Windows Vista Tool Targeted By Virus Writers

An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."

Short on Details

There are always virus writers who want to be the first to write a virus for a new platform.

I don't see what a big deal being the first person to write a virus for Vista is. Oh, first post!

But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be a advanced batch script that can spread it self then del /s /q.

Re:Short on Details

[Leeji]

You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here.

Re:Short on Details

[Owndapan]

I believe Monad/MSH is no longer even a part of the Longhorn release, so it is a bit unfair have everyone jump on it as a Windows Vista exploit. From Wikipedia:

MSH was originally slated to be shipped with Windows Vista, but has since assumed its own release schedule. Microsoft sources have confirmed MSH's first public release will most likely precede the release of Vista and be part of the next edition of Microsoft Exchange, due in the second half of 2006.

Re:Short on Details

[Coryoth]

You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.

Certainly there are potential issues, but I don't think there's really anything to panic about yet.

Jedidiah.

Re:Short on Details

[Negatif]

Nope, FRISK Software makes F-Prot. Not sure if you're trolling or just being misinformed.

Re:Short on Details

[IdleTime]

Wow! MS apologistrs are out in force today!

I honestly chuckled when I read the article. Not that I hate MS in any ways, in fact I dual boot and tend to use Windows more than linux due to work. But honestlt, did ANYONE really believe that the next product out of MS would be ANY safer than previous products? I know that is what MS themselves claim they are focusing on, security that is, but with their trackrecord, I'd be surprised if we see less than 250 viruses over the first year or so after they release Vista.

Anyhow, Vista is a product that will never get close to my PC anyway. XP will be the last MS product to find their way to my harddrives. The more I read about Vista, the more convinced I become in regards to how this product is designed to lock you down and let everyone else but you control how YOUR PC work at all time.

Re:Short on Details

[Owndapan]

WinFS was in the early builds of Longhorn as well, and that's been dropped too. You'd have to ask MS as to their motivation.

What? Say it isn't so!

[CypherXero]

Microsoft Windows is insecure! More details later, movie at 10.

Re:What? Say it isn't so!

[patio11]

This just in! Running arbitrary code from an untrusted source not a security best-practice!

Comments from a Monad developer

[Leeji]

The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

That's not to belittle the dangers of script viruses, though.

I wrote a blog entry about it here, in relation to Monad.

Re:Comments from a Monad developer

[stratjakt]

They've stated that they dont care if legacy apps break, and they proved it (somewhat) with XP SP2, and an anti-spyware tool which kicks the crap out of a lot of old code.

I'm sure I'm not the only developer out there who's had to rewrite some stuff to keep XP happy. And, despite the extra work, I see it as a good thing.

Re:Comments from a Monad developer

that's five solid kicks in the monads of vista

Re:Comments from a Monad developer

[jest3r]

Believe it or not but "Monad" wasn't their first choice. Other names which were seriously considered include: Mesticle, Menis, Magina and Mitoris ...

Re:Comments from a Monad developer

[Osty]

The real question is why the heck they decided to call it "Monad"?!

The short answer: It's a codename. It won't ship with that name. Most likely it'll go with the less interesting "Microsoft Shell" or "msh".

The long answer: Monad and Monads in functional programming (long answer has been diverted to Wikipedia, because I'm lazy).

The non-answer: Get your mind of the gutter, you pervert. Not everything ending in "-nad" refers to genitalia.

Re:Comments from a Monad developer

[starling]

Yabbut if they'd chosen one of those other names the GNU version wouldn't end up being called Gonad.

Sneaky, huh?

Re:Comments from a Monad developer

[dedazo]

The real question is why the heck they decided to call it "Monad"?!

Would you have preferred "Warthy Warthog" or "Sweaty Weasel"?

Re:Comments from a Monad developer

[kfg]

Missing option:

Moobs.

KFG

Re:Comments from a Monad developer

[shmlco]

I don't see why they can't lock it down firewall-style. When XYZ application runs and tries to hit a reserved directory or section of the registry, popup a window saying so and ask if you want to allow it.

You might not even need the popup. My firewall on a couple of machines has a database it can go out to search and see if this application is "known" and should have access.

It might be less secure than a total limited-account-lockdown, but it would be better than nothing. In fact, I think the latest version of ZoneAlarm already has this sort of "inner firewall".

