Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

PowerShell Released

Created: 06 Dec 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:54:42 GMT
Eric Chien's picture
0 0 Votes
Login to vote

In 2004, I spoke at Virus Bulletin about a new technology that at that time was known as Monad. Monad has since received an official name of Microsoft PowerShell and recently has been released for Windows XP and 2003 Server, with Vista versions following in January, 2007. PowerShell is a new command line shell, like cmd.exe, but much more powerful.

In 2004, PowerShell was still in its early beta stages and was originally rumored to be shipping in default with Vista. I examined the robust features of PowerShell and demonstrated that a variety of malicious code types were possible – including viruses, worms, and Trojans – using PowerShell. More worrying was that this new language (and platform) was a scripting language and it had the possibility to follow in the footsteps of Melissa and LoveLetter. In addition to their clever social engineering, those threats spawned a whole new class of threats that were easily created because when you received the threat, you also received the source code, which could be quickly modified into a new variant. PowerShell was potentially headed down the same road. Have we not learned anything from history?

Fortunately, since that presentation PowerShell has added a variety of features that mitigate any huge outbreaks of malicious code written in PowerShell. The first and foremost (and simple) feature is the file association for PowerShell files. When double-clicked, PowerShell files aren't executed, but instead are loaded into Notepad. This will prevent the most common vector of infection where a user receives such a file and double-clicks it. Also, by default, even if you execute PowerShell you can't load and run script files without changing the execution policy to allow non-signed scripts to be executed. Finally, because PowerShell is not going to ship on Vista by default, the number of machines that can be infected is dramatically reduced. Your average home user probably won't need and won't install PowerShell.

Of course, virus writers themselves have already started to create PowerShell threats (Criss-cross, Cibyz), but all of them have been based on the beta version and some barely work. So, while we may see a few proof-of-concept-style threats, for the most part we shouldn't see a return of a LoveLetter-style threat with PowerShell 1.0. I'm glad that we’ve learned something from history, after all.