
One of the major improvements to the Windows environment in the past few years has been PowerShell. Its Unix-style scripting capabilities make it possible to automate Windows administration tasks, and one of its major advantages is that it supports most Microsoft products, from MS Office to enterprise-level applications such as MS SharePoint and MS Exchange.

But can PowerShell be used for malicious purposes? Melissa, which was written as an MS Office macro, showed that document macros could carry malware, but that was back in 1999. Is it still possible today?

According to Trend Micro[1], a new piece of malware written in PowerShell has been discovered: CRIGENT (aka Power Worm). Trend Micro has detected two malicious files (W97M_CRIGENT.A and X97M_CRIGENT.A; the W97M/X97M prefixes denote Word and Excel macro malware), which arrive inside an infected Word or Excel file.

The malware downloads and installs Tor and Polipo, then connects to its command and control (C&C) server. It collects information from the user's machine (such as the IP address, user account privileges, version information and latitude) and sends it to the C&C server. In addition, Power Worm infects other Word/Excel files on the machine, disables macro alerts, and downgrades each infected file from .docx/.xlsx to .doc/.xls. The downgrade is not cosmetic: the default .docx/.xlsx formats cannot contain VBA macros, so the worm needs the legacy binary formats (or a macro-enabled format such as .docm/.xlsm) to carry itself.

The best way to stop this kind of malware is to disable macros (or at least leave Office's default "disable all macros with notification" setting in place and never enable them for an unexpected document) and not to open files from untrusted sources. Because Power Worm turns macro alerts off and rewrites documents into the legacy formats, a machine on which macro warnings have suddenly stopped appearing, or whose .docx/.xlsx files have turned into .doc/.xls, should be treated as suspect.
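The file-format point above gives defenders something to hunt for: a macro-bearing document must live in a legacy OLE container or a macro-enabled OOXML package, so a sudden population of .doc/.xls files carrying VBA is exactly the footprint the downgrade leaves. The following Python scanner is an added example, not code from the ISC diary or from Trend Micro's report. It goes a little beyond the diary's case and also flags OOXML packages that carry a vbaProject.bin part under a non-macro extension such as .docx, and files whose extension does not match the container inside. The OLE check is a heuristic (it searches the raw bytes for the UTF-16LE stream name "_VBA_PROJECT" rather than parsing the compound-file directory), and every sample document is constructed in memory; none is a real Office file or real malware.

```python
"""Triage scanner for macro-bearing Office documents (added example; not ISC or Trend Micro code).

Power Worm re-saves infected .docx/.xlsx files as .doc/.xls because the default
OOXML formats cannot carry VBA. This scanner uses that fact to hunt for:

  * OLE (legacy .doc/.xls) files whose stream directory names a VBA project
  * OOXML zips containing a vbaProject.bin part, including ones hiding behind a
    non-macro extension such as .docx
  * files whose extension does not match the container actually inside them

All sample documents below are constructed in memory; they are not real Office
files and contain no malware.
"""
import io
import os
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header signature
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML documents are zip archives

# OLE directory entries store stream names as UTF-16LE. Word keeps its project
# under Macros/VBA/_VBA_PROJECT, Excel under _VBA_PROJECT_CUR/VBA/_VBA_PROJECT,
# so one marker covers both. Heuristic only: a full OLE parser would walk the
# directory sectors instead of searching raw bytes.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

LEGACY_EXTS = {".doc", ".xls", ".ppt", ".dot", ".xlt"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def detect_container(data: bytes):
    """Return (container, has_vba); container is 'ole', 'ooxml' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole", VBA_STREAM_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other", False          # zip magic but not a readable archive
        return "ooxml", any(part in names for part in OOXML_VBA_PARTS)
    return "other", False


def triage(filename: str, data: bytes) -> list:
    """Return finding codes for one document; an empty list means nothing notable."""
    ext = os.path.splitext(filename)[1].lower()
    container, has_vba = detect_container(data)
    findings = []
    if container == "ole":
        if ext in OOXML_EXTS or ext in MACRO_EXTS:
            findings.append("ext-mismatch")       # .docx name, legacy binary inside
        if has_vba:
            findings.append("ole-vba")            # the shape the downgrade leaves behind
    elif container == "ooxml":
        if ext in LEGACY_EXTS:
            findings.append("ext-mismatch")       # .doc name, zip package inside
        if has_vba:
            findings.append("ooxml-vba" if ext in MACRO_EXTS else "ooxml-vba-hidden-ext")
    return findings


def build_ooxml(parts):
    """Constructed minimal OOXML-style zip: just enough structure for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for part in parts:
            zf.writestr(part, b"\x00" * 16)
    return buf.getvalue()


def build_ole(stream_names):
    """Constructed OLE-style blob: real magic, zeroed header, fake 128-byte directory entries."""
    blob = bytearray(OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC)))
    for name in stream_names:
        encoded = name.encode("utf-16-le")
        entry = bytearray(128)
        entry[: len(encoded)] = encoded
        struct.pack_into("<H", entry, 64, len(encoded) + 2)   # name length incl. NUL
        blob += entry
    return bytes(blob)


def scan_samples():
    """Run the scanner over constructed samples mirroring what the worm produces."""
    samples = {
        "report.docx": build_ooxml(["word/document.xml"]),
        "invoice.docm": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "invoice.docx": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "budget.doc": build_ole(["Root Entry", "WordDocument"]),
        "budget_downgraded.doc": build_ole(["Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT"]),
        "notes.docx": build_ole(["Root Entry", "WordDocument"]),
    }
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:24s} {', '.join(findings) or 'clean'}")
```

Point `triage()` at real files read in binary mode to sweep a share or a user profile. A legitimately macro-enabled .docm/.xlsm is reported as plain "ooxml-vba" so it can be whitelisted, while "ole-vba" on a document that was a .docx yesterday, or "ooxml-vba-hidden-ext", is worth opening an incident over.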



[1] http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 