Windows Vista Tool Targeted By Virus Writers

An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."

Short on Details

There are always virus writers who want to be the first to write a virus for a new platform.

I don't see what a big deal being the first person to write a virus for Vista is. Oh, first post!

But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be a advanced batch script that can spread it self then del /s /q.

Re:Short on Details

You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here [leeholmes.com].

Re:Short on Details

I believe Monad/MSH is no longer even a part of the Longhorn release, so it is a bit unfair have everyone jump on it as a Windows Vista exploit. From Wikipedia [wikipedia.org]:

MSH was originally slated to be shipped with Windows Vista, but has since assumed its own release schedule. Microsoft sources have confirmed MSH's first public release will most likely precede the release of Vista and be part of the next edition of Microsoft Exchange, due in the second half of 2006.

Re:Short on Details

You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.

Certainly there are potential issues, but I don't think there's really anything to panic about yet.

Jedidiah.

What? Say it isn't so!

Microsoft Windows is insecure! More details later, movie at 10.

Re:What? Say it isn't so!

This just in! Running arbitrary code from an untrusted source not a security best-practice!

Comments from a Monad developer

The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

That's not to belittle the dangers of script viruses, though.

I wrote a blog entry about it here [leeholmes.com], in relation to Monad.

Re:Comments from a Monad developer

They've stated that they dont care if legacy apps break, and they proved it (somewhat) with XP SP2, and an anti-spyware tool which kicks the crap out of a lot of old code.

I'm sure I'm not the only developer out there who's had to rewrite some stuff to keep XP happy. And, despite the extra work, I see it as a good thing.

Re:Comments from a Monad developer

I don't see why they can't lock it down firewall-style. When XYZ application runs and tries to hit a reserved directory or section of the registry, popup a window saying so and ask if you want to allow it.

You might not even need the popup. My firewall on a couple of machines has a database it can go out to search and see if this application is "known" and should have access.

It might be less secure than a total limited-account-lockdown, but it would be better than nothing. In fact, I think the latest version of ZoneAlarm already has this sort of "inner firewall".

Re:Comments from a Monad developer

The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.
 
For those of you who still don't get it: stop logging in as an administrator you idiots.

Re:Comments from a Monad developer

Believe it or not but "Monad" wasn't their first choice. Other names which were seriously considered include: Mesticle, Menis, Magina and Mitoris ...

Re:Comments from a Monad developer

Yabbut if they'd chosen one of those other names the GNU version wouldn't end up being called Gonad.

Sneaky, huh?

Re:Comments from a Monad developer

Yabbut if they'd chosen one of those other names the GNU version wouldn't end up being called Gonad.

Looking at the syntax, I think the GPL version is called Perl 6

Re:Comments from a Monad developer

The real question is why the heck they decided to call it "Monad"?!

The short answer: It's a codename. It won't ship with that name. Most likely it'll go with the less interesting "Microsoft Shell" or "msh".

The long answer: Monad [wikipedia.org] and Monads in functional programming [wikipedia.org] (long answer has been diverted to Wikipedia, because I'm lazy).

The non-answer: Get your mind of the gutter, you pervert. Not everything ending in "-nad" refers to genitalia.

What's the motivation

Behind attacking Microsoft?

Re:What's the motivation

Maybe it's because they pound their chests and declare they're the most secure, cheapest, bestest, fastest, etc, etc, even when there's overwhelming evidence to the contrary.

Yeah, it sucks when that happens [mozilla.org].

Of course you can always "embargo" all your vulnerability details (see for example bug #294795) - and feel comfortable in your superior position!

Doesn't bode well...

For MS.

But seriously, this is like tipping over someone in a wheelchair. It's a BETA of WINDOWS. Hopefully MS will learn from this before the release, though. I'm not up for a whole new vector of threats against my windows boxen.

Jerry
http://www.cyvin.org/ [cyvin.org]

Not very sporting.

I would think that people would quite going after all Windows. After all, there is not that much sport shooting ducks in a barrel. And it will be at least another decade before these ducks learn to fly.

Nothing serious i must say

Something which requires you to execute a script on the computer is not a virus. Think if you execute a bash script in Linux and it goes on and put itself in all your bash scripts, would you call it a virus?

This is actually nothing, it simply prepends/appends or put itself in the middle of existing MSH scripts. It is equivalent to, if you run a binary on your machine, it can attach itself to all the binaries on your machine.

On top of that, MSH by default on let digitally signed scripts to execute hence once infected scripts on execute. This is not really a threat at all.

No surprise here

I'm sort of surprised that it didn't happen earlier.

