Malware writers shift their focus to Microsoft PowerShell

Wave of malware written for PowerShell as Microsoft prepares to make it the replacement for the command line in Windows 10

Malware writers are shifting their focus to Microsoft PowerShell, according to security software company Symantec, which claims that it has seen a 95.4 per cent rise in PowerShell malware instances.

PowerShell is set to become the default replacement for the command line function in Windows when the Creators Edition arrives next year. It has already superseded it in Insider builds.

PowerShell is already available to everyone and has been around for about ten years. It is generally enabled by default.

The fact that, during a sandbox test of 111 threat families, nearly all of the analysed scripts were malicious shows what a threat the move could potentially pose to the enterprise.

Symantec advises that sysadmins make sure machines are running the latest version of PowerShell and enable extended logging and monitoring options. They also suggest you buy their software to protect yourself.
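As an added illustration of that advice (this is not code from the article or from Symantec), the following script checks the installed PowerShell version and switches on the three extended logging features via the same registry values that Group Policy writes; the transcript directory `C:\PSTranscripts` is an assumed placeholder, and the script must run in an elevated session on a Windows host.

```powershell
# Added example: verify the PowerShell version and enable extended logging.
# Run as Administrator. Registry paths are the documented Group Policy locations.

# 1. Report the engine version; script block logging needs PowerShell 5.0 or later.
$ver = $PSVersionTable.PSVersion
Write-Output "PowerShell engine version: $ver"
if ($ver.Major -lt 5) {
    Write-Warning "Script block logging requires Windows Management Framework 5.0 or later."
}

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 2. Script block logging: records the de-obfuscated code of each script block
#    as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 3. Module logging for all modules: pipeline execution details as event ID 4103.
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# 4. Transcription: full text transcript of every session written to a directory.
#    'C:\PSTranscripts' is an assumed placeholder; use a central, append-only share.
$tr = Join-Path $base 'Transcription'
New-Item -Path $tr -Force | Out-Null
Set-ItemProperty -Path $tr -Name 'EnableTranscripting'    -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type String

# 5. Confirm the settings and show the latest script block events (if any yet).
Get-ItemProperty -Path $sbl, $ml, $tr | Format-List
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```

Once enabled, forward the Microsoft-Windows-PowerShell/Operational log (events 4103 and 4104) and the transcript directory to a central collector, since the value of this logging lies in being able to review it after a compromise.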

Among the high-profile cases that have involved PowerShell are the Odinaff Group attacks on financial establishments and the Trojan.Kotver infection, which was created to infect the registry without using any files.

PowerShell can also be used to uninstall security products, detect sandboxes and sniff passwords.

Symantec says: "PowerShell is installed by default on most Windows computers, and most organisations do not have extended logging enabled for the framework. These two factors make PowerShell a favoured attack tool."

It adds: "Furthermore, scripts can easily be obfuscated and allow for payloads to be executed directly from memory."

OpenSSH has been added to bolster security, but because PowerShell is so much more powerful than the old command line, there are a lot more opportunities for mischief. It does, however, form the basis for the interoperability between Linux and Windows that has been increasingly visible over the past year or so.

Back in August, a version of Windows 10 that was automatically rolled out to machines actually borked PowerShell altogether, leaving it inaccessible for a week.