Windows Vista Tool Targeted By Virus Writers

An anonymous reader writes "Five proof-of-concept viruses that target Monad, the next version of Vista's command prompt, have been published on the web. Monad is a command line interface and scripting language that is similar to Unix shells such as bash, but is based on object-oriented programming and the .Net framework. The viruses' only action is to infect other shell scripts on the host's operating system. They would cause little harm in the wild, but would be relatively easy to modify using the information from the article, said Mikko Hyppönen, the director of antivirus research at F-Secure."
  • Short on Details (Score:3, Interesting)

    by Anonymous Coward on Friday August 05, 2005 @12:42AM (#13247175)
    There are always virus writers who want to be the first to write a virus for a new platform.
    I don't see what a big deal being the first person to write a virus for Vista is. Oh, first post!

    But seriously, this article is very light on the details. I assume that these virus writers found a way to gain administrative rights using Monad, but the article makes it sound like these are just malicious scripts. It might as well be an advanced batch script that can spread itself then del /s /q.
    • Re:Short on Details (Score:5, Informative)

      by Leeji ( 521631 ) <slashdot AT leeholmes DOT com> on Friday August 05, 2005 @12:50AM (#13247207) Homepage

      You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

      There is nothing intrinsic in Monad that enables these attacks, aside from it being a new language. In fact, Monad implements several features that help mitigate the dangers of traditional script viruses, as I outline here [].

      • Re:Short on Details (Score:4, Informative)

        by Owndapan ( 789196 ) on Friday August 05, 2005 @01:13AM (#13247316)
        I believe Monad/MSH is no longer even a part of the Longhorn release, so it is a bit unfair to have everyone jump on it as a Windows Vista exploit. From Wikipedia []:
        MSH was originally slated to be shipped with Windows Vista, but has since assumed its own release schedule. Microsoft sources have confirmed MSH's first public release will most likely precede the release of Vista and be part of the next edition of Microsoft Exchange, due in the second half of 2006.
        • I don't think that article is saying that Monad is being dropped from Vista, but that it's being released ahead of Vista, and will still be a part of it (where previously it wouldn't be available until Vista shipped).

          The most obvious thing wrong with your statement: Monad is part of the Vista beta. If it wasn't shipping with Vista, what's the point of putting it in the beta?
        • Re:Short on Details (Score:3, Interesting)

          by IdleTime ( 561841 )
          Wow! MS apologists are out in force today!

          I honestly chuckled when I read the article. Not that I hate MS in any way, in fact I dual boot and tend to use Windows more than linux due to work. But honestly, did ANYONE really believe that the next product out of MS would be ANY safer than previous products? I know that is what MS themselves claim they are focusing on, security that is, but with their track record, I'd be surprised if we see less than 250 viruses over the first year or so after they release
      • Re:Short on Details (Score:5, Interesting)

        by Coryoth ( 254751 ) on Friday August 05, 2005 @01:31AM (#13247379) Homepage Journal
        You got it right when you said "it might as well be a batch script." These are just Monad scripts running on the system, just like batch files, perl scripts, Cygwin bash scripts, Ruby scripts, etc.

        Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats of viruses, hackers, "cyberterrorists" (if such a thing even exists), and whatever else they can dream up. Read through a decent sampling of their past press releases and you'll get the idea.

        Certainly there are potential issues, but I don't think there's really anything to panic about yet.

        • Re:Short on Details (Score:2, Informative)

          by mcrbids ( 148650 )
          Yes but you must remember that F-Secure are a bunch of alarmist gits who will jump at any opportunity to seed panic with regard to threats... <SNIP>

          What's funny is that f-secure makes f-prot, one of the better cheap-to-free antivirus software packages that works on both Windows and Linux.

          What I love about the Windows version is that you can run it on some old P3-450 and still end up with a working machine. Try the same with Symantec and you end up with a paperweight.

          Also, F-Prot works on Linux, and I
      • The key thing for two of the modes seems to be the knowledge of where a file came from. So tell me, is this IE only functionality that the file's metadata is tagged as 'downloaded'?
    • You would think from the way it was presented that "these virus writers found a way to gain administrative rights using Monad" but you'd be wrong. All they are, are some shell scripts. You still need to get the user to run them, they run with the same privilege the user has, etc.

      Read Lee's post [] or my post [] for more opinion.

      - adam

  • by CypherXero ( 798440 ) on Friday August 05, 2005 @12:43AM (#13247180) Homepage
    Microsoft Windows is insecure! More details later, movie at 10.
  • by Leeji ( 521631 ) <slashdot AT leeholmes DOT com> on Friday August 05, 2005 @12:43AM (#13247181) Homepage

    The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

    That's not to belittle the dangers of script viruses, though.

    I wrote a blog entry about it here [], in relation to Monad.

  • Doesn't bode well... (Score:3, Informative)

    by confusion ( 14388 ) on Friday August 05, 2005 @12:52AM (#13247223) Homepage
    For MS.

    But seriously, this is like tipping over someone in a wheelchair. It's a BETA of WINDOWS. Hopefully MS will learn from this before the release, though. I'm not up for a whole new vector of threats against my windows boxen.

    Jerry []
    • Funny thing is Monad is not even present in Vista beta 1!!!

      How the hell these virus writers execute it on Vista B1 is a mystery to me.

    • Sir.

      As many people have mentioned before.

      Collective name for Linux machines = Boxen.

      Collective name for Windows machines = Crap.
    • As others have pointed out, this is not a notification of a vulnerability. The exact same things can be done with Python, Bash, Ruby, Perl... hell, you can even write stuff with the general gist of this with batch files and the DOS command line.

      As far as we can tell, and this includes a reply from a writer of Monad elsewhere in the discussion, this is an alarmist article proving little other than the fact that Monad is a shell scripting language.

  • I would think that people would quit going after all Windows. After all, there is not that much sport shooting ducks in a barrel. And it will be at least another decade before these ducks learn to fly.
  • by Anonymous Coward on Friday August 05, 2005 @12:56AM (#13247238)
    Something which requires you to execute a script on the computer is not a virus. Think if you execute a bash script in Linux and it goes on and puts itself in all your bash scripts, would you call it a virus?

    This is actually nothing, it simply prepends/appends or puts itself in the middle of existing MSH scripts. It is equivalent to, if you run a binary on your machine, it can attach itself to all the binaries on your machine.

    On top of that, MSH by default only lets digitally signed scripts execute, hence once infected, scripts won't execute. This is not really a threat at all.
    • Something which requires you to execute a script on the computer is not a virus. Think if you execute a bash script in Linux and it goes on and puts itself in all your bash scripts, would you call it a virus?

      No, I'd call it a trojan that infects my system with a virus.
    • []

      That's not to say that these scripts are any different than a Bash script in a Linux environment. But they are viruses.

      As for the digitally-signed scripts, how do I write my own scripts? Presumably I have to digitally sign them before I can use them, if what you say is true. What's to stop a script from getting other scripts/executables that it modifies re-signed through that same mechanism?
  • I'm sort of surprised that it didn't happen earlier.

    What would really be a surprise, a pleasant one at that, is to see an F/OSS program actually plug the holes in Vista before it can sink?

    • I can mail you a Slackware boot disk. It will cure all of Vista's problems, before it is even released. :)

      That said, a lot more people would plug Windows holes (if for no other reason than to rid the world of zombies)... if MS would just free the source. But that would probably make poorly-written Perl code look good. ;)
    • "see a F/OSS program actually plug the holes in Vista before it can sink?"

      But wait! I can write a bash/perl/C/C++/python/ruby/php/java/C# virus that could run on your linux box and do bad stuff! Nevermind that I can't run it without access to your system! What if MS wrote a program to actually plug the holes in Linux before it can sink?
  • This just in! (Score:2, Redundant)

    by TummyX ( 84871 )
    Monad can be used to write scripts that do stuff!
  • by MagikSlinger ( 259969 ) on Friday August 05, 2005 @01:04AM (#13247278) Homepage Journal
    How is this different than writing a ksh or bash script virus? Ksh and bash script viruses can be just as bad []. Heck, remember the Morris worm?

    I like bashing M$ just as much as the next ./er, but this might not be their bad just yet.
    • That was my first thought.

      Essentially, any time anything is being executed on a system, and that thing has a known/knowable format, it's going to be vulnerable to viral infection.

    • What a load of hypothetical nonsense. To quote from the end of that article:

      At this stage, Unix shell script malware as such is more targeted at the specific machine - currently it doesn't spread its code to other machines natively. So far, it couldn't survive on its own.

      Yes I remember the Morris worm (1988). It had nothing to do with scripts as it exploited holes in programs that were hanging open on the net. Holes that have long since been closed. Also back then use of firewalls apart from at the cor
      • I remember it too. There's a good chance it could happen again: it would have to spread via HTTP, SMTP, and SSH vulnerabilities to use ports that aren't blocked on gateway systems, rather than telnet and rsh, and would perhaps also require probing VPN setups to gain access from infected machines to corporate networks. But a better built package more aimed at damage could easily replicate its password guessing and replication capability and cause quite a lot more damage today. People should be concerned about
    • Few shell scripts run by users allow you to modify all the rest of the shell scripts on a system. Apparently, in Monad's excuse for a security model, they do. Remember, .NET had Peter LaMacchia, the author of Microsoft's .NET book, *resign* as project lead because of the security stupidities they were inserting into it.

      Also remember, Microsoft's security models are not based on allowing the minimum privileges necessary to complete an operation. Due to the way they handle hardware, especially video, they can
  • NO WAY! (Score:2, Funny)

    by stiefvater ( 101844 )
    never mind the virus-

    windows now has a decent shell?!

    will wonders never cease?

  • Give M$ some time to work its magic, then there will be plenty of holes and viruses for all!
  • es/index.php []

    OMG a shell! it like does things! and without a mouse!!
  • So what? (Score:5, Insightful)

    by IchBinEinPenguin ( 589252 ) on Friday August 05, 2005 @01:25AM (#13247358)
    All this proves is that Monad can find and modify text files (and that there are idiots out there who will misuse tools).
    About the only way around this is code-signing to prevent modification (yeah, like I'm gonna sign every single perl script I ever wrote.....)

    It's not like you can't do this in bash, awk, sed, perl, python, REXX etc. etc.
    • Actually, code signing does partially solve this problem, so that's one of the avenues we've taken. See my post about it [] (although I feel like a whore for posting it again.)

      That said, once you have a code signing infrastructure to save you from untrusted script publishers, your signing keys become the attack point. Malicious code can create another malicious script, and then sign it with your keys. To prevent that threat, always password protect your signing keys. When you do so, Windows brings up a di

  • by bxbaser ( 252102 ) on Friday August 05, 2005 @01:26AM (#13247362)
    I must be getting old when i see the full circles everywhere.

    when windows 95 came out the windows zealots were so quick to point out "no more having to type in dos, windows is better than everything"; now they will say "we have a shell, windows is better than everything"
  • by calculadoru ( 760076 ) <> on Friday August 05, 2005 @01:40AM (#13247412)
    Quoth the wise man in his treatise Monadology (1714) []:
    "There is also no way of explaining how a monad can be altered or changed in its inner being by any other created thing, since there is no possibility of transposition within it, nor can we conceive of any internal movement which can be produced, directed, increased or diminished within it, such as can take place in the case of compounds where a change can occur among the parts. The monads have no windows through which anything may come in or go out. The Attributes cannot detach themselves or go forth from the substances, as could sensible species of the Schoolmen. In the same way neither substance nor attribute can enter from without into a monad."

    And they've managed to attack them??? Oh, the humanity...
    • Monadology seems to be a protoscience towards the understanding of the fundamental building blocks of the universe. Today we call things Quantum, back then it was essences. Notice how consciousness is described as an attribute of matter instead of an emergent artifact which in a real sense does not physically exist within our Universe; it only logically exists, like calling a collection of cells a "glider" in Conway's Game of Life.
      My 2 cents anyway.

      Here's the very Squashed [] version with the important text
  • by Lisandro ( 799651 ) on Friday August 05, 2005 @01:45AM (#13247427)
    Awwww, crap guys. Let it go already. It's a bit like kicking a crippled at this point.
  • by AdamBa ( 64128 ) on Friday August 05, 2005 @01:50AM (#13247454) Homepage
    This is the verbatim text of one of the five viruses:

    $name_array=get-childitem *.msh
    foreach ($name in $name_array)
    if ($name.Length -eq 249)

    foreach ($victim in $name_array)
    if ($name.Length -ne 249)
    copy-item $my_file $name.Name

    All it does is find every .msh file and replace its contents with itself. That's it. You could do it with a .CMD file in any version of Windows (and of course in any other scripting language).

    The other scripts get a bit more complicated (insert at a random spot in the file, etc) but that's basically it. There's no new vulnerability exposed by Monad.

    - adam
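    The two threads above (whether "signed scripts only" stops an infected script from running, and what keeps a script from re-signing the files it modifies) and Adam's description of what the sample does (overwrite every .msh file with the same contents) can be tied together in one small defender-side demo. This is an added example, not code from the thread, from Monad/MSH, or from Microsoft: it uses a passphrase-derived HMAC manifest as a stand-in for real certificate-based code signing (the Authenticode mechanism Monad actually uses is asymmetric; the "verify before run" and "tamper sweep" logic is the same), and every file name, script body, salt and passphrase below is constructed for the demo.

```python
"""Signed-script manifest with tamper detection (added example, not Monad's code).

Stand-in for a "signed scripts only" execution policy: a manifest records a
passphrase-keyed HMAC over each script's SHA-256 digest. Verification fails for
any script that was modified or dropped in after signing, and without the
passphrase nothing on the machine can produce a valid entry for a new file.
Everything here (directory, .msh files, salt, passphrase) is constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

MANIFEST = "manifest.sig"  # constructed name for the demo's signature store


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # The signing key is never stored in the clear: it is re-derived from the
    # passphrase each time something is signed, which is the point of the
    # "always password-protect your signing keys" advice in the thread.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def sign_scripts(directory: Path, key: bytes) -> dict:
    """Record one keyed tag per .msh file in the manifest (the 'signing' step)."""
    manifest = {}
    for script in sorted(directory.glob("*.msh")):
        tag = hmac.new(key, file_digest(script).encode(), "sha256").hexdigest()
        manifest[script.name] = tag
    lines = [f"{name} {tag}" for name, tag in manifest.items()]
    (directory / MANIFEST).write_text("\n".join(lines))
    return manifest


def load_manifest(directory: Path) -> dict:
    lines = (directory / MANIFEST).read_text().splitlines()
    return dict(line.split(" ", 1) for line in lines if line)


def verify_script(directory: Path, name: str, key: bytes) -> bool:
    """The execution-policy check: run only if listed and unchanged since signing."""
    tag = load_manifest(directory).get(name)
    if tag is None:
        return False  # never signed: a "signed only" policy refuses it outright
    path = directory / name
    if not path.exists():
        return False
    expected = hmac.new(key, file_digest(path).encode(), "sha256").hexdigest()
    return hmac.compare_digest(tag, expected)


def tampered_scripts(directory: Path, key: bytes) -> list:
    """Defender sweep: every signed script that no longer verifies."""
    return [n for n in load_manifest(directory) if not verify_script(directory, n, key)]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample scripts; only the cmdlet names come from the thread.
        (d / "backup.msh").write_text("copy-item *.log backup\\\n")
        (d / "cleanup.msh").write_text("remove-item *.tmp\n")
        (d / "report.msh").write_text("get-childitem | out-file report.txt\n")
        salt = b"constructed-demo-salt"
        key = derive_key("correct horse battery", salt)
        sign_scripts(d, key)
        clean_before = tampered_scripts(d, key)
        # Reproduce the effect Adam describes: one script's contents replaced
        # wholesale by another's (plain file write inside the temp directory).
        (d / "cleanup.msh").write_bytes((d / "report.msh").read_bytes())
        # A freshly dropped script has no manifest entry at all.
        (d / "dropped.msh").write_text("get-childitem\n")
        return {
            "clean_before": clean_before,
            "tampered_after": tampered_scripts(d, key),
            "dropped_allowed": verify_script(d, "dropped.msh", key),
            "backup_allowed": verify_script(d, "backup.msh", key),
            # Without the passphrase, not even an untouched script verifies,
            # so a script cannot "re-sign" what it modified.
            "wrong_passphrase_allowed": verify_script(d, "backup.msh", derive_key("guess", salt)),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Run as a script it prints the sweep results: nothing is flagged right after signing, the overwritten cleanup.msh and the dropped-in file both fail the check afterwards, and a wrong passphrase verifies nothing. The asymmetric version that Monad's execution policy relies on has the same shape, with a private key (ideally on a smart card or protected by a passphrase prompt) in place of the derived HMAC key.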

  • by AdamBa ( 64128 ) on Friday August 05, 2005 @01:59AM (#13247482) Homepage
    Right here []. "Microsoft's newest operating system in beta only a week, but already leaky." Eeek!! It claims the viruses "take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code". Only problem is, Monad is not included in the Windows Vista beta code. Then it talks about how they "take advantage of security vulnerabilities in the new command shell". Like the ability to run scripts?

    - adam

  • Misleading topic (Score:3, Informative)

    by Jugalator ( 259273 ) on Friday August 05, 2005 @02:19AM (#13247538) Journal
    It should be "Windows XP/2003/Vista Tool Targeted By Virus Writers". It won't just be for Vista. The tool is also still in early beta, and I'm not even sure what the script did; is it a script like "rm *", or does it exploit any actual vulnerabilities? There's too little info here to know if this is anything to call news or not...

    Monad will also not be included with Windows Vista RTM.
  • First off -- credit where it's due, it took a few days for these to show up. Unlike the mere hours it took before.

    Big pat on the back to all you Windows coders out there in Redmond!

    Second and most important, these are only shell scripts meant to be executed in Monad -- not some nasty Outlook/IE infecting VB script that spreads like super-flu.

    No... those babies won't be hatching till NEXT week.

    I'd say this is a marked improvement in Windows Security overall. Bill must be proud right about now.
  • Combine the power and flexibility of Unix-style scripting with the robust security of a Microsoft environment. As long as the millions of less savvy users are all operating within a least-privilege account model this should be great.
  • Monad is now a "Windows Vista Tool." And just 2.5 months ago, Slashdot indicated Monad wouldn't be in Windows Vista [] (then codenamed Longhorn).

    So when Monad is considered a feature, it won't be in WV, but when it is a problem, it's magically back in there.

    The truth is, no one knows for sure if Monad will be in, and this "virus" is just a fucking shell script.

    Everyone, type rmdir c:\ and pass it along.
    • It gets even funnier in this further bastardized version at CNET [] -- another contradiction right in the first paragraph:

      "Virus writers are targeting a new Microsoft tool that will be part of Windows and is set to ship as part of the next Exchange e-mail server release."

      Again, the topic there is also misleading; this isn't about Vista, this is about Monad. Monad will be released for three operating systems, not one. And I hear now it's not even a vulnerability.
  • So bloody what ? (Score:3, Interesting)

    by polyp2000 ( 444682 ) on Friday August 05, 2005 @02:42AM (#13247594) Homepage Journal
    As much as I despise Microsoft and avoid using Windows at whatever cost, they have not released Vista to end users yet. The purpose of a beta is to find out what the problems and issues are and resolve them. Wait until they release a final before criticising. I am sure there will be plenty of viruses and bugs to get excited about then! (How else are they going to continue shipping their AV software?)
  • The Monad (Score:4, Funny)

    by payndz ( 589033 ) on Friday August 05, 2005 @02:50AM (#13247623)
    In the comic series []The ABC Warriors [] (specifically the story 'Black Hole'), the Monad was a bloated, ruthless manifestation of all human evil that attempted to destroy the Earth by corrupting and overloading the incredible technological achievement that linked humanity together.

    But I'm sure that's just a coincidence.

  • by Madd Scientist ( 894040 ) on Friday August 05, 2005 @03:32AM (#13247733)
    1) it's a scripting language
    2) assume you already have command line access

    a "virus" at this point is trivial... just append the code to append itself at the end of every file it assumes is a script for this command line.

    this is like batch file viruses that format the drive... it isn't anything special, it's just a matter of getting the mark to run the file. nothing to see here.

  • If Microsoft made Windows completely immune to viruses, spyware, and the like, they would be immediately sued by every dying for-profit anti-virus company, just like Netscape did.
  • by ajs318 ( 655362 ) <sd_resp2@earthsho[ ] ['d.c' in gap]> on Friday August 05, 2005 @04:32AM (#13247928)
    Why the hell does a command line interface need to incorporate Object Oriented features? This sounds to me like adding features for features' sake.

    The more sophisticated you make a system, the more failure modes you introduce -- and the harder it gets to test the edge cases, because there end up being too many edges. You want Object Oriented? I'll give you an Object Oriented example. Let's have a "length" type with properties which correspond to its conversion into different measuring units.
    var height IsOfType length
    reset height
    let height = 1.75
    print height.feet # prints 5
    print height.feet.inches # prints 8.8975
    print height.inches # prints 68.8975
    reset height
    let height.inches = 72
    print height.feet # prints 6
    print height # prints 1.8288
    forget height
    It may well be pretty, but outside of any programme dealing with units conversion it's fairly unnecessary. And it contains many programming hazards which would thwart the careless implementor. {BTW, that was a fictitious example; but I'm willing to bet there is at least one programming language out there that actually implements something like it.}

    All a command shell really has to do is be able to launch programmes, police the I/O traffic and keep hold of some state information. If it can do all that right, any other functionality you need can be provided by external programmes. That way, everything is kept as simple as it needs to be; you haven't got code cluttering up things that don't need it. If you do build functionality into the shell, there should be a bloody good reason -- usually that reason is that some external programme is getting launched more than its fair share. And in that case you already have the code you need to incorporate and it's been thoroughly tested.
    • MS, like virtually all Unix variants, is using a scripting language engine as its CLI. This is no different than Bash, Sh, Tcsh, etc. all of which support functions, etc.

      Can you imagine a command-line interface that didn't support aliases, functions, the ability to do more than just launch programs? Even wasn't that limited. My daily experience at work (Linux) would suck if I hadn't been able to customize the shell as I have.

      And as for testing - it's not that hard. Since the same language is use
  • by Spoing ( 152917 ) on Friday August 05, 2005 @06:41AM (#13248194) Homepage
    "As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory."

    As time goes on, they keep reinventing bits and pieces of Unix.

  • Apparently they haven't been around things like BASH enough because it's not very hard to write a similar "virus" in BASH script
  • 1. It's like a batch file and therefore doesn't count as a virus.
    ...but viruses started out as batch files and wiped a lot of hard drives.

    2. Microsoft can't be held responsible because shell scripts can be written and run in *nix/*nux too, so what's the big?
    ...but Windows has a long history of MSTD (Microsoft Terminal Disease) wherein everything is accessible all the time because they built an OS (nay, an NOS) on the principle of "everything is accessible unless explicitly stated otherwise." No other
  • Bugs and security holes in a beta? No! It's impossible. Not that Microsoft gets the benefit of the doubt anymore, but let's at least wait until the product is out of the beta testing phase before we begin harping on it for bugs and security flaws. Unless, of course, the flaws exist because of fundamental problems with the design of the product (a la Internet Explorer). Then by all means, pile on!
