Trojan.DNSChanger circumvents Powershell restrictions

Share this…

In recent variants of the infamous DNS-changer adware we have found that the coders use a particularly interesting method to bypass the default restrictions imposed for executing Powershell scripts.

Execution restrictions

To protect Windows users, Microsoft has chosen not to allow the execution of Powershell scripts by default. The default setting for the ExecutionPolicy is “Restricted” which does not load configuration files or run scripts. But it does allow the execution of “single” commands which opens up a number of possibilities to circumvent the restriction.

Encoding

One of the ways to bypass the restriction is to encode your script, which basically allows you to turn your entire script into a single command. Which will then execute without paying mind to the execution protection. The examples we saw for the DNS-changer adware looked like this:

powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden –EncodedCommand {very long string}

The “very long string” will be Base64 encoded as that is what Powershell uses by default. I created my own script to decode and format the encoded command but the decoding can easily be doneonline.unraveled

A piece of the decoded and formatted script

Method in use

This adware uses a Scheduled Task with a random name and CLSID to execute the Powershell command.

{821B49C2-8DEC-DD5B-FEA9-891E01C29F09}   18/01/2016 22:36:00    Ready
Task: {68DD3F41-1B59-4DCF-82E7-451FBB71491B} - System32\Tasks\{821B49C2-8DEC-DD5B-FEA9-891E01C29F09} => powershell.exe -windowstyle hidden -noninteractive -ExecutionPolicy bypass –EncodedCommand {very long string}

One of the things the Powershell script does is set a UserAgent and download a file from one of a set of pre-defined domains.

unraveledUserAgent

The domains it tries to contact will be blocked by Malwarebytes Anti-Malware Premium.

protection2

The trojan also changes the DNS settings by altering the values “NameServer” under the registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{interfaceGUID}

In this example the DNS servers were changed to “82.163.142.3 95.211.158.130” Note that the values were separated by a space and not comma-separated as defined by Microsoft. It works nonetheless.

How to restore the default settings for the Powershell execution policy

If you want to check the current setting of your execution policy, you can run Powershell and use the command Get-ExecutionPolicy to find out. If you are using the default settings the answer should be Restricted.

GetPolicy

If you want to change your settings you can use the Set-Execution Cmdlet. Please note that you will have to run Powershell as Administrator for this to work. The command to return the settings to the default for example would be Set-ExecutionPolicy Restricted. You will be prompted to confirm the action.

 SetPolicy

Removal guide and protection

The removal guide for DNS-changer can be found on our forums. Malwarebytes Anti-Malware Premium users are protected against this threat. The installer is detected as Trojan.Agent.DRS.

protection1

Besides blocking the malware ourselves, we have contacted the host of the domains that we found to be contacted by the scripts. They were all hosted by the same company at the same IP and we requested them to take action against their customer, to which they have responded that the “issue has been resolved”.

Summary  

We have looked at the functionality of a new variant of the DNS-changer adware family. Especially the use of encoded scripts as a way to bypass the Powershell execution protection.

Source:https://blog.malwarebytes.org