First (proof-of-concept) .NET virus
Juergen Kreileder writes "Symantec
says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"
and I just wrote my first .NET class, now that should be newsworthy :)
Heh I still haven't fully figured out just what .NET is - as near as I can figure it's a framework to allow for easier Application Hosting? I also get the idea that MS is going to be cramming it down our throats :)
Looks like Microsoft can't blame Java now for being insecure :)
Don't the ever-grinding gears of progress just warm your heart?
...not...
More details also at The Register.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
This is, of course, not counting the slightly philosophical argument that .NET is the first .NET virus.
-------------------------------------------------
charlton heston is more of a man than yo
..and here I thought .NET was a virus.
Sounds like the vaporware phenomenon has extended to virii.
And this is different from any other Win32 virus how?
.net code is either compiled to native .exe code or into intermediate code, which a virus could, yes, infect. how is this more or less dangerous than compiling normal C/C++ code into an .exe which can spread viruses?
So, if Symantec were to host a poll that asked:

Is Microsoft .NET secure, after we found the first virus to infect the software?
a) Yes
b) No
c) Hell No

Would a) be the most popular choice because of Microsoft Vote-Rigging and Ballot Stuffing? ;)
.NET is dangerous. It's a security disaster waiting to happen. I don't want to use it if I can avoid it...
See last sentence. WILL we be able to avoid it, realistically? A lot of /.'ers might be able to, but folks who still have to live and work with Microsoft products in the workplace or even at home and want to get things done online might not have a choice. If online shopping services convert over to .NET or god forbid my bill payment services, it's going to be very difficult to avoid having to make that Passport account and start using .NET.
So, taking the hypothetical stance that one would need to eventually get registered to use .NET services they can't avoid using, what can be done to protect yourself and your data? Are there any .NET developers out there who can comment on how much risk is involved and how it can be minimized beyond 'Don't use it'?
Here's the writeup from Symantec:

On the 9th of January a set of AV companies have received a new virus from its author. The virus was named "dotNET" by its creator but we decided to add detection of it as W32.Donut instead.

The virus targets EXE files that were created for the Microsoft .NET framework. Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed. Thus currently a .NET application executes native code before it will execute the platform independent code. According to Microsoft this native code will be removed and the operating system itself will recognize and execute .NET images.

The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump with another one to point into the last section of the executable; it overwrites its .reloc section with itself and nullifies the relocation directory. Thus when an infected file is executed the virus code will get control as a 386 application. The virus checks the platform and only infects on Windows 2000 and above. If so it will attempt to infect all files in the current directory with .EXE extension and in up to 20 directories above it. It must be noted that there are many assumptions made about the .NET file structure which will not be the case with most executables. Nonetheless many C# compiled files would have similar structure. The virus author worked with the Beta 2 .NET framework and thus checks files for the new header signature "BSJB". The virus would therefore ignore the Beta 1 file format. The virus will inject itself into the file by using regular virus techniques to get access to the API addresses it needs to call. Most APIs are referenced in the code as CRCs. It must be noted that the virus also modifies the checksum field of the PE header to make the image look valid. Donut also injects a small MSIL code and metadata into the infected file. These will execute the payload of the virus and display the following message box with a 1:10 chance:

.NET.dotNET by Benny/29A
This cell has been infected by dotNET virus!

Infected files will look like regular .NET applications. The virus will first drop a file with a fixed .NET header pointer in the data directory as well as the jump to the _CorExeMain() function so the application can run as a .NET file whenever the Framework is installed. In this case the MSIL code of the virus will get control and display the above message box. When the host application returns the virus creates yet another copy of the file and in this case the original MSIL code will be executed and the file will run normally. During this process the virus creates a temporary file with the name of the host executable and a space. For example, runme.exe will have temporary file "runme .exe".

W32.Donut is a concept virus. It does not have any significant chance to become widespread. However it shows that virus writers are paying close attention to the new .NET architecture and attempt to learn it before the Framework will be available on most systems.
Cantankerous old coot since 1957.
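The three file-level changes the Symantec writeup attributes to W32.Donut (the entry stub rewritten from a jump through the mscoree!_CorExeMain import slot into a jump into the last section, the .reloc section overwritten, the relocation data directory zeroed) can be turned into a static check. The Python below is an added example, not Symantec's code and not the virus: it builds a tiny synthetic PE32 inline, once clean and once with those three changes applied, and scans both. The section layout, RVAs, and finding strings are this example's own assumptions; the checks themselves follow only what the writeup describes.

```python
"""Static check for the W32.Donut infection pattern described by Symantec.

Added example; not Symantec's code and not the virus.  A .NET PE32 of that era
starts at a stub `FF 25 <address>` that jumps through the import address table
(IAT) slot for mscoree!_CorExeMain.  The image scanned here is a synthetic PE32
constructed inline (not a real assembly); the fixed RVAs are assumptions.
"""
import struct
from collections import namedtuple

IMAGE_BASE = 0x400000
DIR_BASERELOC, DIR_IAT, DIR_CLR = 5, 12, 14    # data directory indices
Section = namedtuple("Section", "name rva size rawptr")


def _section_header(name, rva, size, rawptr, chars):
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, rva, size,
                       rawptr, 0, 0, 0, 0, chars)


def build_sample_pe(infected=False):
    """Constructed PE32: .text holds the entry stub, an IAT slot and a CLR
    header; .reloc holds one base relocation block.  infected=True applies the
    three Donut-style changes from the writeup."""
    text_rva, text_raw, text_size = 0x1000, 0x200, 0x400
    reloc_rva, reloc_raw, reloc_size = 0x2000, 0x600, 0x200
    iat_rva, clr_rva = 0x1100, 0x1200
    text = bytearray(text_size)
    # jmp dword ptr [IAT slot]; the loader fills the slot with _CorExeMain
    text[0:6] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + iat_rva)
    struct.pack_into("<I", text, clr_rva - text_rva, 0x48)        # CLR header cb
    reloc = bytearray(reloc_size)
    struct.pack_into("<IIHH", reloc, 0, text_rva, 12, 0x3002, 0)  # one block
    dirs = [(0, 0)] * 16
    dirs[DIR_BASERELOC] = (reloc_rva, 12)
    dirs[DIR_IAT] = (iat_rva, 4)
    dirs[DIR_CLR] = (clr_rva, 0x48)
    if infected:
        rel = reloc_rva - (text_rva + 5)
        text[0:5] = b"\xe9" + struct.pack("<i", rel)   # 5-byte jmp into .reloc
        reloc[:] = b"\x90" * reloc_size                 # .reloc overwritten
        dirs[DIR_BASERELOC] = (0, 0)                    # relocation dir nulled
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 6, 0, text_size, reloc_size, 0, text_rva, text_rva,
                      reloc_rva, IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    headers = (dos + coff + opt
               + _section_header(b".text", text_rva, text_size, text_raw, 0x60000020)
               + _section_header(b".reloc", reloc_rva, reloc_size, reloc_raw, 0x42000040))
    return bytes(headers.ljust(text_raw, b"\0") + text + reloc)


def parse_pe(image):
    """Minimal PE32 parser: entry RVA, image base, data directories, sections."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), rva,
                                max(vsize, rawsize), rawptr))
    return entry, image_base, dirs, sections


def section_of(sections, rva):
    return next((s for s in sections if s.rva <= rva < s.rva + s.size), None)


def scan_for_donut_pattern(image):
    """Return a list of findings; an empty list means the pattern was not seen."""
    findings = []
    entry, image_base, dirs, sections = parse_pe(image)
    if dirs[DIR_CLR] == (0, 0):
        return findings                        # not a .NET image: out of scope
    sec = section_of(sections, entry)
    if sec is None:
        return ["entry point RVA 0x%x lies outside every section" % entry]
    off = sec.rawptr + (entry - sec.rva)
    stub = image[off:off + 6]
    iat_rva, iat_size = dirs[DIR_IAT]
    if stub[:2] == b"\xff\x25":                # jmp [abs]: the expected stub
        slot = struct.unpack_from("<I", stub, 2)[0] - image_base
        if not iat_rva <= slot < iat_rva + iat_size:
            findings.append("entry stub jumps through 0x%x, outside the IAT" % slot)
    elif stub[:1] == b"\xe9":                  # jmp rel32: what the writeup describes
        dest = entry + 5 + struct.unpack_from("<i", stub, 1)[0]
        where = section_of(sections, dest)
        findings.append("entry stub is a 5-byte relative jmp to RVA 0x%x (%s), not jmp [_CorExeMain]"
                        % (dest, where.name if where else "no section"))
    else:
        findings.append("unexpected entry stub bytes %s" % stub.hex())
    if dirs[DIR_BASERELOC] == (0, 0) and any(s.name == ".reloc" for s in sections):
        findings.append(".reloc section present but relocation directory nulled")
    return findings


if __name__ == "__main__":
    for label, img in (("clean", build_sample_pe()), ("infected", build_sample_pe(True))):
        print(label, scan_for_donut_pattern(img) or ["no findings"])
```

The scanner deliberately ignores the PE checksum, since the writeup says the virus recomputes it; the stub shape and the mismatch between a present .reloc section and an empty relocation directory are the signals that survive that.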
This begs the question - it sounds like this virus was written for the benefit of the virus companies (but aren't they all....)
AV companies have been aware of the possibility for a while. It was discussed at the 2001 Virus Bulletin Conference. Here are the abstracts from two papers: MSIL For The .NET Framework: The Next Battleground? and The Effects of Microsoft .NET on Malicious Threats.
But does it work in Mono?
Ha! I kill me!
If you build it , they will sploit. And sometimes they'll be in line, waiting before it even premiere's
http://benny29a.kgb.cz/
There was a interview with him for Softwarove Noviny (czech magazine), its translation is at:
http://benny29a.kgb.cz/articles/iigi.txt
-- Wanna textmode user interface for ruby? http://freshmeat.net/projects/jttui/
If I remember right, the original word-macro "concept" viruses infected all of the inside of Microsoft within days and had a total payload of "See, I told you it could be done." Several news sources suggested that it was written inside Microsoft by a tech to prove a point.
I wonder if this too, was a similar sort of event.
Wow, he managed to make a virus that infects MICROSOFT software? Holy crap....
From Symantec: "The virus was named 'dotNET' by its creator but we decided to add detection of it as W32.Donut instead."
Heaven forbid we actually tarnish the sterling security record of Microsoft products. Sheesh.
He who refuses to do arithmetic is doomed to talk nonsense.
Well, this virus really does not do anything interesting. .NET, as any other complete programming environment, will allow you to create replicating code (oh big surprise).
For .NET "applets" or any other .NET code that is downloaded from the network and executed, the virus would throw an exception because it would not have permission to touch your file system.
These kinds of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice this kind of virus program never succeeds in the wild due to this kind of security mechanism.
Now that's a business strategy.
I'd find it more surprising that hackers weren't already at work trying to hack .NET. Imagine the free pickings some criminally-inclined hacker could have...
all the credit card numbers, personal info, etc they ever desired about people who are on average probably pretty clueless (otherwise, they wouldn't be using .NET most likely)
Nosce te Ipsum
...was "voted" to be the "Platform of Choice".
lol
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Here, Symantec states:
``However, it shows that virus writers are paying close attention to the new .NET architecture from Microsoft and are attempting to understand the framework that eventually will be available on most systems,'' Symantec said.
Seems like we may need to check the Symantec domain for votes in the .NET voting.
mp3's are only for those with bad memories
Do virus checkers currently check SWF, java, etc files that are downloaded through web browsers?
It seems that while everyone says we have 'more than enough processing power' it is going to be sucked up by virus scanners and "do you want to run this" pop-up boxes.
Except of course (for now) on Linux.
A side point: everyone says "don't run as root, only run as a regular user". Sure. No problem. But suppose I run as a regular user, and get some virus/trojan/whatever. I've got a lot of stuff in my home directory. In fact, I'll even say that it's easier to replace / than /home/*. Are people doing development work under one account, reading email in another, browsing the web in a third, and ripping CDs in a fourth account? Didn't think so. And for that reason, sooner or later, we need more helpful Linux virus solutions than "don't run as root".
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Don't forget everytime a new version of Windows comes out Symantec gets to sell a million copies of it's software.
I know most people won't agree, but doesn't Symantec stand to make a mint if this is true?
I guess they needed a virus before they released anti-virus software.
Get your Unix fortune now!
One OS to rule them all, one OS to find them, one OS to bring them all, and in the darkness bind them.
How about this time everyone lets .NET get into place _before_ ripping it apart? I mean, all this does is give MS time to patch it before it becomes mainstream. It's like cracking the Cactus copy protection, or the CSS... it isn't a standard yet, so it doesn't hurt the company much.
Pshaw, even on the first-virus front GNU/Linux has MS's ass BEAT. Since the GPL is a viral-type philosophy, it started spreading even before one line of code was licensed with it!
.NET, on the other hand, needs weeks and weeks and weeks before some dude from Semantac notices there's nothing under the .NET category and that it's messing up his spreadsheet field lengths, so he quickly codes up a .NET virus that's like the equivalent of:
1. {384 lines of MS junk}
2. Enumerate "My Neighborhood" into MsTpAtemp (that's Hungarian notation for a variable named "temp" of "Microsoft Temporary Array" type)
3. For MSTpInti = 1 to MS_Length_Of_Funct(MsTpAtemp)
{
1. MsOpenRawNetSocketToFor("writing") MsTpAtemp[MSTpInti]
2. MsOpenRawNetSocketToFor->Send(MSDevOnly_CopyOfSelf())
}
4. MsOpenRawNetSocketToFor->Close(MsSuccessVar)
At least that's what I imagine it might look like, based on what little I've seen of VB. I'm afraid to look.
Ya think MSFT might try to put a positive spin on this?:
"See? .NET must be gaining popularity, it already has virii, just like other well accepted platforms. Developers must not like Java, you don't see a lot of viruses on that platform, do you?"
While I am trying to be funny, I might not be far off. Does having viruses this early in development give this platform some credence?
...this is also quite possibly the first .NET application!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Sorry had to be done.
MMMMM, W32.Donut.
JET Program: see Japan, meet intere
Set a Cron Job that does a backup every hour or two. Have the file time stamped and rotate out the oldest backups in a way that you hard drive space allows.
Full backup every few days, and incrementals throughout the day. Bit of thrashing, but it will protect you from most problems.
"Live Free or Die." Don't like it? Then keep out of the USA
I think back to the RPC process that built the protocols used on this medium we've come to love and depend on, and I see this .NET stuff being unleashed upon us with holes in it before it even gets started.
Only one phrase comes to mind.. "I used to be disgusted.... now I'm just amused".
Symantec...
Miguel wants to bring this to Linux... real smart... No wonder Microsoft backs Mono: they know that .NET is insecure, so Mono will be insecure, therefore Linux will be insecure.
Until their damn EULA gets blown away in court and they get sued and lose bigtime for negligence in how they handle security concerns, I don't see any reason why M$ would change things -- doing things right might cut into profitability more than the aforementioned business methods we all know and love...to hate.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
"Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed."
"The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."
Interesting. I predict we will be seeing many, many attacks on .NET somewhat similar to this, since Microsoft kept function pointers (which are unverifiable) in the mix. Good for the checkbox battles, but fatal for security.
From said Register article:
However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.
Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind.
I hope the latest search for ET intelligence is fruitful so that we can be saved from ourselves.
To-do List: Receive telemarketing call during a tornado warning. Check.
I have always wondered if one of the reasons that MS has more virii is because they are simply more popular. Would Linux have as much trouble if it had as many users running around willy-nilly? You know what they say about those users.
...snicker....
I can't understand why people are surprised that one can write a virus with a programming language.
Shock of unbelievable shocks!
This isn't Earth shattering or even the fault of Microsoft.
Next please...
AC
When are we going to see W64.virusname start to appear?
Read my plan to save the Bengals
The torch has been passed...
.NET
Outlook ->
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Virii are money making entities in themselves and I'm tired of seeing companies encouraging the creation of Virii. I don't remember when, but I do remember a scandal typeness on the net a LONG while ago about McAfee going out to software writers to see if they would be interested in writing virii to test out their detector ... then they just happen to get released out into the wild.
The other thing that I see wrong with Virii and Worms is that it kills the IT world. IT department heads are forced to clean up after end user mistakes when they could be developing. And when a worm like Nimda is released my bandwidth was cut by a third almost.
It's ridiculous ... and I'm really sick of it ... virii writers are the lowest of lows when it comes to software. A monkey can code, but a true hacker can realize when his code could harm something or someone.
Ignore the "p2p is theft" trolls, they're just uninformed
Am i the only one that's getting sick of all these, "one (insert slashdot topic here) to rule them all..." regurgitated posts?
JEBUS!!!
And modded up to 5!?!?!?! WTF?!?!
Yes, we've all read the books, yes, we've all seen the movie...let...it....go.
You'd think it would inspire an original thought instead of this posting diarrhea..
There are 01 types of people in this world. Those that understand binary, and me.
so I'm curious. Is it easier to write viruses for .NET or is it easier to write viruses for Java?
There needs to be a Linux framework similar to .NET how about we call it .COM ?
but I thought that .NET was a virus
I hate to say this, but anything as ambitiously widespread as .NET will be virus prone.
Isn't it true that one can never claim a piece of software to be 100% bug free or secure? If you have something as large as .NET and as widespread as it, I think we should give it some grace and at least let it be released before we start saying it's a bad platform because of its virus vulnerabilities. (This is of course not taking into account other things like privacy issues and what not.)
article here.
Buy a Nintendo DS Lite
What I'm worried about is this phrasing: ... the Framework will be available on most systems. This means Mono, which means Linux, which is bad. Today there are around 20 or 30 known viruses on the Linux platform, 20000-30000 on the Windows platform. Although a more rapid spread of won't give MS an edge, it certainly won't hurt them.
Look a monkey!
ok I read this article before on yahoo....this dude pretty much copy pasted the Yahoo blurb and added a few lines of his own!!!!
Plagerism!!!!!!!!!
The virus wasn't even written in CLR. Basic security measures are similar to Java. Apps run in a sandbox, and can only access what they have permission to access. So as an example, if you download code from the internet, or load an app from a non-local resource, by default it won't have access to System.Net, which contains the Networking classes...
Also as far as buffer overflows are concerned, .NET is a lot more strict on memory, so I don't think that should be a concern. Besides, code sections don't even stay in the same place in memory. The garbage collector can actually move your objects around in memory if needed. With that in mind, a traditional buffer-overflow exploit probably wouldn't be guaranteed to work anyways. And that's if there even was a buffer-overflow problem to exploit.
Also CLR code can be signed and authenticated, so if you run code, the Framework can check for Authentication/Authorization and Integrity. That will surely put a cramp on viruses.
And when the CLR/CLI goes through ECMA standardization, you may not even have to rely on MS to supply the framework. I know groups are already working on getting a CLR platform on Linux as an example....
Hey, it's a computer system where viruses can spread... This is news?
Anywhere a program can run from a third party can have viruses. Only if you physically build each bit of code you run yourself can you be relatively sure.
This includes .NET as well as Linux or FreeBSD.
I think you /. types should get a grasp of reality!
Someday, I'll have a real sig.
Don't get all worked up, guys. Executable files that can modify other executable files to self-replicate are nothing new, and
(Regardless, kudos to the creator for the cool hack and for not unleashing it on the world!)
Personally, I think the idea of high-level languages and portable binaries is a good one, so I am actually excited about the Common Language Runtime (etc.) aspect of
...you too can log out and agree with your own posts... BUT ONLY FOR A LIMITED TIME! So logout now!
Java, of course, is composed of byte code that runs in a "sandbox" which is supposed to prevent malicious attacks on a user machine. Say what you want about Java, but from what I can tell Sun has been pretty successful in achieving their security goals.
OTOH, Microsoft, jealous of Java's success, is attempting a similar model and boasts similar security measures, claiming that with .Net Framework driven applications, it will be possible to download apps from the internet and run them without security concerns.
The problem is that M$ is cutting a bunch of corners that make me very nervous. For example, the user only compiles a program the first time he runs it. After that a machine-code file is left on the user's machine for further runs. Also, M$ is attempting to mix "Managed Code" in with "Unmanaged Code". Their attempt is to make their apps run faster than Java code. But I'm afraid we're going to bear the misfortunes of their aggressive tactics, by being the real victims of a new wave of viruses exploiting these new holes...
RM
More details also at cNet News. Its been there for a couple of hours, and I thought about posting it but was too lazy.
Why work on detecting the threats... seems kinda pointless to me when you could eliminate the threat. I think Microsoft might well be in league with the antivirus software writers, and I'm dreading the next version of Windows with Microsoft's own antivirus software. (Unless by antivirus you mean hard to exploit to make run random code.)
The average gullible home user doesn't need
As much as I love Java, Sun has poisoned it themselves as well...
I mean, I happen to prefer delegate based eventing over innerclasses...
and I HATE, absolutely HATE how Sun decided to mandate a static cache of IP addresses in the InetAddress.GetAddressByName function. That makes the function almost useless.
At least .NET is smart enough to know that if you are trying to resolve a local hostname, it won't bother creating a DNS request, and it will always return current info. And it throws an exception if you try to change the cache policy. And even if it worked, it makes it JVM specific.
In Java, if you try this, it will always return the same IP Addresses, even if you dial-up/hang-up and renew, and enable/disable interfaces, which makes it useless. You have to restart the JVM to get the new addresses.
And I hate how most of Java is designed to be blocking, instead of non-blocking... But thats a holy-war in and of itself, so I won't go there... The InetAddress thing pisses me off tho...
My other gripes are mostly about how its write once, and debug everywhere... In windows, the component can get Key and Mouse events. In Linux, the component gets Mouse Events, but the Frame gets key events. You would think it would be consistent...
In some versions of the JVM, the component gets the update(graphics) method. In other versions, the frame does.
I meant that Java will throw an exception if you try to change the cache policy... (I worded it badly...)
The reason that MSFT employees had to "fix" the UK poll on what developers wanted to develop web services in. Because developers chose something stable like Java, not .Net - something harder to hack (not impossible, just harder).
-
--- Will in Seattle - What are you doing to fight the War?
Unfortunately, Passport (which I believe offers the authentication for .NET services?) is really only as secure as the least secure server it's deployed on. More unfortunately, it's deployed on microsoft.com. Even more unfortunately, there are still OPEN SECURITY HOLES on microsoft.com... Oh, how many many ways are there to hijack cookies or script actions with Cross Site Scripting? A lot.
-- these are only opinions and they might not be mine.
Having a kid infect a .NET server makes it harder for those working with web services. Large institutions most likely will continue their web services plans, but it makes it harder for consumers to trust the services. Non technical people might think all web services are full of security holes and decide none of it is any good.
In microsoft's race to get something out, they are doing more damage to the perception of the web services industry than anything else. Consumers are already freaked about big corp taking too much control. It's great the security hole has been revealed, but it shouldn't have been so easy. Like the kid says in his interview, "they are the idiots." Is the consumer going to agree with the kid or the company that just got hacked?
All systems are going to have security issues. The framework has been out for some time now in various stages and this is the first real security flaw found in it.
I'm not going to say M$ is perfect by any means. They have their good qualities and they have their bad qualities.
Fact: For the average user, Microsoft products are a good, stable (enough for them), user friendly environment.
I know I'm not going to change your mind on Microsoft, but at least give them a break. I hear people say "Microsoft's security is crap.". True, it may not be the best and it could be better, but when you have a 90% marketshare, what system do you think the hackers are going to spend most of their time trying to break? That is why so many viruses and security holes are exploited in Windows.
I'm sure, I've told nobody anything new, but just had to put in my 2 cents...
The software virus, .NETs 'killer app'!!!!!
who finds saying "W32.Donut" to be really, really, funny? Try it with me, just say it a few times. Well?
$1,000 per year +
$1,500 per application
Large Developer
$10,000 per year +
$1,500 per application
Virus Developers
$1,200 per year +
$0.25cents per computer infected*
* Tracking provided by Bill Gate's Email Tracking System(tm)
Looks like someone should really read the moderator guidelines.
Ignore the "p2p is theft" trolls, they're just uninformed
I hate to say it, but now that my server logs are constantly filled up with infected machines calling out with their infected packets, I must question why M$ isn't liable for damages done by their security holes? Viruses are expensive, whether they are .NET viruses, outlook viruses or IIE viruses. They should be held accountable.
-Sean
Firstly, I'm not a MS fan, I hate to defend them, but I feel compelled to correct gross misconceptions when I see them...
1. .NET is pretty much a Java clone that supports many languages. That's it...
2. .NET is a virtual machine. It's as dangerous as Java or any other programming platform. (Yes, .NET is capable of an applet like technology, restricting the program to not damage the system)
3. Microsoft isn't looking to put everything on the Server. This would jeopardize their client monopoly, and plus it makes absolutely no sense.
.NET programmers aren't forced to use Passport just like Java programmers aren't forced to use Jxta. So, I don't see how they're going to force you to use Passport, let alone charge for it.
If Microsoft wants to ensure a steady revenue stream, they have two ways of doing this.
A. Change the license to require companies to renew their license after x years.
B. Add new features to the next version causing customers to salivate and upgrade.
They're pretty much doing a good job with B, but if they happen to fail, they can always revert to A.
If you would like me to clarify on any further points, feel free to respond.
"Communism is like having one [local] phone company " - Lenny Bruce
Java Virii: 0
Seriously, wouldn't a Java virus be great? I mean, it runs on just about anything (including your PlayStation 2). I wonder why there aren't any roaming the net . . .
Maybe because Sun actually put some effort into the security aspects of an inherently dangerous idea?
Do not touch -Willie
I'm rather amused by this article: .Net may lead to fewer viruses, but I'm baffled by the name!!!
The article is dated 28/09/2001, 4 months ago.
They say:
".Net will almost undoubtedly create fresh infection mechanisms for virus writers to exploit."
"[.Net] not yet addressed by AV[AntiVirus] products."
"a .Net virus might contain only something that specifies where malicious code comes from."
"Viruses that infect .Net binaries, Trojans written in .Net languages and malicious code taking advantages of .Net services are all possible."
"it might allow 'viruses to propagate to operating systems that were previously considered low risk'"
Why the HELL is the article titled ".Net may lead to fewer viruses"?!?!?!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
baby# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 37(resident)
baby# ls -lo messages
-rw-rw-r-- 1 root wheel sappnd 221149 Jan 7 17:16 messages
baby# rm -f messages
rm: messages: Operation not permitted
baby# cat /dev/null >! messages
messages: Operation not permitted.
baby# logger "Test"
baby# tail -1 messages
Jan 10 12:40:25 baby username: Test
BSD's been doing that for quite a long time (that's an old OpenBSD/sparc machine).
-- The world is watching America, and America is watching TV.
This virus takes advantage of the fact that the PE for CLR executable assemblies includes a small stub to bootstrap itself into older platforms that do not recognize and or honor .NET PEs natively (i.e. older versions of Windows).
This is really not part of .NET or the CLR, but rather a MS specific "optimization" that saves them from having to retrofit CLR PE recognition into their older platforms when the CLR is RTM. For more information, check out this thread[1] on the Developmentor .NET mailing list.
The important thing to point out is that this hack does not foil CLR security. It's foiling standard Win32 security and only because of the aforementioned "optimization".
Later,
Drew
[1] http://discuss.develop.com/archives/wa.exe?A2=ind0107B&L=DOTNET&D=0&P=47726
funny how when i posted this story this morning it got refused...
if the sites slashdot links to get slashdoted, how come slashdot itself never gets slashdoted??
1. That right there makes a
2. Passport and
I would honestly predict that very few
Remember Passport is just an authentication service with extras. This is a commodity technology with a lot of players, and if it does get hot I'm sure Yahoo or AOL are very capable of making their own competing authentication services...
"Communism is like having one [local] phone company " - Lenny Bruce
Because now you won't have to bother with Word macro virii and IIS virii and VBScript virii. You just have to write one for .NET.
Do not touch -Willie
.NET is doomed to be a digital Petri dish for viruses. This is because Microsoft will rush it to market. Every day that passes without .NET being completed is another day that J2EE continues to entrench itself in the enterprise. This is happening because J2EE is actually good technology.
Microsoft has to get some of the .NET framework rolled out quickly. And they're going to do that the same way they always do: by skipping most of the security QA they should be doing.
Rest assured that .NET will be every bit as secure as Windows XP -- i.e. not secure at all.
You can count on it.
Tired of FB/Google censorship? Visit UNCENSORED!
http://www.cnn.com/TECH/computing/9808/19/javaviru s.idg/ and I'm sure it's not the only one...
-- these are only opinions and they might not be mine.
Some JVM implementations generate the same sort of stub for their runtimes. So technically if you consider this a hack, it just as much a JVM hack (depending on the implementation of course!) as it is a CLR hack.
In fact... it's basically a hack for any PE, no matter what it's contents, which Win32 executes blindly.
There are flag bits called "attributes" that can be placed on ext2 files; see lsattr(1) and chattr(1). The one you want is either 'a' or 'i', I think, or some combination thereof.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
he said .Net. No Butthead he said virus.
SUPER SECRET, NO EYES ONLY, DESTROY ON SIGHT.
Yes, it's true. As a recent ZDnet Poll showed,
the majority of virus writers are developing for the !NET.
Don't let anyone know.
I think they proved their point.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
For those unfamiliar with .NET assemblies, here's a little tip for wanna-be virus writers:
All .NET assemblies are digitally signed. The sig is put together by the compiler and is guaranteed to be unique across space and time (a la a GUID).
So, if you write a virus and release it into the wild, keep in mind that you might as well have 'GUILTY AS CHARGED' stamped on your forehead.
MSIL code is JIT'ed to native code by the runtime, after byte-verification. If the source MSIL executable has sufficiently high privileges, then it can bypass byte-verification and supply its own pre-JIT'ed native image - this lets you pre-JIT images on your local disk. But MSIL executables would need the "Run native code" privilege in order to supply their own pre-JIT'ed native image, and if they have the "Run native code" privilege, why do they need to bother with supplying bogus pre-JIT'ed native code?
The "Run native code" privilege is the highest privilege. In the default .Net install, this privilege is hard to come by - it is even denied to executables which are loaded from network shares. You either have to have an executable on your local hard disk (i.e. you installed it on your own machine - so you know what you are doing, right?), or it needs to have specific policy setup to grant it that privilege, for example by strongnaming (aka digital signature) or maybe by granting elevated privileges to the website from which it is downloaded (useful for internal websites, not for the Internet).
Basically, the author of the "insightful" article is spouting off his mouth, without actually knowing any facts.
--Don
This virus does not affect .net applets. First, it operates by overwriting the 5 byte native win32 stub. This stub is ONLY used to make the exe work in the existing windows environment. Compare it to #!/bin/bash. The stub calls the framework, pointing back to itself, and the framework loads everything after the stub. If the code were distributed over the internet, it wouldn't be in the form of an exe, but rather that of pure IL (bytecode for all you Java people, a simple class file... in fact, extension .dll). This .dll would be a pure assembly, with no stub to load the framework. No unmanaged code at all. The browser would have already loaded the framework. Thus this virus DOES NOT AFFECT .net. It affects plain windows .exe's, which is just not something to make a big fuss about. You can do this to ANY .exe. As soon as we see a .net virus that modifies the IL itself to gain unprivileged access, that is when you need to start worrying.
well, .net is a common TLD, but they're stealing it now every time the proprietary usage virus propagates to a new person.
Don't ask me why I'm bothering to respond to such a moronic post, but if someone's really looking for a proof-of-concept application for .NET, they can check out http://www.gotdotnet.com/team/compare/ to see how Oracle's benchmarks for their implementation of Sun's own J2EE blueprint Java Pet Store application were destroyed by rewriting it as a .NET app in C#. The performance improved by a factor of 28 in a fraction of the code. Oh yeah, Oracle supposedly rewrote their implementation in response, but curiously won't release the details about how they did it. How convenient. :)
-----Original Message-----
From: Scott Guthrie [mailto:scottgu@microsoft.com]
Sent: Thursday, January 10, 2002 3:59 PM
To: aspngcommunity
Subject: [aspngcommunity] RE: First .NET Created Virus
Just to be clear -- this was not a ".NET virus."
It's a standard Windows virus written largely in unmanaged assembler that happens to locate and modify .NET Framework (MSIL PE) files. So claims that this is the "first .NET virus" are basically inaccurate.
To be infected, a user would have to download an infected .exe application to their system and run it locally -- it cannot spread through Internet Explorer or through Outlook (which blocks potentially dangerous attachments).
In fact, because of the security enhancements in Windows XP it cannot even trigger and spread if you are running Windows XP no matter how hard you try (even if you download and run the .exe on the command line).
In addition, for downloaded code on all platforms, additional safeguards for .NET managed code also detect this virus and will not run it. In other words, users who are taking standard security precautions (like running the current operating system and not downloading and running code they don't know about) won't ever be infected.
Hope this helps explain it some more,
Scott
P.S. Ironically, the virus author even talks about how hard it would be to write a real ".NET virus" -- "How easy it sounded, so hard to code it was. C#, such like Java have VERY STRICT type checking. And I figured out that there's NO easy way how to work with stringz - once a string is defined, you CAN'T change it - and I needed to do that, becoz it was very important for viral functionality."
really? Does writing java now endanger your immortal soul?
:)
hawk
I attended Bill Gates' keynote address at the CES convention this week. I (admittedly naively) expected something a little less partisan than what I saw, being that keynote speeches tend not to be so proprietary in nature. Okay, stupid me. But even in my wildest nightmares I never would have expected such blatant advertisement for Microsoft.
I went just because I wanted to see Bill himself for some odd reason (I guess just to say that I did), and I paid the price. It was 1.5 hours of overproduced propaganda for M$ home electronics, ranging from the X Box to home automation to PDAs to music players to just about anything that could possibly have a single byte of M$ software grafted into it. Billy made it clear that they will dominate the world in all arenas, and I almost literally came away shaking.
Central to many of the things he and his buddies demonstrated there seems to be .NET. Pretty much all of the devices are networked, either through hard lines or wireless, and are Internet ready. After seeing how the M$ television set notifies you of (and lets you view) instant messages, for example, I had to wonder if some day hackers will occupy their time busting into your home appliances with VB script.
It's definitely time to be scared. The day may soon arrive when you pay M$ licensing fees with every toaster oven purchased, and even your freaking toilet can be hacked.
Phat actually dates back to the 1920's.
When in doubt, have a man come through a door with a gun in his hand.
The first poster said there is no, the second said there is.
Sounds like the vaporware phenomenon has extended to virii.
1. It's 'viruses'. ESR says so.
2. Concept Virus is also the name of the virus commonly known as Nimda.
Will I retire or break 10K?
Imagine requiring internet access to get a phone or electric service!
So go down to your local public library and hop on one of the Web terminals. Think of it this way: If you're getting phone service hooked up, how do you call the phone company?
Mono is an implementation of C#, that is it. .NET is a platform and an architecture.
Not so fast. Mono will implement the runtime, using a JIT compiler on some platforms (e.g. ix86) and an interpreter on others. They're working on the class library.
There is such a thing as su on NT
The only su or su-like thing that comes with NT 4 is 'su' in the POSIX subsystem, from which it is impossible to make Win32 calls. Is it possible to change the effective Win32 user and run a Win32 application as that user? Does Cygwin help?
Virus writers are terrorists.
"Unlike acts of terrorism, acts of sabotage do not have a primary objective of causing casualties". They're not terrorists but mere saboteurs.
I'm impressed with the number of slashdot readers who, well, are incapable of reading. Hm, actually, no I'm not.
This is not a .NET virus. It does not infect a .NET executable, it infects a PE executable. It would be a trivial matter to overwrite the entrypoint of a PE with a jump to the end of the file, tack on your own crap, and jump back. This virus does not target .NET, as it does not infect the IL, or utilize any of the framework. This is no different than the COM trojans of the DOS days, and no more a virus than a shell script designed to call rm, to which Linux is incredibly susceptible. It would be very trivial to pull this off with any binary executable format; all you would need to know is a little machine code for the intended platform, and where the entrypoint lies.
Of course, if you read further in the explanation, and know anything about .NET, _CorExeMain is only an intermediary bootstrap for older OSes. It's interesting to note that Windows XP could not be affected by this because Windows XP does not launch it as a PE executable, rather it immediately begins to compile and execute the .NET entrypoint instead.
.NET itself is not immune to virii. To the contrary, the platform was built from the ground up to satisfy both internal compilation needs (System.Reflection) and debugging (System.Diagnostics.) However, .NET is also built from the ground up to employ a deep security model, where each function of each class is scrutinized by a user- or administrator-editable regime of standards based on where the code lies, who is running it, what day of the week it is, etc. .NET installation in Windows creates two control panel applets for the purpose of configuring exactly what may run. For example, I can execute a program containing pointers that has been saved to my local machine if I have the appropriate permissions, but I would not be able to run that same program if the assembly resided on a website, or an SMB share.
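Added example, not from this thread and not Symantec's or Microsoft's code: a small PE32 checker in Python that turns the point made in the two posts above (the infection only touches the native stub in front of the IL) into a defender's check. A managed EXE's native entry point should be nothing but an indirect `jmp` through the import address table slot for mscoree!_CorExeMain, so if the CLR header directory is present but the entry point is not an `FF 25` jump into the IAT, the stub has been tampered with. The sample image is constructed inline and is not a real executable; `build_sample_pe`, `cor_exe_main_stub` and `check_clr_stub` are names I made up.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12             # import address table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header (present only in managed PEs)

def build_sample_pe(stub: bytes, managed: bool = True) -> bytes:
    """Constructed, minimal PE32 image for the demo (not a runnable executable):
    one .text section at RVA 0x2000 holding `stub` at the entry point, an IAT slot
    for mscoree!_CorExeMain at RVA 0x2010 and a CLR header at RVA 0x2020."""
    image_base, text_rva, text_raw = 0x400000, 0x2000, 0x200
    opt = bytearray(224)                        # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic: PE32
    struct.pack_into("<I", opt, 16, text_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, text_rva + 0x10, 8)
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, text_rva + 0x20, 72)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, text_rva, 0x200, text_raw) + b"\0" * 16
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(text_raw, b"\0") + stub.ljust(0x200, b"\0")

def cor_exe_main_stub() -> bytes:
    """The normal stub: jmp dword ptr [IAT slot of _CorExeMain] (FF 25 + absolute VA)."""
    return b"\xff\x25" + struct.pack("<I", 0x400000 + 0x2000 + 0x10)

def check_clr_stub(data: bytes) -> str:
    """Return 'not-pe', 'unsupported', 'not-managed', 'stub-ok' or 'stub-modified'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                         # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return "unsupported"                    # PE32+ (64-bit) layout differs; out of scope here
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT)
    if struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0] == 0:
        return "not-managed"                    # no CLR header: plain Win32 binary, nothing to check
    # Map the entry-point RVA to a file offset through the section table
    for i in range(nsect):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= entry < vaddr + max(vsize, rsize):
            off = entry - vaddr + raw
            break
    else:
        return "stub-modified"                  # entry point lies outside every section
    if data[off:off + 2] != b"\xff\x25":
        return "stub-modified"                  # not an indirect jmp at all
    target = struct.unpack_from("<I", data, off + 2)[0] - image_base
    if not iat_rva <= target < iat_rva + iat_size:
        return "stub-modified"                  # jumps somewhere other than the IAT
    return "stub-ok"
```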
Hate to pick nits, but 'color' and similarly bastardized spellings came about through an effort on the part of Webster and others to distinguish American English from British shortly after the revolution.
Imagine you are a virus. Now tell me how exactly are you going to spread using the stuff found in your home directory.
Mass mail. Just like SirCam. It takes files out of the home directory and sends them to everybody on your address book and in your web cache, both of which reside in (a subdirectory of) your home directory.
Or, if the system is locked down tight enough, then immediately unleash the payload on all the precious files in the home directory: system("rm -rf ~/*");
Dang, now that I think about it, how did the first compiler get compiled?
The first Fortran and Cobol compilers were written in assembly language. The first assembler was written in binary.
Remember this, if I was to write a virus .net seems like a nice vector.
Permission percolation/escalation, by rogue processes latching on to obscure or undocumented APIs, duff parsing/traversal, and MS has not used doubly chained feedback signatures, nor are viri using DMA in ActiveX drivers, should holes be found here, let alone protocol spoofing to another remote IP address.
The real question is what can't XML do. Perhaps .Net means you are willing to reduce your organisation's security level DOWN to what's current at MS on any one given day. Why add unproven products/processes, and is this worth the security tradeoff?
KISS principle. As Sir Humphrey said, why take the simple and effective approach, when there is a much more complicated and expensive alternative available (.Net?).
Haha, good to know Microsoft has its fans.
Just like Dodge has their Concept Car (GT2 anyone) the virii folks have their concept virii, Microsoft will never catch a break.
But I'm kind of scared about Linux virii; it's dangerous because it doesn't seem to be as much of a "problem" but it could be one day. And with most servers being run on Apache, a lot of those processes are started on Linux boxes. Now imagine a virus that would span across all *nix environments, yikes!
or *bsd yikkkes!
Gallix
"The sum of the angles of that rectangle is too monstrous to contemplate." --Commissioner Gordon
The Dutch railway company is blocking non-IE users. Check it out, pass it on, and send a complaint. Thanks.
Pushin' 'n dealin', shovin' 'n stealin'
Is this news?
Of course the register will post it because it sounds bad for MS, but please show me a programming language for which you cannot write a virus.
Java? Nope. You can use JNI and do anything. Java Applets are less restricted, sure, but in general you can.
.NET is a framework that allows you to write applications that can do, among other things, move, delete, or edit files.
If you have that capability, then you can write viruses.
This is sensationalism at its worst, but not a new low for the Register, as they take any excuse (and I mean any, just look at this story) to try to bash MS.
I'm surprised they didn't try to claim that MS invented the concept of a "virus".
MS may not be the best at security, but recent publicity has put them on the defensive and they are actually fixing security holes. I bet this exploit won't work on the release version of the .NET Framework.
"You can now flame me, I am full of love,"
I'll drink to that! -dbabb
hi,
Viruses have been written for all Microsoft platforms, i.e.: DOS, Windows 3.1, Windows NT x.xx, Windows 2000.
The problem is not the product but rather with the virus writers. The guys who cook up some of the best software in the world are very capable of writing viruses but they choose not to do that.
No software is totally immune to viruses or any form of security breach.
If any of these virus writers hate Microsoft, they should spend their time writing better software rather than writing viruses to mess up everybody's life.
thanks.
If anything Unix needs to push it over the top as a secure server operating system, it is the ability to tell the OS that "This file can never be deleted and can only be appended to by ...
More importantly, I think UNIX needs a better security model. Right now one of the big problems is that all of your executables have the same permissions that you do. In a capability based system, your email program may own capabilities for reading its configuration files, but an open() on a file owned by the user would require active user input to succeed. (Someone wrote a paper about using a Windows-like GUI to make capabilities more understandable to the user, but I can't find the url at the moment.)
In any case, here are some links.
"E", a capability-secure language.
Capabilities vs. Microsoft's signed executables solution. (Part of a good introduction to capabilities).
Linux Kernel Capabilities vs. the standard definition of capabilities.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Following this logic (virii is not a word in English since it is not a word in Latin, despite that it is used).. :-)
We must conclude that "Windows" is not a word, since the word "window" is from the norse "vindauge" ("winds-eye", the smoke-hole in the roof of cabins)
Since the plural of vindauge is NOT vindauges, the plural of window cannot be windows.
The repercussions of this for OS nomenclature cannot be underestimated.
que?
We do not live in the 21st century. We live in the 20 second century.
Disclaimer: I don't love or hate .NET and Micro$oft...
I can easily admit that there are some things that M$FT does that are quite cool,
e.g. helping me to get 1600% gain on my nVidia shares! :)
I think it's chattr +a under Linux to make it append only... always a good one to catch kiddies trying to wipe the system logs that can only use chmod :)
DISCLAIMER.... append-only files only secure you from the most idiotic kids... so that's probably most hax0rs out there, but do you really wanna take the chance? Use LIDS (www.lids.org) to make sure.
Cnet holds an article about.