Worm Targets Microsoft Powershell

Just a week away from Patch Tuesday, Microsoft is target of a proof-of-concept worm and an email phishing exploit

Dark Reading logo in a gray background | Dark Reading

A group of Austrian virus writers has used an old technique to launch an attack on a new, as-yet unreleased Microsoft product, the Powershell scripting tool.

The proof-of-concept worm, dubbed MSH/Cibyz!p2p or MSH/Cibyz, is the second such proof-of-concept malware written against Powershell by the group -- the first coming nearly a year ago. The difference this time: The proof-of-concept worm is a parasitic infector that places its own code into clean files so it can run malware. And unlike most proof-of-concept malware for Microsoft software, it doesn't exploit a vulnerability in the software, so it won't get a patch from the software company.

"The malicious worm does not exploit a vulnerability in Microsoft's software," says a Microsoft spokesman. "Microsoft recommends consumers do not accept files from untrusted sources and should use up-to-date third-party AV products to scan Kazaa-shared folders."

What's more interesting is this type of worm is one that could be customized to target a particular organization, says David Aitel, CTO for ImmunitySec. "We're seeing a trend of people writing worms that are customizable for an organization," he says. "Imagine the damage if a custom worm shuts down your organization for one day, especially if it's Christmas and you're an online retailer."

Aitel says custom worm attacks are tough to counter. "The research dollars haven't gone into this yet, so we don't have a picture of how to defend against attacks like this."

The MSH/Cibyz worm uses the Powershell scripting language, a command-line shell tool for systems administrators. So while the bad news is there's no actual patch to protect a scripting language, the good news is it won't be an end-user problem, security researchers say.

Allysa Myers, virus research engineer for McAfee Avert Labs, says the malware doesn't do any damage, but it appears to be more of an experiment by its writers to prove they can exploit Powershell. "It doesn't have a malicious payload per se," says Myers, who notes that McAfee has issued a virus definition for the threat. The best bet is to ensure admins' desktops run their own firewalls and IPS systems, she says. Another feature of the worm is that it changes its look every time it infects a file in an attempt to disguise itself, Myers adds.

This type of worm can masquerade as adware or a Kazaa folder to lure an unsuspecting user to download it, where it then makes its way to Powershell. "It's not super-sexy other than it targets Powershell," says Dave Cole, director at Symantec Security Response. "The fact that it's going after a newer Microsoft technology makes it interesting."

According to the Microsoft spokesperson, users should avoid these file names to protect themselves against the worm -- AVP -- AntiVirus Key Generator.msh; Ad-aware SE Personal Edition 1.06r1.msh; Allround WinZIP Key Generator.msh; Ashampoo Media Player 2.03 install.msh; Daemon Tools Install + Crack.rar.msh; Kaspersky KeyGen working.msh; Microsoft Windows Vista Cd-Key.txt.msh; Nero Burning Rom 6.6.0.13; Crack.msh; Talisman Desktop 2.99 Crack.msh; and Windows Vista Update.msh.

Meanwhile, in an unrelated Microsoft security development, a phishing email is circulating that poses as a message from [email protected] and offers prize money that a recipient would claim by linking to the "Microsoft Resolution Centre," a malware site that mimics Microsoft's but has malware that then installs a Trojan on the victim's PC. The phish was first spotted by SurfControl in Sydney, Australia over the weekend. "The Trojan will open a backdoor on the PC, allowing a remote intruder to gain access and control over the computer," says Susan Larson, vice president, threat analysis and research at SurfControl, which contacted Microsoft about the phish.

Researchers say it's just another phish aimed at a big target. "It's yet another attack and attempt of social engineering," says Shane Coursen, senior technical consultant for Kaspersky Lab. "Microsoft is [obviously] not going to send out an email like that."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights