Windows Vista Tool Targeted By Virus Writers

An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."

Short on Details

There are always virus writers who want to be the first to write a virus for a new platform.

I don't see what a big deal being the first person to write a virus for Vista is. Oh, first post!

But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be a advanced batch script that can spread it self then del /s /q.

Re:Short on Details

[Coryoth]

You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.

Certainly there are potential issues, but I don't think there's really anything to panic about yet.

Jedidiah.

Comments from a Monad developer

[Leeji]

The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

That's not to belittle the dangers of script viruses, though.

I wrote a blog entry about it here, in relation to Monad.

Re:Comments from a Monad developer

[shmlco]

I don't see why they can't lock it down firewall-style. When XYZ application runs and tries to hit a reserved directory or section of the registry, popup a window saying so and ask if you want to allow it.

You might not even need the popup. My firewall on a couple of machines has a database it can go out to search and see if this application is "known" and should have access.

It might be less secure than a total limited-account-lockdown, but it would be better than nothing. In fact, I think the latest version of ZoneAlarm already has this sort of "inner firewall".

Nothing serious i must say

Something which requires you to execute a script on the computer is not a virus. Think if you execute a bash script in Linux and it goes on and put itself in all your bash scripts, would you call it a virus?

This is actually nothing, it simply prepends/appends or put itself in the middle of existing MSH scripts. It is equivalent to, if you run a binary on your machine, it can attach itself to all the binaries on your machine.

On top of that, MSH by default on let digitally signed scripts to execute hence once infected scripts on execute. This is not really a threat at all.

Re:Oopsie!

[jmking1]

That's exactly the reasoning people used in support of Firefox before 1.0 was released. I don't see why it can't be used for any beta software.

Oh, and just for completeness, vulnerabilities have been found in Firefox since 1.0, so the argument that only Microsoft releases "beta" (read: vulnerable/insecure) code as production-level software doesn't work either.

Leibnitz is rolling is his grave

[calculadoru]

Quoth the wise man in his treatise Monadology (1714):
"There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."

And they they've managed to attack them??? Oh, the humanity...

Re:What's the motivation

[dedazo]

Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary.

Yeah, it sucks when that happens.

Of course you can always "embargo" all your vulnerability details (see for example bug #294795) - and feel comfortable in your superior position!