In recent variants of the infamous DNS-changer adware we have found that the coders use a particularly interesting method to bypass the default restrictions imposed for executing Powershell scripts.
Execution restrictions
To protect Windows users, Microsoft has chosen not to allow the execution of Powershell scripts by default. The default setting for the ExecutionPolicy is “Restricted” which does not load configuration files or run scripts. But it does allow the execution of “single” commands which opens up a number of possibilities to circumvent the restriction.
Encoding
One of the ways to bypass the restriction is to encode your script, which basically allows you to turn your entire script into a single command. Which will then execute without paying mind to the execution protection. The examples we saw for the DNS-changer adware looked like this:
powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden –EncodedCommand {very long string}
The “very long string” will be Base64 encoded as that is what Powershell uses by default. I created my own script to decode and format the encoded command but the decoding can easily be done online.
A piece of the decoded and formatted script
Method in use
This adware uses a Scheduled Task with a random name and CLSID to execute the Powershell command.
{821B49C2-8DEC-DD5B-FEA9-891E01C29F09} 18/01/2016 22:36:00 Ready Task: {68DD3F41-1B59-4DCF-82E7-451FBB71491B} - System32Tasks{821B49C2-8DEC-DD5B-FEA9-891E01C29F09} => powershell.exe -windowstyle hidden -noninteractive -ExecutionPolicy bypass –EncodedCommand {very long string}
One of the things the Powershell script does is set a UserAgent and download a file from one of a set of pre-defined domains.
The domains it tries to contact will be blocked by Malwarebytes Anti-Malware Premium.
The trojan also changes the DNS settings by altering the values “NameServer” under the registry keys:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesTcpipParameters HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesTcpipParametersInterfaces{interfaceGUID}
In this example the DNS servers were changed to “82.163.142.3 95.211.158.130” Note that the values were separated by a space and not comma-separated as defined by Microsoft. It works nonetheless.
How to restore the default settings for the Powershell execution policy
If you want to check the current setting of your execution policy, you can run Powershell and use the command Get-ExecutionPolicy to find out. If you are using the default settings the answer should be Restricted.
If you want to change your settings you can use the Set-Execution Cmdlet. Please note that you will have to run Powershell as Administrator for this to work. The command to return the settings to the default for example would be Set-ExecutionPolicy Restricted. You will be prompted to confirm the action.
Removal guide and protection
The removal guide for DNS-changer can be found on our forums. Malwarebytes Anti-Malware Premium users are protected against this threat. The installer is detected as Trojan.Agent.DRS.
Besides blocking the malware ourselves, we have contacted the host of the domains that we found to be contacted by the scripts. They were all hosted by the same company at the same IP and we requested them to take action against their customer, to which they have responded that the “issue has been resolved”.
Summary
We have looked at the functionality of a new variant of the DNS-changer adware family. Especially the use of encoded scripts as a way to bypass the Powershell execution protection.
Links
15 Ways to Bypass the PowerShell Execution Policy
Technet Powershell Set-ExecutionPolicy
Pieter Arntz