A planned component for Microsoft's next version of Windows is causing consternation among antivirus experts, who say that the new module, a scripting platform called Microsoft Shell, could give birth to a whole new generation of viruses and remotely exploitable attacks.
Microsoft Shell, code-named "Monad," is still in development and is planned for release with the next version of Windows, known as "Longhorn." Monad will allow developers or administrators to configure Windows systems using text commands or scripts containing multiple commands. But the flexibility of the new platform and its support for remote execution of commands could spawn a whole new generation of "script viruses," like the "Melissa" script virus of 1999, e-mail worms and remote attacks, said Eric Chien, a Symantec researcher.
Chien was speaking at the Virus Bulletin 2004 International Conference and issued a warning about the new component to antivirus researchers and corporate antivirus experts. He said that the new Windows component is similar to existing Windows components for interpreting text commands, such as cmd.exe, but much more powerful.
Microsoft contends that the new component is in an early stage of development and that its features have not been finalized. When released, Monad will not allow malicious users to circumvent Windows security features, and will have features that prevent hackers from exploiting its powerful administrative capabilities, said Greg Sullivan, lead product manager in the Windows client division at Microsoft.
Early copies of Monad were distributed at Microsoft's Professional Developers Conference to independent software vendors and corporate developers in October 2003. The company released an updated version of the code at its Windows Hardware Engineering Conference (WinHEC) in May, Sullivan said.
As currently designed, Monad allows administrators to use commands to list and shut down any process running on a Windows system, send e-mail messages or list shared network drives. None of those features are available using cmd.exe. Beyond that, Monad supports its own scripting syntax, which allows administrators to combine commands into powerful statements that can search hard drives for specific information or manipulate data and files stored on a Windows hard drive, Chien said.
As with Visual Basic script, which spawned scripting viruses such as Melissa, Monad will be attractive to those who write malicious code, because it allows them to consolidate many commands into a few lines of code, creating small, efficient programs that are very powerful, he said.
Scripting viruses such as Melissa are also easy to read and modify once they are released, spawning countless variants and copycat creations. "It's like open source for malicious code writers," Chien said.
In his presentation, Chien discussed ways that Microsoft Shell and the new scripting language that goes along with it could be used to shut down antivirus software running on Windows systems by killing the system processes associated with those programs. Malicious hackers could also use Monad to navigate and modify the Windows registry, where program-specific configuration settings are stored, send e-mail messages with attachments and even download content files from the Internet.