Re:Comments from a Monad developer

[Hadlock]

They'll end up naming the GNU port "mash"

Re:Comments from a Monad developer

[Oscar_Wilde]

The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.
 
For those of you who still don't get it: stop logging in as an administrator you idiots.

Re:Comments from a Monad developer

[NickFortune]

Yabbut if they'd chosen one of those other names the GNU version wouldn't end up being called Gonad.

Looking at the syntax, I think the GPL version is called Perl 6

Re:Comments from a Monad developer

[timmarhy]

becuase people are retards and would click "no don't allow access" then proceed to whinge to tech support that their internet is broken, nothing works, blah blah...

Re:Comments from a Monad developer

becuase people are retards and would click "no don't allow access" then proceed to whinge to tech support that their internet is broken, nothing works, blah blah...

OTOH, people are retards and would click "yes do allow access" then proceed to whinge to tech support that their computer is broken, nothing works, blah blah

Re:What's the motivation

So l337 h4x0rz c4n pwn j00!!!!

Doesn't bode well...

[confusion]

For MS.

But seriously, this is like tipping over someone in a wheelchair. It's a BETA of WINDOWS. Hopefully MS will learn from this before the release, though. I'm not up for a whole new vector of threats against my windows boxen.

Jerry
http://www.cyvin.org/

Nothing serious i must say

Something which requires you to execute a script on the computer is not a virus. Think if you execute a bash script in Linux and it goes on and put itself in all your bash scripts, would you call it a virus?

This is actually nothing, it simply prepends/appends or put itself in the middle of existing MSH scripts. It is equivalent to, if you run a binary on your machine, it can attach itself to all the binaries on your machine.

On top of that, MSH by default on let digitally signed scripts to execute hence once infected scripts on execute. This is not really a threat at all.

Re:What's the motivation

[Spacejock]

Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary. When someone gets big-headed it's only natural to poke fun at them, or in a more sinister way, to want to exploit holes & make a big noise about it. It's like throwing cream pies at famous people, to embarass them in public. (Disclaimer: I'm a programmer, not a cracker or virus writer. I've never chucked a cream pie at a Personage before, either.)

On the other hand, if their next marketing campaign had a slogan like 'This OS is almost as polished as OS/X' or 'Vista is almost as secure as Linux' I can see how it might impact sales. However, perhaps if they stopped making outlandish claims in marketing, cracking would be left to the crimanals trying to steal your ID, rather than script kiddies hurling virtual cream pies.

Truth vs marketing. I wonder which will come out on top?

How is this different from *NIX shell scripts?

[MagikSlinger]

How is this different than writing a ksh or bash script virus? Ksh and bash script viruses can be just as bad. Heck, remember the Morris worm?

I like bashing M$ just as much as the next ./er, but this might not be their bad just yet.

Re:How is this different from *NIX shell scripts?

[Antique+Geekmeister]

I remember it too. There's a good chance it could happen again: it would have to spread via HTTP, SMTP, and SSH vulnerabilities to use ports that aren't blocked on gateway systems, rather than telnet and rsh, and woould perhaps also require probing VPN setups to gain access from infected machines to corporate networks. But a better built package more aimed at damage could easily replicate its password guessing and replation capability and cause quite a lot more damage today. People should be concerned about this stuff. It's amazing how Morris never spent a day in jail, but instead is now a professor at MIT ( http://pdos.csail.mit.edu/~rtm/ ). Gee, writing destructive worms that ruined systems worldwide, and help ruin your father's career as head of the NSA must really be work which MIT wants to foster as part of their "ubiquitous computing" developments. That's just what I'd look for as part of the computing in my home!

NO WAY!

[stiefvater]

never mind the virus-

windows now has a decent shell?!

will wonders never cease?

K.

It still is a beta after all.

[zwilliams07]

Give M$ some time to work its magic, then there will be plenty of holes and viruses for all!

Re:Oopsie!

[jmking1]

That's exactly the reasoning people used in support of Firefox before 1.0 was released. I don't see why it can't be used for any beta software.

Oh, and just for completeness, vulnerabilities have been found in Firefox since 1.0, so the argument that only Microsoft releases "beta" (read: vulnerable/insecure) code as production-level software doesn't work either.

So what?

