Windows PowerShell - Heading Off Malicious Code
Remember back when Windows Vista was still in beta and there was buzz about a very early version of a new command-line shell code-named "Monad"? (This, of course, would eventually come to be known as Windows PowerShell.) At the time, there were many mainstream media reports about the "first Windows Vista virus." In reality, the "virus" was just a proof-of-concept malware script that targeted "Monad." In order to run the script, "Monad" itself would have had to have been specially configured; the script wouldn't work under default settings. Moreover, by the time those reports surfaced, Microsoft had already announced that "Monad" would not ship as part of Windows Vista. In short, the whole situation was much ado about nothing (or, at least, about very little).
As Windows PowerShell becomes more popular, though (it has already been downloaded more than a million times), the odds increase that someone will use it to create a malicious script. The ability to write a potentially damaging script in Windows PowerShell is a given; any admin tool, including Windows PowerShell, cmd.exe, and VBScript, can be used maliciously. So you can't just assume a given PS1 file is harmless.
Fortunately, Windows PowerShell ships with its execution policy set to Restricted, which means it won't run any script files at all until someone deliberately changes that setting. A malicious script therefore needs help from you if it is going to run. This month, I'd like to predict how this will probably happen. This isn't to make Windows PowerShell look bad; I think Microsoft has done a good job designing a scripting shell that avoids many of the risks. However, this is a discussion worth having just to help you prepare and be ready to head off this potential attack.
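Before reading on, it is worth confirming what the default actually looks like on your own machine. The following is an added example, not code from the original article: it lists the execution policy at each scope, reports the effective policy and what it means for an unsigned .ps1, and then tries to run a small constructed script so you can see the "running scripts is disabled" error a user would hit under Restricted. It assumes Windows PowerShell 3.0 or later (for the -List parameter on Get-ExecutionPolicy) on Windows; the function names and the temporary script are mine.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 3.0+.
# Audits the execution policy and demonstrates what happens to a .ps1 under it.

function Get-ScriptPolicyReport {
    # Get-ExecutionPolicy -List returns scopes from MachinePolicy down to LocalMachine;
    # the first scope that is not Undefined wins. Get-ExecutionPolicy with no
    # arguments returns that effective value (Restricted when everything is Undefined
    # on a client OS).
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    foreach ($s in $scopes) {
        '{0,-14} {1}' -f $s.Scope, $s.ExecutionPolicy
    }
    "Effective policy: $effective"

    # Only Restricted and AllSigned stop an unsigned script outright; the others
    # are the "help" a malicious script needs, so flag them.
    switch ($effective) {
        'Restricted'   { 'Unsigned scripts: BLOCKED (this is the default described above)' }
        'AllSigned'    { 'Unsigned scripts: BLOCKED (a trusted signature is required)' }
        'RemoteSigned' { 'Unsigned scripts: ALLOWED if created locally, blocked if downloaded' }
        default        { "Unsigned scripts: ALLOWED ($effective) - someone changed the default" }
    }
}

function Invoke-ScriptUnderPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # Under Restricted the call operator fails with a terminating error whose
    # FullyQualifiedErrorId is UnauthorizedAccess; we catch it rather than let the
    # demo abort, and report exactly what the user would see.
    try {
        & $Path
        "Script ran: $Path"
    }
    catch {
        "Blocked: $($_.FullyQualifiedErrorId)"
        $_.Exception.Message
    }
}

# Constructed demo script (hypothetical content, written to %TEMP% and removed after).
$demo = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -Path $demo -Value 'Write-Output "hello from a .ps1 file"'

try {
    Get-ScriptPolicyReport
    Invoke-ScriptUnderPolicy -Path $demo
}
finally {
    Remove-Item -Path $demo -ErrorAction SilentlyContinue
}
```

On a machine still at the default, the report ends with "Effective policy: Restricted" and the second function prints the UnauthorizedAccess error instead of "hello from a .ps1 file"; if instead you see the greeting, someone (or some installer) has already relaxed the policy at one of the listed scopes, which is exactly the condition the rest of this article is concerned with.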