Monad and the "First Vista Virus"

Thu, Aug 4, 2005

F-Secure has reported on some recent work by Second Part To Hell on a Monad scripting virus ("First Vista Virus Found"). It’s a misleading title, as it’s an issue that affects any vehicle for any executable code on any operating system. There’s an excellent treatment of shell script viruses on Virus Bulletin that covers this issue, but predates it by 2 years: Unix Shell Scripting Malware.

The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.

To protect yourself against the point of entry, follow the guidance suggested by Microsoft’s Malware FAQ:

The best way to stop viruses is to use common sense. If an executable computer program is attached to your e-mail and you are unsure of the source, then it should be deleted immediately. Do not download any applications or executable files from unknown sources, and be careful when trading files with other users.

To limit the amount of damage that the malicious code can do, try to limit the amount of time you run as Administrator / root. Aaron Margosis has an excellent blog on how to run as non-Administrator.

Now, this isn’t meant to be dismissive of the very real threat of scripting viruses. In the real world, it’s very hard to protect yourself against the point of entry.

To combat this, Monad has three features to help: not installing a shell association by default, configurable execution policies (along with digitally signing scripts), and not running scripts from the current directory.

In the past, many viruses have injected themselves into a user’s system when the user double-clicks on a file. This is especially true in the case of email attachments. Windows then looks for the program that understands the file, and tells the program to run it. This is known as a shell association. Double-clicking on a .txt file opens Notepad. Double-clicking on a .html page opens your browser of choice. Our installer doesn’t tell Windows that it understands .msh scripts, so double-clicking on a .msh file does nothing.

We also support three execution policies to help you run scripts only from publishers that you trust.

The first execution policy, “AllSigned,” checks all scripts for a digital signature. Monad asks you if you trust that publisher to run scripts on your system. If you do, Monad will run the script. If you don’t, it won’t. If the file doesn’t have a digital signature, Monad won’t run the file. Monad contains functionality to let you digitally sign your own scripts to help you run in this mode. This will be our default execution policy past beta.

The second execution policy, “RemoteSigned,” checks scripts originating from the Internet for a digital signature. If a script originates from the Internet, Monad goes through the same process that it does in the “AllSigned” mode. If the script does not originate from the Internet, it runs the script. This is the mode that our betas are configured for.

The final execution policy, “Unrestricted,” does not check the digital signatures on scripts. However, if a script originates from the Internet, it will warn (and prompt you) before it runs it.
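The three policies above can be checked against a folder of scripts before choosing one. The following is an added example, not code from the original post or from the Monad team: it uses cmdlets from released Windows PowerShell (3.0 or later, on NTFS) rather than the Monad beta, looks at .ps1 files, and judges Internet origin only from the Zone.Identifier stream. The function name and the folder path are hypothetical.

```powershell
# Added example: report how each script in a folder would fare under
# AllSigned, RemoteSigned and Unrestricted, as those policies are described above.
function Get-ScriptPolicyVerdict {
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -LiteralPath $Path -Filter *.ps1 -File | ForEach-Object {
        # Files saved by a browser or mail client carry a Zone.Identifier
        # alternate data stream; ZoneId 3 (Internet) and 4 (Restricted sites)
        # are treated here as "originating from the Internet".
        $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $fromInternet = [bool]($zone -match '^ZoneId=[34]\s*$')

        # Status is 'Valid' only when the signature verifies; 'NotSigned',
        # 'HashMismatch' and the other values all mean the script is refused
        # wherever a signature is required.
        $status = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        $signedVerdict = if ($status -eq 'Valid') { 'Runs if you trust the publisher' } else { "Blocked ($status)" }

        [pscustomobject]@{
            Script       = $_.Name
            FromInternet = $fromInternet
            Signature    = $status
            AllSigned    = $signedVerdict
            RemoteSigned = if ($fromInternet) { $signedVerdict } else { 'Runs' }
            Unrestricted = if ($fromInternet) { 'Warns and prompts' } else { 'Runs' }
        }
    }
}

# 'C:\Scripts' is a hypothetical folder; substitute the one you want to audit.
Get-ScriptPolicyVerdict -Path 'C:\Scripts' | Format-Table -AutoSize

# The policy currently in effect for this session.
Get-ExecutionPolicy
```

Any row that shows Blocked under AllSigned is a script that would need signing before that policy could be enforced.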

As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory.

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]