Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Windows Vista Tool Targeted By Virus Writers

Posted by CowboyNeal on Thu Aug 04, 2005 11:41 PM
from the infectious-diseases dept.
Microsoft Security Worms IT
An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Windows Vista Tool Targeted By Virus Writers 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Short on Details (Score:3, Interesting)

    by Anonymous Coward on Thursday August 04 2005, @11:42PM (#13247175)
    There are always virus writers who want to be the first to write a virus for a new platform.
    I don't see what a big deal being the first person to write a virus for Vista is. Oh, first post!

    But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be a advanced batch script that can spread it self then del /s /q.

    • Re:Short on Details (Score:5, Informative)

      by Leeji (521631) <slashdot&leeholmes,com> on Thursday August 04 2005, @11:50PM (#13247207) Homepage

      You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

      There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here [leeholmes.com].

      • Re:Short on Details (Score:4, Informative)

        by Owndapan (789196) on Friday August 05 2005, @12:13AM (#13247316)
        I believe Monad/MSH is no longer even a part of the Longhorn release, so it is a bit unfair have everyone jump on it as a Windows Vista exploit. From Wikipedia [wikipedia.org]:
        MSH was originally slated to be shipped with Windows Vista, but has since assumed its own release schedule. Microsoft sources have confirmed MSH's first public release will most likely precede the release of Vista and be part of the next edition of Microsoft Exchange, due in the second half of 2006.
        • Wow! MS apologistrs are out in force today!

          I honestly chuckled when I read the article. Not that I hate MS in any ways, in fact I dual boot and tend to use Windows more than linux due to work. But honestlt, did ANYONE really believe that the next product out of MS would be ANY safer than previous products? I know that is what MS themselves claim they are focusing on, security that is, but with their trackrecord, I'd be surprised if we see less than 250 viruses over the first year or so after they release

      • Re:Short on Details (Score:5, Interesting)

        by Coryoth (254751) on Friday August 05 2005, @12:31AM (#13247379) Homepage Journal
        You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

        Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.

        Certainly there are potential issues, but I don't think there's really anything to panic about yet.

        Jedidiah.

  • What? Say it isn't so! (Score:3, Funny)

    by CypherXero (798440) on Thursday August 04 2005, @11:43PM (#13247180) Homepage
    Microsoft Windows is insecure! More details later, movie at 10.

  • Comments from a Monad developer (Score:5, Interesting)

    by Leeji (521631) <slashdot&leeholmes,com> on Thursday August 04 2005, @11:43PM (#13247181) Homepage

    The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

    That's not to belittle the dangers of script viruses, though.

    I wrote a blog entry about it here [leeholmes.com], in relation to Monad.

  • Doesn't bode well... (Score:3, Informative)

    by confusion (14388) on Thursday August 04 2005, @11:52PM (#13247223) Homepage
    For MS.

    But seriously, this is like tipping over someone in a wheelchair. It's a BETA of WINDOWS. Hopefully MS will learn from this before the release, though. I'm not up for a whole new vector of threats against my windows boxen.

    Jerry
    http://www.cyvin.org/ [cyvin.org]
  • I would think that people would quite going after all Windows. After all, there is not that much sport shooting ducks in a barrel. And it will be at least another decade before these ducks learn to fly.

  • Nothing serious i must say (Score:4, Interesting)

    by Anonymous Coward on Thursday August 04 2005, @11:56PM (#13247238)
    Something which requires you to execute a script on the computer is not a virus. Think if you execute a bash script in Linux and it goes on and put itself in all your bash scripts, would you call it a virus?

    This is actually nothing, it simply prepends/appends or put itself in the middle of existing MSH scripts. It is equivalent to, if you run a binary on your machine, it can attach itself to all the binaries on your machine.

    On top of that, MSH by default on let digitally signed scripts to execute hence once infected scripts on execute. This is not really a threat at all.
  • I'm sort of surprised that it didn't happen earlier.

    What would really be a surprise, pleasant one at that, is to see a F/OSS program actually plug the holes in Vista before it can sink?

    • I can mail you a Slackware boot disk. It will cure all of Vista's problems, before it is even released. :)

      That said, a lot more people would plug Windows holes (if for no other reason than to rid the world of zombies)... if MS would just free the source. But that would probably make poorly-written Perl code look good. ;)
  • Monad can be used to write scripts that do stuff!
  • How is this different than writing a ksh or bash script virus? Ksh and bash script viruses can be just as bad [virusbtn.com]. Heck, remember the Morris worm?

