Windows Vista Tool Targeted By Virus Writers
An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."
Short on Details (Score:3, Interesting)
But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be an advanced batch script that can spread itself then del
Re:Short on Details (Score:5, Informative)
You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.
There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here [leeholmes.com].
Re:Short on Details (Score:4, Informative)
Re:Short on Details (Score:2)
The most obvious thing wrong with your statement: Monad is part of the Vista beta. If it wasn't shipping with Vista, what's the point of putting it in the beta?
Re:Short on Details (Score:3, Interesting)
I honestly chuckled when I read the article. Not that I hate MS in any way; in fact I dual boot and tend to use Windows more than Linux due to work. But honestly, did ANYONE really believe that the next product out of MS would be ANY safer than previous products? I know that is what MS themselves claim they are focusing on, security that is, but with their track record, I'd be surprised if we see less than 250 viruses over the first year or so after they release
Re:Short on Details (Score:2)
Re:Short on Details (Score:2)
Re:Short on Details (Score:2)
Re:Short on Details (Score:2)
Re:Short on Details (Score:5, Interesting)
Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.
Certainly there are potential issues, but I don't think there's really anything to panic about yet.
Jedidiah.
Re:Short on Details (Score:2, Informative)
What's funny is that F-Secure makes F-Prot, one of the better cheap-to-free antivirus software packages that works on both Windows and Linux.
What I love about the Windows version is that you can run it on some old P3-450 and still end up with a working machine. Try the same with Symantec and you end up with a paperweight.
Also, F-Prot works on Linux, and I
Re:Short on Details (Score:3, Informative)
Re:Short on Details (Score:2)
Re:Short on Details (Score:2)
Re:Short on Details (Score:2)
Read Lee's post [leeholmes.com] or my post [proudlyserving.com] for more opinion.
- adam
What? Say it isn't so! (Score:3, Funny)
Re:What? Say it isn't so! (Score:5, Insightful)
Comments from a Monad developer (Score:5, Interesting)
The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.
That's not to belittle the dangers of script viruses, though.
I wrote a blog entry about it here [leeholmes.com], in relation to Monad.
Re:Comments from a Monad developer (Score:2, Funny)
Re:Comments from a Monad developer (Score:4, Insightful)
For those of you who still don't get it: stop logging in as an administrator you idiots.
Re:Comments from a Monad developer (Score:5, Insightful)
I'm sure I'm not the only developer out there who's had to rewrite some stuff to keep XP happy. And, despite the extra work, I see it as a good thing.
Re:Comments from a Monad developer (Score:5, Interesting)
You might not even need the popup. My firewall on a couple of machines has a database it can go out to search and see if this application is "known" and should have access.
It might be less secure than a total limited-account-lockdown, but it would be better than nothing. In fact, I think the latest version of ZoneAlarm already has this sort of "inner firewall".
Re:Comments from a Monad developer (Score:3, Insightful)
Re:Comments from a Monad developer (Score:3, Funny)
Because people are retards and would click "no, don't allow access," then proceed to whinge to tech support that their internet is broken, nothing works, blah blah...
OTOH, people are retards and would click "yes, do allow access," then proceed to whinge to tech support that their computer is broken, nothing works, blah blah.
Re:Comments from a Monad developer (Score:2)
I remember there being a few problems, such as most apps talk to X, so you have to let that through, and then X connects to everything else, so it's like you have a big hole in your sieve.
Also it gets more difficult when you have shared memory etc.
http://www.nsa.gov/selinux/info/faq.cfm [nsa.gov]
Re:Comments from a Monad developer (Score:2)
Actually, they can, and they are. One of the new features of Vista (provided it makes it in) is the ability to virtualize both registry settings and certain system folders. I can't remember if they are doing it on a per-user-account level or a per-application level, but in effect, legacy software gets its own copy of the registry and certain system files. There is a bit of a description of it h [microsoft.com]
Re:Comments from a Monad developer (Score:5, Funny)
Re:Comments from a Monad developer (Score:5, Funny)
Sneaky, huh?
Re:Comments from a Monad developer (Score:2, Funny)
Re:Comments from a Monad developer (Score:5, Funny)
Looking at the syntax, I think the GPL version is called Perl 6
Re:Comments from a Monad developer (Score:3, Funny)
Moobs.
KFG
Re:Comments from a Monad developer (Score:2)
Re:Comments from a Monad developer (Score:4, Informative)
The short answer: It's a codename. It won't ship with that name. Most likely it'll go with the less interesting "Microsoft Shell" or "msh".
The long answer: Monad [wikipedia.org] and Monads in functional programming [wikipedia.org] (long answer has been diverted to Wikipedia, because I'm lazy).
The non-answer: Get your mind out of the gutter, you pervert. Not everything ending in "-nad" refers to genitalia.
Re:Comments from a Monad developer (Score:2)
Re:Comments from a Monad developer (Score:2)
Re:Comments from a Monad developer (Score:2)
Yes, but it is extremely difficult not to snicker when one reads "mo'nad"....
Re:Comments from a Monad developer (Score:3, Funny)
Would you have preferred "Warthy Warthog" or "Sweaty Weasel"?
Re:Comments from a Monad developer (Score:2)
"The Collaborative International Dictionary of English v.0.48"
Monad Mon"ad, n. L. monas, -adis, a unit, Gr. ?, ?, fr.
mo`nos alone.
1. An ultimate atom, or simple, unextended point; something
ultimate and indivisible.
1913 Web
Re:Comments from a Monad developer (Score:2)
Some people at MS have actually been pretty active in the Haskell community, so the word probably came from there in
Doesn't bode well... (Score:3, Informative)
But seriously, this is like tipping over someone in a wheelchair. It's a BETA of WINDOWS. Hopefully MS will learn from this before the release, though. I'm not up for a whole new vector of threats against my windows boxen.
Jerry
http://www.cyvin.org/ [cyvin.org]
Re:Doesn't bode well... (Score:2)
How the hell these virus writers execute it on Vista B1 is a mystery to me.
Re:Doesn't bode well... (Score:2)
Download it from beta.microsoft.com, install it, then run it, maybe?
Re:Doesn't bode well... (Score:2)
As many people have mentioned before.
Collective name for Linux machines = Boxen.
Collective name for Windows machines = Crap.
R.
Re:Doesn't bode well... (Score:2)
As others have pointed out, this is not a notification of a vulnerability. The exact same things can be done with Python, Bash, Ruby, Perl... hell, you can even write stuff with the general gist of this with batch files and the DOS command line.
As far as we can tell, and this includes a reply from a writer of Monad elsewhere in the discussion, this is an alarmist article proving little other than the fact that Monad is a shell scripting language.
Not very sporting. (Score:2)
Nothing serious i must say (Score:4, Interesting)
This is actually nothing; it simply prepends/appends or puts itself in the middle of existing MSH scripts. It is equivalent to running a binary on your machine that attaches itself to all the binaries on your machine.
On top of that, MSH by default only lets digitally signed scripts execute, hence once infected, scripts won't execute. This is not really a threat at all.
Re:Nothing serious i must say (Score:2)
No, I'd call it a trojan that infects my system with a virus.
Re:Nothing serious i must say (Score:2)
That's not to say that these scripts are any different than a Bash script in a Linux environment. But they are viruses.
As for the digitally-signed scripts, how do I write my own scripts? Presumably I have to digitally sign them before I can use them, if what you say is true. What's to stop a script from getting other scripts/executables that it modifies re-signed through that same mechanism?
No surprise here (Score:2)
What would really be a surprise, a pleasant one at that, is to see an F/OSS program actually plug the holes in Vista before it can sink.
If you want... (Score:2)
That said, a lot more people would plug Windows holes (if for no other reason than to rid the world of zombies)... if MS would just free the source. But that would probably make poorly-written Perl code look good.
Re: (Score:2)
This just in! (Score:2, Redundant)
How is this different from *NIX shell scripts? (Score:5, Insightful)
I like bashing M$ just as much as the next
Re:How is this different from *NIX shell scripts? (Score:2)
Essentially, any time anything is being executed on a system, and that thing has a known/knowable format, it's going to be vulnerable to viral infection.
Re:How is this different from *NIX shell scripts? (Score:2)
What a load of hypothetical nonsense. To quote from the end of that article:
At this stage, Unix shell script malware as such is more targeted at the specific machine - currently it doesn't spread its code to other machines natively. So far, it couldn't survive on its own.
Yes, I remember the Morris worm (1988). It had nothing to do with scripts, as it exploited holes in programs that were hanging open on the net. Holes that have long since been closed. Also, back then use of firewalls apart from at the cor
Re:How is this different from *NIX shell scripts? (Score:3, Interesting)
Re:How is this different from *NIX shell scripts? (Score:2)
Also remember, Microsoft's security models are not based on allowing the minimum privileges necessary to complete an operation. Due to the way they handle hardware, especially video, they can
NO WAY! (Score:2, Funny)
windows now has a decent shell?!
will wonders never cease?
K.
It still is a beta after all. (Score:2, Funny)
Re:It still is a beta after all. (Score:2)
OMG a shell! (Score:2)
OMG a shell! it like does things! and without a mouse!!
So what? (Score:5, Insightful)
About the only way around this is code-signing to prevent modification (yeah, like I'm gonna sign every single perl script I ever wrote.....)
It's not like you can't do this in bash, awk, sed, perl, python, REXX etc. etc.
Monad does support code signing (Score:2)
Actually, code signing does partially solve this problem, so that's one of the avenues we've taken. See my post about it [leeholmes.com] (although I feel like a whore for posting it again.)
That said, once you have a code signing infrastructure to save you from untrusted script publishers, your signing keys become the attack point. Malicious code can create another malicious script, and then sign it with your keys. To prevent that threat, always password protect your signing keys. When you do so, Windows brings up a di
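Both this post and the "So what?" comment above treat signing as the defence against script modification. As an added example (not the Monad developer's code, and not from the original thread), here is a script-integrity check written for modern PowerShell, assumed as the shipped successor of the Monad beta: it records a hash and signature baseline for every script under a hypothetical C:\Scripts folder and on later runs reports scripts that changed or whose Authenticode signature is no longer valid, which is exactly what a script infector of the kind described here leaves behind.

```powershell
# Added example, not from the original post. Assumes modern PowerShell with
# Get-FileHash and Get-AuthenticodeSignature available. $ScriptRoot and the
# baseline file path are hypothetical values for illustration.
param(
    [string]$ScriptRoot = "C:\Scripts",
    [string]$Baseline   = "$env:TEMP\script-baseline.xml"
)

function Get-ScriptState {
    param([string]$Root)
    # One record per script: content hash plus signature status and signer.
    Get-ChildItem -Path $Root -Recurse -Include *.ps1, *.psm1 -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

if (-not (Test-Path $Baseline)) {
    # First run: record the known-good state of every script.
    Get-ScriptState -Root $ScriptRoot | Export-Clixml -Path $Baseline
    Write-Output "Baseline written to $Baseline"
    return
}

$old = Import-Clixml -Path $Baseline
$new = Get-ScriptState -Root $ScriptRoot
$oldByPath = @{}
foreach ($o in $old) { $oldByPath[$o.Path] = $o }

foreach ($n in $new) {
    $o = $oldByPath[$n.Path]
    if ($null -eq $o) {
        # A script that did not exist at baseline time.
        Write-Output "NEW              $($n.Path) (status: $($n.Status))"
    } elseif ($o.Sha256 -ne $n.Sha256) {
        # Content changed since the baseline: prepended, appended or spliced code.
        Write-Output "MODIFIED         $($n.Path) (status now: $($n.Status))"
    } elseif ($o.Status -eq 'Valid' -and $n.Status -ne 'Valid') {
        # Same bytes but the signature no longer verifies (e.g. revoked cert).
        Write-Output "SIGNATURE BROKEN $($n.Path)"
    }
}
```

Run it once to write the baseline, then again on a schedule; any MODIFIED line on a signed script will also show a HashMismatch status, since the signature covers the file contents.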
full circle wtf ? (Score:3, Funny)
when Windows 95 came out the Windows zealots were so quick to point out "no more having to type in DOS, Windows is better than everything"; now they will say "we have a shell, Windows is better than everything"
Re:full circle wtf ? (Score:2)
Leibnitz is rolling in his grave (Score:3, Interesting)
"There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."
And they've managed to attack them??? Oh, the humanity...
Gist (Score:2)
My 2 cents anyway.
Here's the very Squashed [btinternet.com] version with the important text
More Windows viruses? (Score:5, Funny)
An Example of One of the So-Called Viruses (Score:5, Informative)
All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).
The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.
- adam
Re:An Example of One of the So-Called Viruses (Score:2)
It only used a few lines; a set of echo commands to create a .com file followed by a line to run that .com file.
Now, it won't work because the reboot sequence -- jumping to the end of the bios and poking in the string 123 -- is now trapped by any protected mode OS. That, and I don't even know if headerless .com files are valid anymore under XP's CMD.EXE.
PC World has the most sensationalized version... (Score:3, Informative)
- adam
Re:PC World has the most sensationalized version.. (Score:3, Informative)
It will probably not [microsoft-watch.com] be included in the final Windows Vista code either.
It'll be a separate, downloadable tool for all MS OSes since Windows XP.
I'm still looking for the connection to Windows Vista here...
Re:PC World has the most sensationalized version.. (Score:2, Insightful)
Misleading topic (Score:3, Informative)
Monad will also not be included with Windows Vista RTM.
Hey -- Give MS a break! (Score:2)
Big pat on the back to all you Windows coders out there in Redmond!
Second and most important, these are only shell scripts meant to be executed in Monad -- not some nasty Outlook/IE infecting VB script that spreads like super-flu.
No... those babies won't be hatching till NEXT week.
I'd say this is a marked improvement in Windows Security overall. Bill must be proud right about now.
You've got your chocolate in my peanut butter. (Score:2)
Interesting... (Score:2)
So when Monad is considered a feature, it won't be in WV, but when it is a problem, it's magically back in there.
The truth is, no one knows for sure if Monad will be in, and this "virus" is just a fucking shell script.
Everyone, type rmdir c:\ and pass it along.
Re:Interesting... (Score:2)
"Virus writers are targeting a new Microsoft tool that will be part of Windows and is set to ship as part of the next Exchange e-mail server release."
Again, the topic there is also misleading; this isn't about Vista, this is about Monad. Monad will be released for three operating systems, not one. And I hear now it's not even a vulnerability.
So bloody what ? (Score:3, Interesting)
The Monad (Score:4, Funny)
But I'm sure that's just a coincidence.
i dont see why this is news.... (Score:4, Informative)
2) assume you already have command line access
a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.
this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.
Virusproof Windows. (Score:2)
Too many Moving Parts (Score:3, Insightful)
The more sophisticated you make a system, the more failure modes you introduce -- and the harder it gets to test the edge cases, because there end up being too many edges. You want Object Oriented? I'll give you an Object Oriented example. Let's have a "length" type with properties which correspond to its conversion into different measuring units. It may well be pretty, but outside of any programme dealing with units conversion it's fairly unnecessary. And it contains many programming hazards which would thwart the careless implementor. {BTW, that was a fictitious example; but I'm willing to bet there is at least one programming language out there that actually implements something like it.}
All a command shell really has to do is be able to launch programmes, police the I/O traffic and keep hold of some state information. If it can do all that right, any other functionality you need can be provided by external programmes. That way, everything is kept as simple as it needs to be; you haven't got code cluttering up things that don't need it. If you do build functionality into the shell, there should be a bloody good reason -- usually that reason is that some external programme is getting launched more than its fair share. And in that case you already have the code you need to incorporate and it's been thoroughly tested.
Re:Too many Moving Parts (Score:2, Insightful)
Can you imagine a command-line interface that didn't support aliases, functions, the ability to do more than just launch programs? Even command.com wasn't that limited. My daily experience at work (Linux) would suck if I hadn't been able to customize the shell as I have.
And as for testing - it's not that hard. Since the same language is use
Everything that was once, will be again... (Score:3, Informative)
As time goes on, they keep reinventing bits and pieces of Unix.
These people are smart (Score:2)
Help me understand.... (Score:2)
2. Microsoft can't be held responsible because shell scripts can be written and run in *nix/*nux too, so what's the big?
No! I don't believe it! (Score:2)
Re:What's the motivation (Score:3, Funny)
Re:What's the motivation (Score:3, Insightful)
Re:What's the motivation (Score:5, Interesting)
Yeah, it sucks when that happens [mozilla.org].
Of course you can always "embargo" all your vulnerability details (see for example bug #294795) - and feel comfortable in your superior position!
Re:What's the motivation (Score:2)
They have never said this about Monad, as far as I can tell.
Note that this article isn't about Vista, but Monad.
Re:What's the motivation (Score:2)
Sure, I'm replying to my own non-proofed post, but that's one hole of a typo.
Re:A Windows beta is exploitable?? (Score:2)
Re:A Windows beta is exploitable?? (Score:2)
I do actually. I get opportunities to say "well what do you expect if you use Windows?" to people that way.
Of course, to be fair to MS, in this case the article is BS.
Re:Oopsie! (Score:4, Interesting)
Oh, and just for completeness, vulnerabilities have been found in Firefox since 1.0, so the argument that only Microsoft releases "beta" (read: vulnerable/insecure) code as production-level software doesn't work either.
Re:Not a vulnerability (Score:5, Insightful)
Plus, Hakko Mipponen (or whatever his name is) has to make a living scaring the bejezus out of everyone - what better way to get started than with something that's not even really out of alpha?
Re:Not a vulnerability (Score:2)
Wrong! That's actually Windows-executed attachments which are vulnerabilities.
Users don't want to execute anything when they click on something that Windows tells them is a picture, for example.
So Windows fools the user, and worse, Windows does things that the user never wanted.
to the never ending delight of the peanut gallery, who consider that it's Microsoft's fault if I run something I shouldn't have on my computer, but if I
Re:Not a vulnerability (Score:3, Insightful)
Am I supposed to believe you're him?
But very few of the most widespread viruses in the world rely on vulnerabilities.
Right, and assuming you are Hypponen, how does this affect you (or not)? I was making a comment about Slashdot, not you.
OTOH, assuming you are who you say you are, let me just say that I'm hardly the first person in the world to point out that companies like F-Secure tend to be on the unfortunate side of hysteria when it comes to reporting vulnerabilities. So don't be off
Re:Not a vulnerability (Score:3, Interesting)
The real issue is that I do not want a case-sensitive file system, or one that requires me to do all sorts of command line incantations to run a script. It's not my fault that Joe User and his 1,000,000 friends are stupid.
In any case, I can send you a tarball with the execute bit turned on and ask you to unpack it and run the REAL COOL ANNA KOURNIKOVA SCREENSAVER!!!, and chances are you'll do it. Chances are when Linux hits the "big time" there will be something slightly more functional t