[IchBinEinPenguin]

All this proves is that Monad can find and modify text files (and that there are idiots out there who will misuse tools).
About the only way around this is code-signing to prevent modification (yeah, like I'm gonna sign every single perl script I ever wrote.....)

It's not like you can't do this in bash, awk, sed, perl, python, REXX etc. etc.

full circle wtf ?

[bxbaser]

I must be getting old when i see the full circles everywhere.

when windows 95 came out the windows zealots where so quick to point out "no more haveing to type in dos windows is better than everything" now they will say "we have a shell windows is better than everything"

Re:Not a vulnerability

[dedazo]

Slashdot has a history of reporting user-executed attachments as "vulnerabilities", to the never ending delight of the peanut gallery, who consider that it's Microsoft's fault if I run something I shouldn't have on my computer, but if I do the same thing on any other OS, it's my fault.

Plus, Hakko Mipponen (or whatever his name is) has to make a living scaring the bejezus out of everyone - what better way to get started than with something that's not even really out of alpha?

Leibnitz is rolling is his grave

[calculadoru]

Quoth the wise man in his treatise Monadology (1714):
"There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."

And they they've managed to attack them??? Oh, the humanity...

More Windows viruses?

[Lisandro]

Awwww, crap guys. Let it go already. It's a bit like kicking a crippled at this point.

Re:What's the motivation

[dedazo]

Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary.

Yeah, it sucks when that happens.

Of course you can always "embargo" all your vulnerability details (see for example bug #294795) - and feel comfortable in your superior position!

An Example of One of the So-Called Viruses

[AdamBa]

This is the verbatim text of one of the five viruses:

$name_array=get-childitem *.msh
foreach ($name in $name_array)
{
if ($name.Length -eq 249)
$my_file=$name.Name
}
}

foreach ($victim in $name_array)
{
if ($name.Length -ne 249)
{
copy-item $my_file $name.Name
}
}

All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).

The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.

- adam

PC World has the most sensationalized version...

[AdamBa]

Right here. "Microsoft's newest operating system in beta only a week, but already leaky." Eeek!! It claims the viruses "take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code". Only problem is, Monad is not included in the Windows Vista beta code. Then it talks about how they "take advantage of security vulnerabilities in the new command shell". Like the ability to run scripts?

- adam

Re:Not a vulnerability

[dedazo]

Mikko Hypponen

Am I suppose to believe you're him?

But very few of the most widespread viruses in the world rely on vulnerabilities.

Right, and assuming you are Hypponen, how does this affect you (or not)? I was making a comment about Slashdot, not you.

OTOH, assuming you are who you say you are, let me just say that I'm hardly the first person in the world to point out that companies like F-Secure tend to be on the unfortunate side of hysteria when it comes to reporting vulnerabilities. So don't be offended by that, we understand how the business works. It's OK.

Cheers.

Misleading topic

[Jugalator]

It should be "Windows XP/2003/Vista Tool Targeted By Virus Writers". It won't just be for Vista. The tool is also still in early beta, and I'm not even sure what the script did; is it a script like "rm *", or does it exploit any actual vulnerabilities? There's too little info here to know if this is anything to call news or not...

Monad will also not be included with Windows Vista RTM.

Re:PC World has the most sensationalized version..

[Jugalator]

"Only problem is, Monad is not included in the Windows Vista beta code."

It will probably not be included in the final Windows Vista code either.
It'll be a separate, downloadable tool for all MS OS'es since Windows XP.
I'm still looking for the connection to Windows Vista here...

So bloody what ?

[polyp2000]

As much as i despise microsoft and avoid using windows at whatever cost. They have not released Vista to end users yet. The purpose of a beta is to find out what the problems and issues are and resolve them. Wait until they release a final before criticising I am sure there will be plenty of viruses and bugs to get excited about then! (How else are they going to continue shipping their AV software ?)

The Monad

[payndz]

In the comic series The ABC Warriors (specifically the story 'Black Hole'), the Monad was a bloated, ruthless manifestation of all human evil that attempted to destroy the Earth by corrupting and overloading the incredible technological achievement that linked humanity together.

But I'm sure that's just a coincidence.

i dont see why this is news....

[Madd+Scientist]

1) it's a scripting language
2) assume you already have command line access

a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.

this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.

Re:Not a vulnerability

[dedazo]

The real issue

The real issue is that I do not want a case-sensitive file system, or one that requires me to do all sorts of command line incantations to run a script. It's not my fault that Joe User and his 1,000,000 friends are stupid.

