Monad and the “First Vista Virus”


F-Secure has reported on some recent work by Second Part To Hell on a Monad scripting virus (“First Vista Virus Found“). It’s a misleading title, as it’s an issue that affects any vehicle for any executable code on any operating system. There’s an excellent treatment of shell script viruses on Virus Bulletin that covers this issue, but predates it by 2 years: Unix Shell Scripting Malware.


The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.


To protect yourself against the point of entry, follow the guidance suggested by Microsoft’s Malware FAQ:



The best way to stop viruses is to use common sense. If an executable computer program is attached to your e-mail and you are unsure of the source, then it should be deleted immediately. Do not download any applications or executable files from unknown sources, and be careful when trading files with other users.


To limit the amount of damage that the malicious code can do, try to limit the amount of time you run as Administrator / root. Aaron Margosis has an excellent blog on how to run as non-Administrator.


Now, this isn’t meant to be dismissive of the very real threat of scripting viruses. In the real world, it’s very hard to protect yourself against the point of entry.


To combat this, Monad has three features to help: not installing a shell association by default, configurable execution policies (along with digitally signed scripts), and not running scripts from the current directory.


In the past, many viruses have injected themselves into a user’s system when they double-click on the file. This is especially true in the case of email attachments. Windows then looks for the program that understands the file, and tells the program to run it. This is known as a shell association. Double-clicking on a .txt file opens Notepad. Double-clicking on a .html page opens your browser of choice. Our installer doesn’t tell Windows that it understands .msh scripts, so double-clicking on a .msh file does nothing.


We also support three execution policies to help you run scripts only from publishers that you trust.


The first execution policy, “AllSigned,” checks all scripts for a digital signature. Monad asks you if you trust that publisher to run scripts on your system. If you do, Monad will run the script. If you don’t, it won’t. If the file doesn’t have a digital signature, Monad won’t run the file. Monad contains functionality to let you digitally sign your own scripts to help you run in this mode. This will be our default execution policy past beta.


The second execution policy, “RemoteSigned,” checks scripts originating from the Internet for a digital signature. If a script originates from the Internet, Monad goes through the same process that it does in the “AllSigned” mode. If the script does not originate from the Internet, it runs the script. This is the mode that our betas are configured for.


The final execution policy, “Unrestricted,” does not check the digital signatures on scripts. However, if a script originates from the Internet, it will warn (and prompt you) before it runs it.


As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory.
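
As an added example (not code from the original post or the Monad team), the following Windows PowerShell session walks through the “AllSigned” flow described above and the current-directory rule, using the cmdlet names of released Windows PowerShell 5.1 rather than the Monad beta’s .msh tooling. The certificate subject, file names and the paths under $env:TEMP are constructed for the demo.

```powershell
# Added example, not from the original post: the AllSigned lifecycle with
# released Windows PowerShell 5.1 cmdlets. The paths under $env:TEMP and the
# certificate subject are constructed for the demo.
$workDir = Join-Path $env:TEMP 'signing-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$script  = Join-Path $workDir 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'

# 1. Which policy is in force and which scope set it. Scopes are listed from
#    most to least specific; the first one that is not Undefined wins.
Get-ExecutionPolicy -List

# 2. A freshly written script carries no signature; AllSigned refuses it.
(Get-AuthenticodeSignature -FilePath $script).Status        # NotSigned

# 3. Create a personal code-signing certificate in the user's own store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
            -Subject 'CN=Local Script Signing (demo)' `
            -CertStoreLocation 'Cert:\CurrentUser\My'

# 4. Sign. The signature itself is fine, but its chain ends in a root the
#    machine does not trust yet, so the status is UnknownError, not Valid.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
(Get-AuthenticodeSignature -FilePath $script).Status        # UnknownError

# 5. Self-trust the certificate: Root makes the chain validate, TrustedPublisher
#    suppresses the per-run "untrusted publisher" prompt that AllSigned shows
#    otherwise. The Root import pops a confirmation dialog.
$cerPath = Join-Path $workDir 'demo-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
}
(Get-AuthenticodeSignature -FilePath $script).Status        # Valid

# 6. Any change after signing breaks the hash, so the signature no longer
#    vouches for the content. A tampered script is refused under AllSigned.
$lines = Get-Content -Path $script
Set-Content -Path $script -Value (@('# inserted after signing') + $lines)
(Get-AuthenticodeSignature -FilePath $script).Status        # HashMismatch

# 7. Switch this user to AllSigned and try both versions.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force
& $script            # error: contents may have been changed, hash does not match
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
& $script            # hello from a signed script

# 8. The current directory is not searched for commands. A dir.ps1 dropped
#    here does not hijack 'dir'; only an explicit path runs it, and under
#    AllSigned even that is refused because the file is unsigned.
Push-Location $workDir
Set-Content -Path 'dir.ps1' -Value 'Write-Output "this would be the hijack"'
Get-Command dir | Select-Object CommandType, Name, Definition   # Alias -> Get-ChildItem
dir | Select-Object -First 2                                    # a normal listing
.\dir.ps1                                                       # error: not digitally signed
Pop-Location

# Cleanup: restore the policy and remove the demo certificate from each store.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
foreach ($store in 'My', 'Root', 'TrustedPublisher') {
    Get-ChildItem "Cert:\CurrentUser\$store" |
        Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
}
```

Two things worth keeping in mind when running this: a machine-wide execution policy set by Group Policy overrides the CurrentUser scope, so step 7 may warn that the setting is overridden; and released PowerShell added policies beyond the three named in the post (Restricted, Bypass, Undefined), which is why `Get-ExecutionPolicy -List` shows more than one scope. The execution policy is a guard against accidental execution of unreviewed scripts, not a boundary against code that already runs on the machine.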

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]

6 Responses to “Monad and the “First Vista Virus””

  1. phucktard writes:

    Just write some C code, make some system() calls change the file extension, edit the registry to allow Unrestricted execute, and call PSH with args pointing to the script via another system() call. Wrap it up in a nice package with pretty bows and stockings and call it porn. Double click and flush.

  2. Ivan writes:

    Not associating msh in the shell is a nice idea.

    I used a similar trick to avoid scripting hosts in Win98SE (by not installing them); unfortunately (I guess in an attempt to promote this successor of BAT), Microsoft Update didn’t work without vbs. As monad won’t be shipped with Vista I guess you would be unable to repeat this mean mistake.

    Anyway. It is not so hard to make a shortcut with "monad startup.msh" in it. This is to say, it should not be shell associated at all, not just by default.

    There is something I don’t quite understand. If msh scripts are not shell associated then how would they be executed when originating from the Internet?
    I mean that .msh is just a file sitting on the hard disk; how is Monad going to understand that it originated from the Internet once it is downloaded? Are you tagging downloaded files in NTFS in some specific way?
    And why execute scripts originating from the Internet at all?
    (The biggest advantage of scripts is that you can see the code before starting it.)

    BTW signing has never worked so far and it probably won’t work here either.
    Most legitimate scripts would not be signed, mainly because they won’t be written by professional programmers, but by system administrators. Trusted certificates cost money and they would probably save it for something better (e.g. chips and beer).
    If most of the useful scripts are not signed then users won’t pay attention to the signing at all.
    Not to mention that spyware is already signed, by Verisign.

  3. Leonard Chung writes:

    Hi Ivan — answers to some of your questions & comments below from another Monad team member:

    "I mean that .msh is just a file sitting on the hard disk; how is Monad going to understand that it originated from the Internet once it is downloaded? Are you tagging downloaded files in NTFS in some specific way?
    And why execute scripts originating from the Internet at all?"

    The tagging is done similar to the "Mark of the Web" done by IE6 where files from the internet are tagged with a special attribute (in an alternate file stream within NTFS if I recall) to indicate they’re from the web. This persists with the file. Execution of scripts from the internet just won’t work in the first place as there’s no shell association. This is to prevent people from downloading some random script somewhere and running it without getting a warning. To be sure, it’s defense in depth as to get exploited by a script like this requires 4 steps:

    1) Download the malicious script from a website
    2) Start MSH
    3) Attempt to execute the untrusted script
    4) Monad notices it’s from the internet and the user must authorize the running of the untrusted script

    Compared to the single step that was previously necessary, before VBS, etc. got locked down:
    1) Click on a link to a .VBS/.CMD/etc. file

    "BTW signing has never worked so far and it probably won’t work here either.
    Most legitimate scripts would not be signed, mainly because they won’t be written by professional programmers, but by system administrators. Trusted certificates cost money and they would probably save it for something better (e.g. chips and beer)."

    Signing and authentication do not require an expensive cert unless you’re trying to distribute scripts to random folks. Certs are easy to generate and create personal trust for. If you’re on a domain, your admin can have one created with your domain account. If not, it’s a simple matter to run a command to generate and self-trust the cert.

    Think of cert signing on a personal machine as almost like a chmod +x in Unix. When a random script is first created or downloaded off the web, you have to set it to be executable. Once done so, the script works normally off a personal cert. If another person gets it in e-mail or downloads it, they’ll have to chmod +x or sign the thing themselves (unless they happen to trust you).
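
As an added example (not from the original post or the Monad team), this is what the tagging Leonard describes looks like on disk in released Windows PowerShell 5.1: a Zone.Identifier alternate data stream on the NTFS file. The stream is written here by hand, with constructed content standing in for what a browser download leaves behind (ZoneId=3 is the Internet zone), and the Test-FromInternet helper is my own, not a built-in cmdlet. The paths under $env:TEMP are constructed for the demo.

```powershell
# Added example, not from the original post: inspecting and clearing the
# Mark-of-the-Web stream that RemoteSigned keys on. Stream content below is
# constructed to mirror a browser download; paths are demo paths.
$workDir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$script  = Join-Path $workDir 'downloaded.ps1'
Set-Content -Path $script -Value 'Write-Output "I came from the internet"'

# 1. A locally created file has only its main ($DATA) stream: no mark.
Get-Item -Path $script -Stream * | Select-Object Stream, Length

# 2. Simulate a download by writing the stream a browser would attach.
Set-Content -Path $script -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 3. The mark is a second named stream on the same file; the file's own
#    content is untouched, which is why a plain directory listing can't see it.
Get-Item -Path $script -Stream Zone.Identifier | Select-Object Stream, Length
Get-Content -Path $script -Stream Zone.Identifier

# Helper (hypothetical, not built in): read the stream and classify the file.
# ZoneId 3 (Internet) and 4 (Restricted) count as "from the Internet"; a file
# with no stream or a lower zone (0-2) is treated as local.
function Test-FromInternet {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $false }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)$') { return ([int]$Matches[1] -ge 3) }
    }
    return $false
}

Test-FromInternet -Path $script          # True

# 4. Under RemoteSigned an unsigned, marked script is refused outright; under
#    Unrestricted the same file produces the "downloaded from the Internet"
#    prompt instead.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
& $script                                # error: not digitally signed

# 5. The deliberate "chmod +x" for a downloaded file: remove the mark once you
#    have read the code and decided to trust it.
Unblock-File -Path $script
Test-FromInternet -Path $script          # False
& $script                                # I came from the internet
```

Because the mark lives in an alternate data stream, it survives copies between NTFS volumes but is lost when the file is zipped with a tool that ignores streams or copied to a FAT-formatted drive; that is why RemoteSigned is a guard against accidentally running something you just downloaded, not a proof of where a file came from.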

  4. SV Sleuth writes:

    The F-Secure post is a piece of rubbish. Any serious media website would correct their mistake.

    But as usual a catchy headline does its work.

  5. mitch foley writes:

    I was skeptical of the signing process, but the analogy to chmod +x is a good one. I have to say that most people that get spyware, viruses, and the like, could avoid them by paying attention. A little common sense goes a long way. However, Microsoft seems bent on not forcing users to use common sense through signing and warning boxes. (This is not a bad thing). However, I have had trouble in the past with Microsoft warning boxes, such as not being able to download files (such as iTunes) with IE 7 because of "security warnings." I understand why these features are necessary, but I would also like to see easier ways to turn them off. Clicking "Allow me to download this file" in IE 7 does not work for downloading iTunes, and I’m nervous that this "feature" will be implemented throughout Vista, and especially Monad.

    Plus, is a Monad virus really a Longhorn virus? It’s the shell, not the operating system that is under attack. That whole article is very inaccurate and misleading.

  6. Lee Holmes writes:

    Absolutely… if an attacker already has code running on your system, then it’s not your system any longer!