    I like bashing M$ just as much as the next ./er, but this might not be their bad just yet.
      • I remember it too. There's a good chance it could happen again: it would have to spread via HTTP, SMTP, and SSH vulnerabilities to use ports that aren't blocked on gateway systems, rather than telnet and rsh, and woould perhaps also require probing VPN setups to gain access from infected machines to corporate networks. But a better built package more aimed at damage could easily replicate its password guessing and replation capability and cause quite a lot more damage today. People should be concerned about
  • never mind the virus-

    windows now has a decent shell?!

    will wonders never cease?

    K.

  • So what? (Score:5, Insightful)

    by IchBinEinPenguin (589252) on Friday August 05 2005, @12:25AM (#13247358)
    All this proves is that Monad can find and modify text files (and that there are idiots out there who will misuse tools).
    About the only way around this is code-signing to prevent modification (yeah, like I'm gonna sign every single perl script I ever wrote.....)

    It's not like you can't do this in bash, awk, sed, perl, python, REXX etc. etc.

  • full circle wtf ? (Score:3, Funny)

    by bxbaser (252102) on Friday August 05 2005, @12:26AM (#13247362)
    I must be getting old when i see the full circles everywhere.

    when windows 95 came out the windows zealots where so quick to point out "no more haveing to type in dos windows is better than everything" now they will say "we have a shell windows is better than everything"

  • Leibnitz is rolling is his grave (Score:3, Interesting)

    by calculadoru (760076) <calculadoru@@@gmail...com> on Friday August 05 2005, @12:40AM (#13247412)
    Quoth the wise man in his treatise Monadology (1714) [uklinux.net]:
    "There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."

    And they they've managed to attack them??? Oh, the humanity...

  • More Windows viruses? (Score:5, Funny)

    by Lisandro (799651) on Friday August 05 2005, @12:45AM (#13247427)
    Awwww, crap guys. Let it go already. It's a bit like kicking a crippled at this point.

  • An Example of One of the So-Called Viruses (Score:5, Informative)

    by AdamBa (64128) on Friday August 05 2005, @12:50AM (#13247454) Homepage
    This is the verbatim text of one of the five viruses:

    $name_array=get-childitem *.msh
    foreach ($name in $name_array)
    {
    if ($name.Length -eq 249)
    $my_file=$name.Name
    }
    }

    foreach ($victim in $name_array)
    {
    if ($name.Length -ne 249)
    {
    copy-item $my_file $name.Name
    }
    }

    All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).

    The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.

    - adam

  • PC World has the most sensationalized version... (Score:3, Informative)

    by AdamBa (64128) on Friday August 05 2005, @12:59AM (#13247482) Homepage
    Right here [pcworld.com]. "Microsoft's newest operating system in beta only a week, but already leaky." Eeek!! It claims the viruses "take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code". Only problem is, Monad is not included in the Windows Vista beta code. Then it talks about how they "take advantage of security vulnerabilities in the new command shell". Like the ability to run scripts?

    - adam

  • Misleading topic (Score:3, Informative)

    by Jugalator (259273) on Friday August 05 2005, @01:19AM (#13247538) Journal
    It should be "Windows XP/2003/Vista Tool Targeted By Virus Writers". It won't just be for Vista. The tool is also still in early beta, and I'm not even sure what the script did; is it a script like "rm *", or does it exploit any actual vulnerabilities? There's too little info here to know if this is anything to call news or not...

    Monad will also not be included with Windows Vista RTM.

  • So bloody what ? (Score:3, Interesting)

    by polyp2000 (444682) on Friday August 05 2005, @01:42AM (#13247594) Homepage Journal
    As much as i despise microsoft and avoid using windows at whatever cost. They have not released Vista to end users yet. The purpose of a beta is to find out what the problems and issues are and resolve them. Wait until they release a final before criticising I am sure there will be plenty of viruses and bugs to get excited about then! (How else are they going to continue shipping their AV software ?)

  • The Monad (Score:4, Funny)

    by payndz (589033) on Friday August 05 2005, @01:50AM (#13247623)
    In the comic series [2000adonline.com]The ABC Warriors [wikipedia.org] (specifically the story 'Black Hole'), the Monad was a bloated, ruthless manifestation of all human evil that attempted to destroy the Earth by corrupting and overloading the incredible technological achievement that linked humanity together.

    But I'm sure that's just a coincidence.

  • i dont see why this is news.... (Score:4, Informative)

    by Madd Scientist (894040) on Friday August 05 2005, @02:32AM (#13247733)
    1) it's a scripting language
    2) assume you already have command line access

    a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.

    this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.