In any case, I can send you a tarball with the execute bit turned on and ask you to unpack it and run the REAL COOL ANNA KOURNIKOVA SCREENSAVER!!!, and chances are you'll do it. Chances are when Linux hits the "big time" there will be something slightly more functional than FileRoller out there. Chances are you'll give me your root password if I ask for it nicely. Chances are your assumptions or superiority are unfounded. People got infected with worms that came in on password protected zip files. Do you think you can engineer away user stupidity? That's scary.

to hide the file extension from the user

Bad design call, yes. OTOH, I could care less, I always turn it off.

Does longcock

OMFG, you're hilarious.

Re:PC World has the most sensationalized version..

[Chokolad]

Thing is, msh is not registered as handler for *.msh files, so in order to run the script you will have to execute 'msh.exe script.msh' from the command-line, it will not work by clicking an icon in Outlook Express for example.

Too many Moving Parts

[ajs318]

Why the hell does a command line interface need to incorporate Object Oriented features? This sounds to me like adding features for features' sake.

The more sophisticated you make a system, the more failure modes you introduce -- and the harder it gets to test the edge cases, because there end up being too many edges. You want Obejct Oriented? I'll give you an Object Oriented example. Let's have a "length" type with properties which correspond to its conversion into different measuring units.

var height IsOfType length
reset height
let height = 1.75
print height.feet # prints 5
print height.feet.inches # prints 8.8975
print height.inches # prints 68.8975
reset height
let height.inches = 72
print height.feet # prints 6
print height # prints 1.8288
forget height

It may well be pretty, but outside of any programme dealing with units conversion it's fairly unnecessary. And it contains many programming hazards which would thwart the careless implementor. {BTW, that was a fictitious example; but I'm willing to bet there is at least one programming language out there that actually implements something like it.}

All a command shell really has to do is be able to launch programmes, police the I/O traffic and keep hold of some state information. If it can do all that right, any other functionality you need can be provided by external programmes. That way, everything is kept as simple as it needs to be; you haven't got code cluttering up things that don't need it. If you do build functionality into the shell, there should be a bloody good reason -- usually that reason is that some external programme is getting launched more than its fair share. And in that case you already have the code you need to incorporate and it's been thoroughly tested.

Re:Too many Moving Parts

[MichaelJ]

MS, like virtually all Unix variants, is using a scripting language engine as its CLI. This is no different than Bash, Sh, Tcsh, etc. all of which support functions, etc.

Can you imagine a command-line interface that didn't support aliases, functions, the ability to do more than just launch programs? Even command.com wasn't that limited. My daily experience at work (Linux) would suck if I hadn't been able to customize the shell as I have.

And as for testing - it's not that hard. Since the same language is used in scripts as is interactively, you have a test framework right there.

The first thing I thought when they said MS added OO was that this was like using the Python interactive REPL. It all strikes me as much like Eshell-mode in Emacs.

You are right that as with any technology, the more the power and functionality, the more abusable it is. But a CLI that can only launch programs? Perhaps one could argue that that the model to follow is OS/2, whose CMD language was not nearly as rich as the ReXX scripting language (precompiled into filesystem extended attributes ... sigh), as opposed to the VMS model of the DCL language and CLI. But if you're going to live at a command line, there are things you have to be able to do to the environs of that shell that subprograms or scripts just cannot do for you.

Everything that was once, will be again...

[Spoing]

"As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory."

As time goes on, they keep reinventing bits and pieces of Unix.

Straight from the horses mouth

[xfmr_expert]

From a Dec. 2004 "chat": Q: How is security addressed in Monad? A: This is a very board topic. We spend a lot of time on security. One of the common questions is "are we reintroducing script attacks?". We are doing a number of things to mitigate those exposures. 1) we will not have a doc handler for .msh files (this means that you won't be able to double-click a .msh file and have it run). 2) We'll have a policy that only allows signed scripts (from people you trust) to run (we'll then make it easy for you to sign scripts).

Wait my friends

[lord_rob+the+only+on]

It's just a beta product. All flaws are not fixed yet.

I suppose you all remember when Whistler (codename for windows XP) came out, it was full of bugs and security holes. This is normal, it's a beta. Now we all know that Windows XP is stable and secure as hell *cough cough*