to the malware's creator.

Malicious PowerShell Scripts

According to Symantec, the following well-known malware families use malicious PowerShell scripts in their attacks:

  • W97M.Downloader (found in 9.4% of all analyzed samples).
  • Kovter Trojan (found in 4.5% of all analyzed samples).
  • JS.Downloader (found in 4.0% of all analyzed samples).

Attackers are using spam e-mails to spread these malware families. Symantec says that it blocked, on average, 466,028 e-mails per day containing malicious JavaScript; many of those scripts used PowerShell to download payloads.

PowerShell has been part of Windows since Windows 7 and will soon replace the old command prompt. Hence, attackers such as the Odinaff group and the operators behind the “Kovter Trojan” are starting to use malicious PowerShell scripts in large-scale attacks.

To protect against the rise in threats leveraging PowerShell, Symantec says: “We recommend bolstering defenses by upgrading to the latest version of PowerShell and enabling extended logging features.”

Furthermore, they advise considering PowerShell in attack scenarios and monitoring the corresponding log files.
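One way to act on that advice, as an added example that is not part of Symantec's report: enable script block logging (the extended logging feature available in PowerShell 5.0 and later), then review the resulting Event ID 4104 records for the two behaviours the report describes, download cradles and mixed-case obfuscation. The registry path, event ID and property index are the documented Windows ones; the case-transition threshold is a heuristic chosen for this example, and the script assumes an elevated session.

```powershell
# Added example, not code from Symantec's report. Assumes Windows PowerShell
# 5.0+ and an elevated (administrator) session.

# 1. Enable script block logging using the same registry values Group Policy
#    sets. Every executed script block is then written as Event ID 4104 to the
#    Microsoft-Windows-PowerShell/Operational log, after de-obfuscation.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Heuristic for mixed-case obfuscation: count upper/lower transitions inside
#    a word. Ordinary PascalCase names such as DownloadString have at most
#    three; names like iNvOkE-eXpReSsIoN have many more. Threshold 4 is an
#    assumption for this example, not a documented indicator.
function Get-CaseTransitionCount([string]$Word) {
    $count = 0
    for ($i = 1; $i -lt $Word.Length; $i++) {
        if ([char]::IsUpper($Word[$i]) -ne [char]::IsUpper($Word[$i - 1])) { $count++ }
    }
    return $count
}

# 3. Pull the last 24 hours of script block events and flag suspicious ones.
#    The cradle pattern covers the "script downloads the next stage" behaviour.
$cradle = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-Expression|\bIEX\b'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($event in $events) {
    $script = [string]$event.Properties[2].Value   # ScriptBlockText field of a 4104 event
    $reasons = @()
    if ($script -imatch $cradle) { $reasons += 'download cradle' }
    $oddWords = [regex]::Matches($script, '[A-Za-z]{6,}') |
        ForEach-Object { $_.Value } |
        Where-Object { (Get-CaseTransitionCount $_) -ge 4 }
    if ($oddWords) { $reasons += "mixed-case tokens: $($oddWords -join ', ')" }
    if ($reasons) {
        [pscustomobject]@{
            Time    = $event.TimeCreated
            Reasons = $reasons -join '; '
            Snippet = $script.Substring(0, [Math]::Min(120, $script.Length))
        }
    }
}
```

Forwarding the Operational log to a central collector lets the same review run across a fleet rather than on one host.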