  • Too many Moving Parts (Score:3, Insightful)

    by ajs318 (655362) <{ku.oc.dohshtrae} {ta} {2pser_ds}> on Friday August 05 2005, @03:32AM (#13247928)
    Why the hell does a command line interface need to incorporate Object Oriented features? This sounds to me like adding features for features' sake.

    The more sophisticated you make a system, the more failure modes you introduce -- and the harder it gets to test the edge cases, because there end up being too many edges. You want Obejct Oriented? I'll give you an Object Oriented example. Let's have a "length" type with properties which correspond to its conversion into different measuring units.
    var height IsOfType length
    reset height
    let height = 1.75
    print height.feet # prints 5
    print height.feet.inches # prints 8.8975
    print height.inches # prints 68.8975
    reset height
    let height.inches = 72
    print height.feet # prints 6
    print height # prints 1.8288
    forget height
    It may well be pretty, but outside of any programme dealing with units conversion it's fairly unnecessary. And it contains many programming hazards which would thwart the careless implementor. {BTW, that was a fictitious example; but I'm willing to bet there is at least one programming language out there that actually implements something like it.}

    All a command shell really has to do is be able to launch programmes, police the I/O traffic and keep hold of some state information. If it can do all that right, any other functionality you need can be provided by external programmes. That way, everything is kept as simple as it needs to be; you haven't got code cluttering up things that don't need it. If you do build functionality into the shell, there should be a bloody good reason -- usually that reason is that some external programme is getting launched more than its fair share. And in that case you already have the code you need to incorporate and it's been thoroughly tested.

  • Everything that was once, will be again... (Score:3, Informative)

    by Spoing (152917) on Friday August 05 2005, @05:41AM (#13248194) Homepage
    "As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory."

    As time goes on, they keep reinventing bits and pieces of Unix.

    • Re:What's the motivation (Score:3, Funny)

      by Anonymous Coward
      So l337 h4x0rz c4n pwn j00!!!!
    • Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary. When someone gets big-headed it's only natural to poke fun at them, or in a more sinister way, to want to exploit holes & make a big noise about it. It's like throwing cream pies at famous people, to embarass them in public. (Disclaimer: I'm a programmer, not a cracker or virus writer. I've never chucked a cream pie at a Personage

      • Re:What's the motivation (Score:5, Interesting)

        by dedazo (737510) on Friday August 05 2005, @12:48AM (#13247443) Journal
        Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary.

        Yeah, it sucks when that happens [mozilla.org].

        Of course you can always "embargo" all your vulnerability details (see for example bug #294795) - and feel comfortable in your superior position!

    • Re:Oopsie! (Score:4, Interesting)

      by jmking1 (899043) on Friday August 05 2005, @12:21AM (#13247345)
      That's exactly the reasoning people used in support of Firefox before 1.0 was released. I don't see why it can't be used for any beta software.

      Oh, and just for completeness, vulnerabilities have been found in Firefox since 1.0, so the argument that only Microsoft releases "beta" (read: vulnerable/insecure) code as production-level software doesn't work either.

    • Re:Not a vulnerability (Score:5, Insightful)

      by dedazo (737510) on Friday August 05 2005, @12:36AM (#13247398) Journal
      Slashdot has a history of reporting user-executed attachments as "vulnerabilities", to the never ending delight of the peanut gallery, who consider that it's Microsoft's fault if I run something I shouldn't have on my computer, but if I do the same thing on any other OS, it's my fault.

      Plus, Hakko Mipponen (or whatever his name is) has to make a living scaring the bejezus out of everyone - what better way to get started than with something that's not even really out of alpha?

        • Mikko Hypponen

          Am I suppose to believe you're him?

          But very few of the most widespread viruses in the world rely on vulnerabilities.

          Right, and assuming you are Hypponen, how does this affect you (or not)? I was making a comment about Slashdot, not you.

          OTOH, assuming you are who you say you are, let me just say that I'm hardly the first person in the world to point out that companies like F-Secure tend to be on the unfortunate side of hysteria when it comes to reporting vulnerabilities. So don't be off

        • The real issue

          The real issue is that I do not want a case-sensitive file system, or one that requires me to do all sorts of command line incantations to run a script. It's not my fault that Joe User and his 1,000,000 friends are stupid.

          In any case, I can send you a tarball with the execute bit turned on and ask you to unpack it and run the REAL COOL ANNA KOURNIKOVA SCREENSAVER!!!, and chances are you'll do it. Chances are when Linux hits the "big time" there will be something slightly more functional t

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.