Slashdot Mirror
First (proof-of-concept) .NET virus
Juergen Kreileder writes "Symantec
says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"
More details also at The Register.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
AV companies have been aware of the possibility for a while. It was discussed at the 2001 Virus Bulliten Conference. Here are the abstracts from two papers: MSIL For The .NET Framework: The Next Battleground? amd The Effects of Microsoft .NET on Malicious Threats.
http://benny29a.kgb.cz/
There was a interview with him for Softwarove Noviny (czech magazine), its translation is at:
http://benny29a.kgb.cz/articles/iigi.txt
-- Wanna textmode user interface for ruby? http://freshmeat.net/projects/jttui/
"Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed."
"The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."
Interesting. I predict we will be seeing many, many attacks on .NET somewhat similar to this, since Microsoft kept function pointers (which are unverifiable) in the mix. Good for the checkbox battles, but fatal for security.
When you say .NET, you seem to be referring to the .NET initiative, a company-wide push for XML web services. This is separate from the .NET framework, which is what the virus is about.
.NET framework is an executable platform, with an intermediate language runtime (much like Java bytecode). This is the platform the virus was found on. For compatibility, a 5 byte stub of native code is used to start the execution of MSIL code. The virus infects this stub. You could compare this to a 'java' virus that infected your JVM.
.NET initiative has its own problems. It seems like that's what you're thinking of - the issues with Passport, etc. That's a separate issue and it deserves a lot of evaluation before it's declared a safe platform for storing sensitive information.
The
In contrast, the
Firstly, I'm not a MS fan, I hate to defend them, but I feel compelled to correct gross misconceptions when I see them...
.NET is pretty much a Java clone that supports many languages. That's it...
.NET is capable of an applet like technology, restricting the program to not damage the system)
.NET programmers aren't forced to use Passport just like Java programmers aren't forced to use Jxta. So, I don't see how they're going to force you to use Passport, let alone charge for it.
1.
.NET is a virtual machine. It's as dangerous a Java or any other programming platform. (Yes,
2.
3. Microsoft isn't looking to put everything on the Server. This would jeopardize thier client monopoly, and plus it makes absolutely no sense.
If Microsoft wants to insure a steady revenue stream, they have two ways of doing this.
A. Change the license to require companies to renew thier license after x years.
B. Add new features to the next version causing customers to salivate and upgrade.
They're pretty much doing a good job with B, but if they happen to fail, they can always revert to A.
If you would like me to clarify on any further points, feel free to respond.
"Communism is like having one [local] phone company " - Lenny Bruce