Vista Virus Unleashed? Not Exactly

Xtremesoftstuff has a post on some recent work by Second Part To Hell on a Monad scripting virus. According to the posting, an Austrian virus writer has published proof-of-concept viruses that, in theory, could target Microsoft's scripting shell, code-named Monad and also known as "MSH." The fact that MSH is used as the execution vehicle is really a side note, as the code does not exploit any vulnerability in MSH. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do. In the real world, it's very hard to protect yourself against the point of entry. To help with this, Monad has three features: it does not install a shell association by default, it has configurable execution policies (along with digitally signed scripts), and it does not run scripts from the current directory.

In the past, many viruses have injected themselves into a user's system when the user double-clicks on a file. This is especially true in the case of email attachments. Windows looks for the program that understands the file, and tells that program to run it. This is known as a shell association. Double-clicking on a .txt file opens Notepad; double-clicking on a .html page opens your browser of choice. The Monad installer doesn't tell Windows that it understands .msh scripts, so double-clicking on a .msh file does nothing.

Monad also supports three execution policies to help you run scripts only from publishers that you trust. The first execution policy, "AllSigned," checks all scripts for a digital signature. Monad asks you whether you trust that publisher to run scripts on your system. If you do, Monad runs the script; if you don't, it won't. The second execution policy, "RemoteSigned," checks scripts originating from the Internet for a digital signature. If a script originates from the Internet, Monad goes through the same process that it does in "AllSigned" mode. The final execution policy, "Unrestricted," does not check the digital signatures on scripts. However, if a script originates from the Internet, it will warn you (and prompt you) before it runs it.

As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: it does not run them unless you explicitly ask it to.

But Monad is not expected to be part of Vista when it ships, and it was not included in the Vista Beta 1 bits distributed by the company late last month. Monad, which is Microsoft's alternative to the scripting shell environments that are part of Linux and Unix, is expected to debut as part of Exchange Server 12 when that product ships next year. It is unlikely to be incorporated into Windows until Longhorn Server R2, expected around 2009, ships.
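To see the three defences described above in action, here is an added walkthrough that is not part of the original post and not Microsoft's code. It uses Windows PowerShell, the name Monad shipped under, so it assumes today's cmdlet names and the .ps1 extension rather than the beta's .msh; the certificate, file names and the simulated "downloaded" mark are constructed for the example.

```powershell
# Added example, not code from the post. Assumes Windows PowerShell 5.1 on a
# machine where you may create a self-signed test certificate. Cmdlet names are
# PowerShell's (Monad's shipped name); the beta's .msh extension became .ps1.

# --- 1. Shell association: what a double-click on a .ps1 file would do -------
# Read the registered handler instead of double-clicking. On a default install
# the Open verb opens an editor; it does not hand the file to the shell to run.
$progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.ps1').'(default)'
Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command" |
    Select-Object '(default)'

# --- 2. Execution policy: see what applies and at which scope -----------------
Get-ExecutionPolicy -List          # one row per scope, most specific wins

# Require a trusted signature on every script, for this user only.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force

# --- 3. A throwaway script in the current directory ---------------------------
Set-Content -Path .\hello.ps1 -Value 'Write-Output "hello from a script"'

# It is unsigned, so AllSigned refuses it. Note the ".\": as in a Unix shell the
# current directory is not searched, so a bare "hello.ps1" is not even looked up.
Get-AuthenticodeSignature -FilePath .\hello.ps1 | Select-Object Status, StatusMessage
try { .\hello.ps1 } catch { Write-Warning $_.Exception.Message }

# --- 4. Sign it with a local code-signing certificate -------------------------
# A self-signed certificate stands in for a real publisher certificate. Until its
# root is trusted, the signature status is UnknownError, which AllSigned treats
# as "not signed by a trusted publisher".
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Example Script Signer' `
                                  -CertStoreLocation Cert:\CurrentUser\My
Set-AuthenticodeSignature -FilePath .\hello.ps1 -Certificate $cert | Select-Object Status

# Trust the test root for this user (Windows asks for confirmation). After this
# the signature is Valid, and running the script under AllSigned produces the
# "Do you want to run software from this untrusted publisher?" prompt; choosing
# "Always run" records the publisher in Cert:\CurrentUser\TrustedPublisher.
Export-Certificate -Cert $cert -FilePath .\signer.cer | Out-Null
Import-Certificate -FilePath .\signer.cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Get-AuthenticodeSignature -FilePath .\hello.ps1 | Select-Object Status
Get-ChildItem Cert:\CurrentUser\TrustedPublisher | Select-Object Subject, Thumbprint

# --- 5. "Originates from the Internet" is the Zone.Identifier stream ----------
# RemoteSigned demands a signature only for files carrying this mark, which
# browsers and mail clients attach to downloads. Simulate a download here.
Set-Content -Path .\downloaded.ps1 -Value 'Write-Output "from the internet"'
Set-Content -Path .\downloaded.ps1 -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-Content -Path .\downloaded.ps1 -Stream Zone.Identifier   # shows ZoneId=3

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
.\hello.ps1                                                   # local file: runs
try { .\downloaded.ps1 } catch { Write-Warning $_.Exception.Message }  # marked + unsigned: refused

# Unblock-File deletes the mark; only do this for a script you have reviewed.
Unblock-File -Path .\downloaded.ps1
```

The point to take from the walkthrough is that "originates from the Internet" is a per-file attribute, so the RemoteSigned policy only protects you for files that arrived with the mark intact; an attachment extracted by a tool that drops alternate data streams looks local and runs without a signature check.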