What would really be a surprise, pleasant one at that, is to see a F/OSS program actually plug the holes in Vista before it can sink?

This just in!

Monad can be used to write scripts that do stuff!

How is this different from *NIX shell scripts?

How is this different than writing a ksh or bash script virus? Ksh and bash script viruses can be just as bad [virusbtn.com]. Heck, remember the Morris worm?

I like bashing M$ just as much as the next ./er, but this might not be their bad just yet.

No Monad.

Monad's not going into Vista/Longhorn, hadn't you heard?

NO WAY!

never mind the virus-

windows now has a decent shell?!

will wonders never cease?

K.

It still is a beta after all.

Give M$ some time to work its magic, then there will be plenty of holes and viruses for all!

OMG a shell!

http://www.macworld.com/news/2005/08/04/vistavirus es/index.php [macworld.com]

OMG a shell! it like does things! and without a mouse!!

From the Article:

"Five proof-of-concept viruses that target Monad, the next version of Microsoft's command prompt, were included in a recently published virus writing magazine, according to Mikko Hyppönen, the director of antivirus research at F-Secure."

I'm certain this comment will pit Slashdoter against Slashdoter, but with all the so called "free speech" that is actively being censored one subject at a time today, why is it that these people aren't under the sociopolitical microscope for publishing this kind of information?

Furthermore and looking at the situation from a different angle, not long ago I heard (or read, I can't remember which) someone in the government refer to the writing of malicious code and hacking of computer systems (especially crucial and/or sensitive ones) was to be considered an "act of terrorism." Now tell me, if I or anyone else can be arrested for training people how to commit "acts of terrorism" in the real world, why hasn't this applied to the digital world as yet?

So what?

All this proves is that Monad can find and modify text files (and that there are idiots out there who will misuse tools).
About the only way around this is code-signing to prevent modification (yeah, like I'm gonna sign every single perl script I ever wrote.....)

It's not like you can't do this in bash, awk, sed, perl, python, REXX etc. etc.

full circle wtf ?

I must be getting old when i see the full circles everywhere.

when windows 95 came out the windows zealots where so quick to point out "no more haveing to type in dos windows is better than everything" now they will say "we have a shell windows is better than everything"

Leibnitz is rolling is his grave

Quoth the wise man in his treatise Monadology (1714) [uklinux.net]:
"There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."

And they they've managed to attack them??? Oh, the humanity...

More Windows viruses?

Awwww, crap guys. Let it go already. It's a bit like kicking a crippled at this point.

Virus writers...

Well I guess they've really got Microsoft by the monads now, eh?

Highest form of wit! ;)

An Example of One of the So-Called Viruses

This is the verbatim text of one of the five viruses:

$name_array=get-childitem *.msh
foreach ($name in $name_array)
{
if ($name.Length -eq 249)
$my_file=$name.Name
}
}

foreach ($victim in $name_array)
{
if ($name.Length -ne 249)
{
copy-item $my_file $name.Name
}
}

All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).

The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.

- adam

PC World has the most sensationalized version...

Right here [pcworld.com]. "Microsoft's newest operating system in beta only a week, but already leaky." Eeek!! It claims the viruses "take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code". Only problem is, Monad is not included in the Windows Vista beta code. Then it talks about how they "take advantage of security vulnerabilities in the new command shell". Like the ability to run scripts?

- adam

Misleading topic

It should be "Windows XP/2003/Vista Tool Targeted By Virus Writers". It won't just be for Vista. The tool is also still in early beta, and I'm not even sure what the script did; is it a script like "rm *", or does it exploit any actual vulnerabilities? There's too little info here to know if this is anything to call news or not...

Monad will also not be included with Windows Vista RTM.

Hey -- Give MS a break!

First off -- credit where it's due, it took a few days for these to show up. Unlike the mere hours it took before.

Big pat on the back to all you Windows coders out there in Redmond!

Second and most important, these are only shell scripts meant to be executed in Monad -- not some nasty Outlook/IE infecting VB script that spreads like super-flu.

No... those wont babies wont be hatching till NEXT week.

I'd say this is a marked improvement in Windows Security overall. Bill must be proud right about now.

You've got your chocolate in my penut butter.

Combine the power and flexability of Unix-style scripting with the robust security of a Microsoft environment. As long as the millions of less savvy users are all operating within least-privalege account model this should be great.

Interesting...

Monad is now a "Windows Vista Tool." And just 2.5 months ago, Slashdot indicated Monad wouldn't be in Windows Vista [slashdot.org] (then codenamed Longhorn).

So when Monad is considered a feature, it won't be in WV, but when it is a problem, it's magically back in there.

The truth is, no one knows for sure if Monad will be in, and this "virus" is just a fucking shell script.

Everyone, type rmdir c:\ and pass it along.

So bloody what ?

As much as i despise microsoft and avoid using windows at whatever cost. They have not released Vista to end users yet. The purpose of a beta is to find out what the problems and issues are and resolve them. Wait until they release a final before criticising I am sure there will be plenty of viruses and bugs to get excited about then! (How else are they going to continue shipping their AV software ?)

The Monad

In the comic series [2000adonline.com]The ABC Warriors [wikipedia.org] (specifically the story 'Black Hole'), the Monad was a bloated, ruthless manifestation of all human evil that attempted to destroy the Earth by corrupting and overloading the incredible technological achievement that linked humanity together.

But I'm sure that's just a coincidence.

Read as "viruses that target Gonad"

And thought, "shit! my computer can get gonorrhea!!" (also known as Vista pka Longhorn)

Anyway, so what. Prediction: 1 week after Vista based servers come out, my internet will mysteriously slow down as a new attack wreaks havoc on all my fav pr0n sites. :-(

i dont see why this is news....

1) it's a scripting language
2) assume you already have command line access

a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.

this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.

Virusproof Windows.

If Microsoft made Windows completly immune to viruses, spyware, and the like, they would be immediatly sued by every dying for-profit anti-virus company, just like Netscape did.

Too many Moving Parts

Why the hell does a command line interface need to incorporate Object Oriented features? This sounds to me like adding features for features' sake.

The more sophisticated you make a system, the more failure modes you introduce -- and the harder it gets to test the edge cases, because there end up being too many edges. You want Obejct Oriented? I'll give you an Object Oriented example. Let's have a "length" type with properties which correspond to its conversion into different measuring units.

var height IsOfType length
reset height
let height = 1.75
print height.feet # prints 5
print height.feet.inches # prints 8.8975
print height.inches # prints 68.8975
reset height
let height.inches = 72
print height.feet # prints 6
print height # prints 1.8288
forget height

It may well be pretty, but outside of any programme dealing with units conversion it's fairly unnecessary. And it contains many programming hazards which would thwart the careless implementor. {BTW, that was a fictitious example; but I'm willing to bet there is at least one programming language out there that actually implements something like it.}

All a command shell really has to do is be able to launch programmes, police the I/O traffic and keep hold of some state information. If it can do all that right, any other functionality you need can be provided by external programmes. That way, everything is kept as simple as it needs to be; you haven't got code cluttering up things that don't need it. If you do build functionality into the shell, there should be a bloody good reason -- usually that reason is that some external programme is getting launched more than its fair share. And in that case you already have the code you need to incorporate and it's been thoroughly tested.

Beta release

So a beta release of your software goes out to about 500.000 beta testers & developers, and and up in the hands of concept virus writers within about a week after releasing it?
So your group of testers is not 100% trustworthy and to write a new concept virus only takes 1 week (including the "learning curve" on the new shell environment?).

It is going to be a bright and shiny future.

Monad

Hasn't Monad been dropped from the Vista/Longhorn Feature list?? I thought that it as just going to have the same/similar CLI as Windows XP? and Monad was going to be an 'upgrade' some time in the future?

Everything that was once, will be again...

"As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory."

As time goes on, they keep reinventing bits and pieces of Unix.

These people are smart

Apparently they haven't been around things like BASH enough because it's not very hard to write a similar "virus" in BASH script

Help me understand....

1. It's like a batch file and therefore doesn't count as a virus.
...but viruses started out as batch files and wiped a lot of harddrives.

2. Microsoft can't be held responsible because shell scripts can be written and ran in *nix/*nux too, so what's the big?
...but Windows has a long history of MSTD (Microsoft Terminal Disease) wherein everything is accessible all the time because they built an OS (nay, an NOS) on the principle of "everything is accessible unless explicitly stated otherwise." No other NOS has done this -- no serious one that's broadly used -- so Windows viruses, no matter what they are, have been very egregious.

The issue, to me, is whether or not Microsoft has finally figured out to really seperate the kernel (if they've ever really developed one) from what the user has access to. The reason viruses, malware, whatever, have never really bothered *nix/*nux/Netware is because of the basic principle of denying everything unless explicitly stated otherwise.

Our old Netware guys here still joke and laugh about the insanity that is Windows and security issues around it that a symbiont industry thrives on. Never did, or have, other NOSes generated such a special security area in the free market....

No! I don't believe it!

