Researchers at Malwarebytes have detected "a particularly interesting method" that coders used to circumvent default restrictions mandated for Powershell scripts, detailed on the blog Malwarebytes UNPACKED.
In a strategy to protect Windows users, Microsoft by default forbids the execution of Powershell scripts. However, "single" commands can be initiated, which opens the path to several workarounds.
Scripts can be encoded so that the entire script becomes a single command, the Malwarebytes researchers explained. In this way, the command string will avoid the execution protection. And, this is what the DNS-changer adware code achieved.
"This adware uses a Scheduled Task with a random name and CLSID to execute the Powershell command," the report stated.
The script then sets a UserAgent and downloads a file from one of a set of predefined domains. The trojan also changes DNS settings by transforming the values “NameServer.”
Mitigation for DNS-changer is available on a Malwarebytes forum.