Tag Archives: Windows PowerShell

The Dark Power of Windows PowerShell (Japanese-language version)

It was recently reported that Windows PowerShell, Microsoft's scripting language, is being used for malicious purposes by malware authors. Symantec has identified further PowerShell scripts being used for malicious ends in attacks. Unlike the other PowerShell scripts identified so far, this script (which Symantec detects as Backdoor.Trojan) has several layers of obfuscation and can inject malicious code into rundll32.exe, allowing it to hide inside the computer while continuing to run and behave like a backdoor.

[Image: Powershell 1.png]

Figure 1. The original Microsoft Windows PowerShell script

As the image above shows, the script is obfuscated so that users cannot see it in clear text. However, the attacker used the -EncodedCommand parameter to encode the entire script in base64. Even once decoded, the script remains obfuscated and looks like the following figure.

[Image: Powershell 2.png]

Figure 2. The first decryption layer of the PowerShell script

Next, the script again decodes part of itself from base64 to plain text and passes the decoded portion through a decompression function. The decompressed data is the final stage of the deobfuscated PowerShell script and is executed with the Invoke-Expression command.

[Image: Powershell 3.png]

Figure 3. The deobfuscated PowerShell script

To hide on the computer, the attacker uses the CompileAssemblyFromSource command so that the embedded code can be compiled and executed on the fly. The compiled code then runs rundll32.exe in a suspended state, injects the malicious code into the newly created process, and resumes the rundll32 thread. This is how it evades detection on the computer.

The injected code then attempts to connect to a remote computer and waits to receive a buffer of instructions. The code then stores these instructions with EXECUTE_READWRITE permissions and executes them stealthily.

The following figure shows how the injected code allocates memory and receives the instructions that are executed later.

[Image: Powershell 4.png]

Figure 4. Malicious code injected into rundll32.exe

Symantec customers are protected from this attack by the Backdoor.Trojan detection definition. To avoid infection, we recommend using Symantec's latest technologies and keeping antivirus definitions up to date. Avoid running unknown PowerShell scripts, and do not lower PowerShell's default execution settings, so that malicious scripts are prevented from running.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

The Dark Power of Windows PowerShell

Windows PowerShell, the Microsoft scripting language, has made the headlines recently due to malware authors leveraging it for malicious purposes. Symantec has identified more PowerShell scripts being used for nefarious purposes in attacks. Unlike other PowerShell scripts that we have identified previously, the new script, which Symantec detects as Backdoor.Trojan, has different layers of obfuscation and is able to inject malicious code into “rundll32.exe” so that it can hide itself in the computer while still running and acting like a back door.

[Image: Powershell 1.png]

Figure 1. The original Microsoft Windows PowerShell script

As seen from the previous image, the script is obfuscated to prevent users from seeing the clear text. However, the attacker has used the parameter “-EncodedCommand” in order to encode the entire script in base64. Once decoded, the script is still obfuscated and it looks like the following:

[Image: Powershell 2.png]

Figure 2. PowerShell script’s first layer of decryption

After this, the script will again decode a portion of itself from base64 to plain text and the decoded part of the script is passed through a decompression function. The decompressed data is the latest stage of the deobfuscated PowerShell script, which will be executed through the “Invoke-Expression” command.

[Image: Powershell 3.png]

Figure 3. A deobfuscated PowerShell script

The attacker uses the command “CompileAssemblyFromSource” so that they can compile and execute on-the-fly embedded code which hides itself on the computer. The compiled code will then try to execute “rundll32.exe” in a suspended state, inject malicious code into the newly created process and restart the “rundll32” thread. This method is used to prevent detection on the computer.

The injected code will then try to connect to a remote computer and then waits to receive a buffer of instructions. The code will subsequently store these instructions in memory with EXECUTE_READWRITE permissions, so that they can be executed in a stealthy way.
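Unwrapping the -EncodedCommand argument and peeling the base64-then-decompress layers described above is the first step a responder takes when triaging a script like this. The following added example (not code from the post or from Symantec) does that in Python for a constructed, inert sample that mimics the staging, then reports which of the post's indicators (FromBase64String, DeflateStream, Invoke-Expression, CompileAssemblyFromSource, rundll32, EXECUTE_READWRITE) fire across the recovered stages. It assumes raw Deflate for the post's unspecified decompression function and ASCII script text; the indicator names and sample script are the example's own.

```python
import base64
import re
import zlib

INDICATORS = {"base64_decode": r"FromBase64String", "decompression": r"DeflateStream|GZipStream",
              "invoke_expression": r"\bInvoke-Expression\b|\bIEX\b", "inline_compile": r"CompileAssemblyFromSource",
              "rundll32_target": r"rundll32(?:\.exe)?", "rwx_memory": r"EXECUTE_READWRITE"}

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def _as_text(data):
    """Accept bytes as a script stage only if they are printable ASCII (UTF-8 assumed)."""
    text = data.decode("utf-8", errors="replace")
    return text if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text) else None

def _next_stage(script):
    """First long base64 literal that inflates (raw Deflate, as .NET DeflateStream writes; assumed) to text."""
    for blob in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", script):
        try:
            if text := _as_text(zlib.decompress(base64.b64decode(blob, validate=True), wbits=-15)):
                return text
        except (ValueError, zlib.error):
            pass
    return None

def unwrap_stages(script, max_depth=5):
    """Peel the layers the post describes until no further base64+Deflate stage appears."""
    stages = [script]
    while len(stages) <= max_depth and (nxt := _next_stage(stages[-1])):
        stages.append(nxt)
    return stages

def score_stages(stages):
    """Indicator names that fire anywhere in the stage chain (input for a triage rule)."""
    return sorted({n for s in stages for n, rx in INDICATORS.items() if re.search(rx, s, re.I)})

def build_sample():
    """Constructed sample mimicking the post's layering; it is not the real malware."""
    stage3 = ("$asm = $provider.CompileAssemblyFromSource($params, $src)  # constructed stage 3\n"
              "# host process rundll32.exe, buffer protection EXECUTE_READWRITE\n")
    comp = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(comp.compress(stage3.encode()) + comp.flush()).decode()
    stage2 = (f"$raw = [Convert]::FromBase64String('{blob}')  # fed to a DeflateStream\n"
              "Invoke-Expression $script\n")
    enc = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return "powershell.exe -NoP -W Hidden -EncodedCommand " + enc
```

Running `score_stages(unwrap_stages(decode_encoded_command(build_sample())))` lists all six indicators; on a real command line captured from process-creation logging the same chain exposes the innermost stage without executing any of it.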

The following picture shows how the injected code allocates the memory and receives the instructions that are later executed.

[Image: Powershell 4.png]

Figure 4. Malicious code injected into rundll32.exe

Symantec customers are currently protected from this attack with the detection Backdoor.Trojan. To avoid being infected, we recommend that customers use the latest Symantec technologies and update their virus definitions. Users should avoid running unknown PowerShell scripts and should not lower PowerShell’s default execution settings, in order to prevent potential malicious scripts from executing.