Bugs and security holes in a beta? No! It's impossible. Not that Microsoft gets the benefit of the doubt anymore, but let's at least wait until the product is out of the beta testing phase before we begin harping on it for bugs and security flaws. Unless, of course, the flaws exist because of fundamental problems with the design of the product (a la Internet Explorer). Then by all means, pile on!

Monad

Here was my first thought (it's obvious i didn't get much sleep last night)

Monad kinda sounds like it's a daemon related to a female...something that most geeks probably don't know much about....I bet this is a hoax...

Maybe it's time for sleep again.

uhm, yay?

He found a hole in a peice of BETA software...
last I checked the entire point of BETA sofware was to find holes in it.
ZOMGWTFBBQ he did exactly that! Whooptie fucking do!

you have earned yourself a cookie! go report it to whatever bug tracking sceme they're using and feel proud. or, do something tantamount to screaming "LOOKIT ME! I'M EVER SO SMART!" into a bullhorn while dancing naked with undies on your head in the middle of times square...

Straight from the horses mouth

From a Dec. 2004 "chat": Q: How is security addressed in Monad? A: This is a very board topic. We spend a lot of time on security. One of the common questions is "are we reintroducing script attacks?". We are doing a number of things to mitigate those exposures. 1) we will not have a doc handler for .msh files (this means that you won't be able to double-click a .msh file and have it run). 2) We'll have a policy that only allows signed scripts (from people you trust) to run (we'll then make it easy for you to sign scripts).

Hmm

Why do I get the feeling that this is the Monad equivalent of
$ echo "#!/bin/rm -rf" > ls

and probably not nearly as dangerous as the article makes it sound.

.Net sandbox?

similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework.

I thought that the .Net framework was supposed to prevent malicious code by sandboxing things.

.NET Dead?

Didn't Microsoft recently admit that .NET was a failure? If so, why are they including it in the core of Windows Vista?

It's comparing Apples and Oranges.

The vulnerabilities found are just a function of how popular the system is in the real world. Microsoft is a victim of its own success.
If Linux had as huge an installed base as Microsoft Vista then we would see all the script kiddies exploiting and 'owning' Linux boxes.
(c)2007

This is news?

Am I the only one to have seen every release of Microsoft since CP/M? Must be.

OF COURSE the virus writers already have a jump on the product before the beta is done. You don't really think 8,000 viruses this year so far, just *happen* do you?

The cycle continues.

The release.

The press proclaiming that it isn't selling. A handful of corporations jump on it for the same stupid reasons one can only make when earning more than a million dollars each year. (corporate stupidity).

Then comes the inevidable "We're going to stop supporting old release X" when more jump on board.

Just as people are getting settled in, OH! It's time for a new Office and maybe Works! The old ones are grossly incapable of doing simple math and are seriously lacking 'cool', so the herd begins to turn and shed their cash.

There are still people running DOS, ya know. And Wfw. And Win9x. They're happy as long as they don't use the net. (So they're safe)

When will corporate America and the man on the street tire of being surprised at this rope-a-dope?

Monad

is more akin to the bastard child of wmic and cmd; at least the beta i last saw was.

Wait my friends

It's just a beta product. All flaws are not fixed yet.

I suppose you all remember when Whistler (codename for windows XP) came out, it was full of bugs and security holes. This is normal, it's a beta. Now we all know that Windows XP is stable and secure as hell *cough cough*

Well, this explains MS's name change better...

Because this certainly confirms that windows virus's have a new VISTA to exploit!

turing machines considered harmful

• turing machines are universal.
• thus: you can write a self-replicating, propagating program (virus) in a turing machine.
• thus: the virus can be ported to any turing-complete system.
• thus: the only way to secure a system is to make it turing-incomplete.
• or: any reasonably useful system is susceptable to viruses.

Re:A Windows beta is exploitable??

Why? Do you prefer the release versions of Windows to be vulnerable instead? ;>

Re:Oopsie!

That's exactly the reasoning people used in support of Firefox before 1.0 was released. I don't see why it can't be used for any beta software.

Oh, and just for completeness, vulnerabilities have been found in Firefox since 1.0, so the argument that only Microsoft releases "beta" (read: vulnerable/insecure) code as production-level software doesn't work either.

Re:Not a vulnerability

Slashdot has a history of reporting user-executed attachments as "vulnerabilities", to the never ending delight of the peanut gallery, who consider that it's Microsoft's fault if I run something I shouldn't have on my computer, but if I do the same thing on any other OS, it's my fault.

Plus, Hakko Mipponen (or whatever his name is) has to make a living scaring the bejezus out of everyone - what better way to get started than with something that's not even really out of alpha?