Future Windows component could spur old-school viruses

A planned component for Microsoft's next version of Windows is causing consternation among antivirus experts, who say that the new module, a scripting platform called Microsoft Shell, could give birth to a whole new generation of viruses and remotely exploitable attacks.

Microsoft Shell, code-named "Monad," is still in development and is planned for release with the next version of Windows, known as "Longhorn." Monad will allow developers or administrators to configure Windows systems using text commands or scripts containing multiple commands. But the flexibility of the new platform and its support for remote execution of commands could spawn a whole new generation of "script viruses," like the "Melissa" script virus of 1999, e-mail worms and remote attacks, said Eric Chien, a Symantec researcher.

Chien was speaking at the Virus Bulletin 2004 International Conference and issued a warning about the new component to antivirus researchers and corporate antivirus experts. He said that the new Windows component is similar to existing Windows components for interpreting text commands, such as cmd.exe, but much more powerful.

Microsoft contends that the new component is in an early stage of development and that its features have not been finalized. When released, Monad will not allow malicious users to circumvent Windows security features, and will have features that prevent hackers from exploiting its powerful administrative capabilities, said Greg Sullivan, lead product manager in the Windows client division at Microsoft.

Early copies of Monad were distributed at Microsoft's Professional Developers Conference to independent software vendors and corporate developers in October 2003. The company released an updated version of the code at its Windows Hardware Engineering Conference (WinHEC) in May, Sullivan said.

As currently designed, Monad allows administrators to use commands to list and shut down any process running on a Windows system, send e-mail messages or list shared network drives. None of those features are available using cmd.exe. Beyond that, Monad supports its own scripting syntax, which allows administrators to combine commands into powerful statements that can search hard drives for specific information or manipulate data and files stored on a Windows hard drive, Chien said.

As with Visual Basic script, which spawned scripting viruses such as Melissa, Monad will be attractive to those who write malicious code, because it allows them to consolidate many commands into a few lines of code, creating small, efficient programs that are very powerful, he said.

Scripting viruses such as Melissa are also easy to read and modify once they are released, spawning countless variants and copycat creations. "It's like open source for malicious code writers," Chien said.

In his presentation, Chien discussed ways that Microsoft Shell and the new scripting language that goes along with it could be used to shut down antivirus software running on a Windows systems by killing system processes associated with those programs. Malicious hackers could also use Monad to navigate and modify the Windows registry, where program-specific configuration settings are stored, send e-mail messages with attachments and even download content files from the Internet.

Microsoft documentation and presentations on Monad claim that Microsoft will support remote execution of Microsoft shell scripts, for authorized users, via telnet, secure HTTP (HTTPS) or other Internet-based protocols, Chien said.

But execution of scripts will be carefully controlled by security features in the finished version of Monad, which will be released in beta in the middle of 2005 and may or may not be included with Longhorn in 2006, Sullivan said.

For example, Microsoft will disable remote script execution by default and require administrators to digitally sign scripts so that they can be authenticated before being executed. The company will also run Monad scripts so as to insure that any input from the script is not automatically trusted and sent to a command without first being validated, Sullivan said.

Antivirus experts at the show expressed concern about the possibilities of the new component, but acknowledged that they had been unaware of its existence.

"I didn't know anything about it, but it seems very powerful. It's just like the Unix shell," said Mikko Hypponen, of antivirus company F-Secure, referring to a similar scripting platform used by Unix operating systems.

The new scripting platform was created in response to requests from network administrators, who wanted a fast and efficient way to control multiple machines across a Windows network. However, making Windows networks easier to manage for network administrators doesn't necessarily mean making the operating system less secure, Sullivan said.

In addition, even without additional security features, the ability of malicious hackers to use Monad would rely on them getting administrative access to Windows machines and will be tempered by security features already in Windows XP SP2 and others planned for Longhorn that are designed to prevent remote access and code execution, Chien acknowledged.

"(Microsoft Shell) doesn't skirt or bypass any SP2 security features. That security model will still be in place," he said.

Corporations with well managed security policies may also be able to lock down Monad on Windows machines so that it can only be used by approved network administrators. However, the presence of Monad on millions of loosely managed home computers, whose owners would have little use for the advanced scripting and remote management capabilities of the new shell platform, could make it a powerful platform for launching future worms and viruses, Chien said.

Microsoft "appreciates" Symantec raising security concerns about Monad, Sullivan said.

"The concerns that Symantec raises are the kinds of things we look at in making sure we do things in a secure way," he said.

Still, he believes it is "not meaningful to go into the technology feature by feature at this stage of development," given the likelihood that it will change significantly before it is released, he said.

"We're going to work with all our partners to deliver a secure platform. Whatever we do deliver will take (security concerns) into account."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?