First (proof-of-concept) .NET virus
Juergen Kreileder writes "Symantec
says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"
Heh I still haven't fully figured out just what .NET is - as near as I can figure it's a framework to allow for easier Application Hosting? I also get the idea that MS is going to be cramming it down our throats :)
More details also at The Register.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
This is, of course, not counting the slightly philosophical argument that .NET is the first .NET virus.
-------------------------------------------------
charlton heston is more of a man than yo
Sounds like the vaporware phenomenon has extended to virii.
And this is different from any other Win32 virus how?
.net code is either compiled to native .exe code or into intermediate code, which a virus could, yes, infect. how is this more or less dangerous than compiling normal C/C++ code into an .exe which can spread viruses?
So if Symantec were to host a poll that asked:
Is Microsoft .NET secure, after we found the first virus to infect the software:
a) Yes
b) No
c) Hell No
Would a) be the most popular choice because of Microsoft Vote-Rigging and Ballot Stuffing?
;)
.NET is dangerous. It's a security disaster waiting to happen. I don't want to use it if I can avoid it...
See last sentence. WILL we be able to avoid it, realistically? A lot of /.'ers might be able to, but folks who still have to live and work with Microsoft products in the workplace or even at home and want to get things done online might not have a choice. If online shopping services convert over to .NET or god forbid my bill payment services, it's going to be very difficult to avoid having to make that Passport account and start using .NET.
So, taking the hypothetical stance that one would need to eventually get registered to use .NET services they can't avoid using, what can be done to protect yourself and your data? Are there any .NET developers out there who can comment on how much risk is involved and how it can be minimized beyond 'Don't use it'?
AV companies have been aware of the possibility for a while. It was discussed at the 2001 Virus Bulletin Conference. Here are the abstracts from two papers: MSIL For The .NET Framework: The Next Battleground? and The Effects of Microsoft .NET on Malicious Threats.
But does it work in Mono?
Ha! I kill me!
http://benny29a.kgb.cz/
There was an interview with him for Softwarove Noviny (Czech magazine); its translation is at:
http://benny29a.kgb.cz/articles/iigi.txt
-- Wanna textmode user interface for ruby? http://freshmeat.net/projects/jttui/
If I remember right, the original word-macro "concept" viruses infected all of the inside of Microsoft within days and had a total payload of "See, I told you it could be done." Several news sources suggested that it was written inside Microsoft by a tech to prove a point.
I wonder if this too, was a similar sort of event.
Wow, he managed to make a virus that infects MICROSOFT software? Holy crap....
Well, this virus really does not do anything interesting. .NET as any other complete programming environment will allow you to create replicating code (oh big surprise).
For .NET "applets" or any other .NET code that is downloaded from the network and executed, the virus would throw an exception because it would not have permission to touch your file system.
This kind of virus program will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice this kind of virus program never succeeds in the wild due to this kind of security mechanism.
Now that's a business strategy.
I'd find it more surprising that hackers weren't already at work trying to hack .NET. Imagine the free pickings some criminally-inclined hacker could have...
all the credit card numbers, personal info, etc they ever desired about people who are on average probably pretty clueless (otherwise, they wouldn't be using .NET most likely)
Nosce te Ipsum
AV companies rarely name the virus by the name the virus author wants. This is done so that there is, hopefully, less incentive to write a virus.
Hogsback
...was "voted" to be the "Platform of Choice".
lol
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Do virus checkers currently check SWF, java, etc files that are downloaded through web browsers?
It seems that while everyone says we have 'more than enough processing power' it is going to be sucked up by virus scanners and "do you want to run this" pop-up boxes.
Except of course (for now) on Linux.
A side point: everyone says "don't run as root, only run as a regular user". Sure. No problem. But suppose I run as a regular user, and get some virus/trojan/whatever. I've got a lot of stuff in my home directory. In fact, I'll even say that it's easier to replace / than /home/*. Are people doing development work under one account, reading email in another, browsing the web in a third, and ripping CD's in a fourth account? Didn't think so. And for that reason, sooner or later, we need more helpful Linux virus solutions than "don't run as root".
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Don't forget every time a new version of Windows comes out Symantec gets to sell a million copies of its software.
I know most people won't agree, but doesn't Symantec stand to make a mint if this is true?
I guess they needed a virus before they released anti-virus software.
Get your Unix fortune now!
One OS to rule them all, one OS to find them, one OS to bring them all, and in the darkness bind them.
...this is also quite possibly the first .NET application!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
MMMMM, W32.Donut.
JET Program: see Japan, meet intere
Set a Cron Job that does a backup every hour or two. Have the file time stamped and rotate out the oldest backups in a way that you hard drive space allows.
Full backup every few days, and incrementals throughout the day. Bit of thrashing, but it will protect you from most problems.
"Live Free or Die." Don't like it? Then keep out of the USA
"Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed."
"The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."
Interesting. I predict we will be seeing many, many attacks on .NET somewhat similar to this, since Microsoft kept function pointers (which are unverifiable) in the mix. Good for the checkbox battles, but fatal for security.
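As an added defender-side illustration (not from Symantec, The Register or any poster above), the following Python check reads a PE32 .NET executable and flags the three changes the quoted description mentions: an entry stub that is no longer an indirect jump through the import slot for _CorExeMain, an entry point redirected into the last section, and a nulled relocation directory next to a .reloc section. It assumes the genuine stub is the `FF 25` indirect jmp the compiler emits, and the sample image it checks is constructed inside the block, not taken from a real binary.

```python
import struct

# Data directory indices from the PE/COFF spec.
DIR_BASERELOC, DIR_IAT, DIR_CLR = 5, 12, 14


def parse_pe32(pe: bytes):
    """Return (entry_rva, image_base, data_dirs, sections) for a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # start of the optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    return entry_rva, image_base, dirs, sections


def rva_to_offset(rva: int, sections) -> int:
    """Map an RVA to a file offset through the section table; -1 if unmapped."""
    for _, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    return -1


def check_clr_stub(pe: bytes) -> list:
    """Findings about the native bootstrap stub of a .NET PE32; [] means it looks intact."""
    entry_rva, image_base, dirs, sections = parse_pe32(pe)
    if len(dirs) <= DIR_CLR or dirs[DIR_CLR][0] == 0:
        return ["no CLR runtime header: not a .NET assembly"]
    findings = []
    # 1. The stub should be 'jmp dword ptr [slot]' (FF 25 + absolute address of the
    #    _CorExeMain import slot); anything else means the entry stub was rewritten.
    off = rva_to_offset(entry_rva, sections)
    stub = pe[off:off + 6] if off >= 0 else b""
    if stub[:2] != b"\xff\x25":
        findings.append("entry stub is not an indirect jmp (first byte %s)" % stub[:1].hex())
    else:
        slot_rva = struct.unpack_from("<I", stub, 2)[0] - image_base
        iat_va, iat_size = dirs[DIR_IAT]
        if not iat_va <= slot_rva < iat_va + iat_size:
            findings.append("jmp slot 0x%x lies outside the import address table" % slot_rva)
    # 2. A genuine entry point lives in the code section, not in the file's last section.
    name, va, size, _ = sections[-1]
    if va <= entry_rva < va + size:
        findings.append("entry point is inside the last section (%s)" % name)
    # 3. A .reloc section whose directory entry has been zeroed is a sign of overwriting.
    if any(s[0] == ".reloc" for s in sections) and dirs[DIR_BASERELOC] == (0, 0):
        findings.append(".reloc section present but the relocation directory is nulled")
    return findings


def build_sample(tampered: bool = False) -> bytes:
    """Constructed minimal PE32 .NET-style image (not a real binary) to exercise the checks."""
    image_base, text_rva, iat_rva, clr_rva, reloc_rva = 0x400000, 0x1000, 0x1100, 0x1200, 0x2000
    entry_rva = reloc_rva if tampered else text_rva
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_CLR] = (iat_rva, 8), (clr_rva, 72)
    dirs[DIR_BASERELOC] = (0, 0) if tampered else (reloc_rva, 12)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, len(dirs))
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)

    def sec(n, va, raw):  # section header: 0x200 bytes virtual and raw, executable/readable
        return struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
    hdr = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 64))  # DOS header, e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
    hdr += sec(b".text", text_rva, 0x200) + sec(b".reloc", reloc_rva, 0x400)
    image = bytearray(0x600)
    image[:len(hdr)] = hdr
    if tampered:  # constructed fixture: entry hijacked into .reloc with a relative jmp
        image[0x400:0x405] = b"\xe9" + struct.pack("<i", -0x1000)
    else:  # genuine stub: jmp through the IAT slot that holds _CorExeMain
        image[0x200:0x206] = b"\xff\x25" + struct.pack("<I", image_base + iat_rva)
    return bytes(image)
```

Run `check_clr_stub` over a real assembly by passing the file's bytes; the constructed clean sample yields no findings and the tampered one yields all three.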
From said Register article:
However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.
Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind.
I hope the latest search for ET intelligence is fruitful so that we can be saved from ourselves.
To-do List: Receive telemarketing call during a tornado warning. Check.
The torch has been passed...
Outlook -> .NET
Virii are money making entities in themselves and I'm tired of seeing companies encouraging the creation of Virii. I don't remember when, but I do remember a scandal typeness on the net a LONG while ago about McAfee going out to software writers to see if they would be interested in writing virii to test out their detector ... then they just happen to get released out into the wild.
The other thing that I see wrong with Virii and Worms is that it kills the IT world. IT department heads are forced to clean up after end user mistakes when they could be developing. And when a worm like Nimda is released my bandwidth was cut by a third almost.
It's ridiculous ... and I'm really sick of it ... virii writers are the lowest of lows when it comes to software. A monkey can code, but a true hacker can realize when his code could harm something or someone.
Ignore the "p2p is theft" trolls, they're just uninformed
article here.
The virus wasn't even written in CLR. Basic security measures are similar to Java. Apps run in a sandbox, and can only access what they have permission to access. So as an example, if you download code from the internet, or load an app from a non-local resource, by default it won't have access to System.Net, which contains the Networking classes...
Also CLR code can be signed and authenticated, so if you run code, the Framework can check for Authentication/Authorization and Integrity. That will surely put a cramp on viruses.
Also as far as buffer overflows are concerned, .NET is a lot more strict on memory, so I don't think that should be a concern. Besides, code sections don't even stay in the same place in memory. The garbage collector can actually move your objects around in memory if needed. With that in mind, a traditional buffer-overflow exploit probably wouldn't be guaranteed to work anyways. And that's if there even was a buffer-overflow problem to exploit.
And when the CLR/CLI goes through ECMA standardization, you may not even have to rely on MS to supply the framework. I know groups are already working on getting a CLR platform on Linux as an example....
Don't get all worked up, guys. Executable files that can modify other executable files to self-replicate are nothing new, and
(Regardless, kudos to the creator for the cool hack and for not unleashing it on the world!)
Personally, I think the idea of high-level languages and portable binaries is a good one, so I am actually excited about the Common Language Runtime (etc.) aspect of
Java, of course, is composed of byte code that runs in a "sandbox" which is supposed to prevent malicious attacks on a user machine. Say what you want about Java, but from what I can tell Sun has been pretty successful in achieving their security goals.
OTOH, Microsoft, jealous of Java's success, is attempting a similar model and boasts similar security measures, claiming that with .Net Framework driven applications, it will be possible to download apps from the internet and run them without security concerns.
The problem is that M$ is cutting a bunch of corners that make me very nervous. For example, the user only compiles a program the first time he runs it. After that a machine-code file is left on the user's machine for further runs. Also, M$ is attempting to mix "Managed Code" in with "Unmanaged Code". Their attempt is to make their apps run faster than Java code. But I'm afraid we're going to bear the misfortunes of their aggressive tactics, by being the real victims of a new wave of viruses exploiting these new holes...
RM
More details also at cNet News. It's been there for a couple of hours, and I thought about posting it but was too lazy.
Unfortunately, Passport (which I believe offers the authentication for .NET services?) is really only as secure as the least secure server it's deployed on. More unfortunately, it's deployed on microsoft.com. Even more unfortunately, there are still OPEN SECURITY HOLES on microsoft.com... Oh, how many many ways are there to hijack cookies or script actions with Cross Site Scripting? A lot.
-- these are only opinions and they might not be mine.
Having a kid infect a .NET server makes it harder for those working with web services. Large institutions most likely will continue their web services plans, but it makes it harder for consumers to trust the services. Non technical people might think all web services are full of security holes and decide none of it is any good.
In microsoft's race to get something out, they are doing more damage to the perception of the web services industry than anything else. Consumers are already freaked about big corp taking too much control. It's great the security hole has been revealed, but it shouldn't have been so easy. Like the kid says in his interview, "they are the idiots." Is the consumer going to agree with the kid or the company that just got hacked?
$1,000 per year +
$1,500 per application
Large Developer
$10,000 per year +
$1,500 per application
Virus Developers
$1,200 per year +
$0.25 per computer infected*
* Tracking provided by Bill Gate's Email Tracking System(tm)
Firstly, I'm not a MS fan, I hate to defend them, but I feel compelled to correct gross misconceptions when I see them...
.NET is pretty much a Java clone that supports many languages. That's it...
1. .NET is a virtual machine. It's as dangerous as Java or any other programming platform. (Yes, .NET is capable of an applet like technology, restricting the program to not damage the system)
2. .NET programmers aren't forced to use Passport just like Java programmers aren't forced to use Jxta. So, I don't see how they're going to force you to use Passport, let alone charge for it.
3. Microsoft isn't looking to put everything on the Server. This would jeopardize their client monopoly, and plus it makes absolutely no sense.
If Microsoft wants to ensure a steady revenue stream, they have two ways of doing this.
A. Change the license to require companies to renew their license after x years.
B. Add new features to the next version causing customers to salivate and upgrade.
They're pretty much doing a good job with B, but if they happen to fail, they can always revert to A.
If you would like me to clarify on any further points, feel free to respond.
"Communism is like having one [local] phone company " - Lenny Bruce
Java Virii: 0
Seriously, wouldn't a Java virus be great? I mean, it runs on just about anything (including your PlayStation 2). I wonder why there aren't any roaming the net . . .
Maybe because Sun actually put some effort into the security aspects of an inherently dangerous idea?
Do not touch -Willie
I'm rather amused by this article: .Net may lead to fewer viruses, but I'm baffled by the name!!!
The article is dated 28/09/2001, 4 months ago.
They say:
".Net will almost undoubtedly create fresh infection mechanisms for virus writers to exploit."
"[.Net] not yet addressed by AV[AntiVirus] products."
"a .Net virus might contain only something that specifies where malicious code comes from."
"Viruses that infect .Net binaries, Trojans written in .Net languages and malicious code taking advantages of .Net services are all possible."
"it might allow 'viruses to propagate to operating systems that were previously considered low risk'"
Why the HELL is the article titled ".Net may lead to fewer viruses"?!?!?!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I keep hearing the marketshare argument, but it doesn't hold water. There are still more Apache webservers than IIS webservers, but which one almost shut down the internet by propagating Code Red? The worst hole I've seen in Apache lately is one where a user can see the contents listing of a directory even if that's turned off.
--
E_NOSIG
This virus takes advantage of the fact that the PE for CLR executable assemblies includes a small stub to bootstrap itself into older platforms that do not recognize and/or honor .NET PEs natively (i.e. older versions of Windows).
This is really not part of .NET or the CLR, but rather a MS specific "optimization" that saves them from having to retrofit CLR PE recognition into their older platforms when the CLR is RTM. For more information, check out this thread[1] on the Developmentor .NET mailing list.
The important thing to point out is that this hack does not foil CLR security. It's foiling standard Win32 security and only because of the aforementioned "optimization".
Later,
Drew
[1] http://discuss.develop.com/archives/wa.exe?A2=ind0107B&L=DOTNET&D=0&P=47726
1. That right there makes a
2. Passport and
I would honestly predict that very few
Remember Passport is just an authentication service with extras. This is a commodity technology with a lot of players, and if it does get hot I'm sure Yahoo or AOL are very capable of making thier own competiting authenication services...
.NET is doomed to be a digital Petri dish for viruses. This is because Microsoft will rush it to market. Every day that passes without .NET being completed is another day that J2EE continues to entrench itself in the enterprise. This is happening because J2EE is actually good technology.
Microsoft has to get some of the .NET framework rolled out quickly. And they're going to do that the same way they always do: by skipping most of the security QA they should be doing.
Rest assured that .NET will be every bit as secure as Windows XP -- i.e. not secure at all.
You can count on it.
http://www.cnn.com/TECH/computing/9808/19/javavirus.idg/ and I'm sure it's not the only one...
There are flag bits called "attributes" that can be placed on ext2 files; see lsattr(1) and chattr(1). The one you want is either 'a' or 'i', I think, or some combination thereof.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
For those unfamiliar with .NET assemblies, here's a little tip for wanna-be virus writers:
All .NET assemblies are digitally signed. The sig is put together by the compiler and is guaranteed to be unique across space and time (a la a GUID).
So, if you write a virus and release it into the wild, keep in mind that you might as well have 'GUILTY AS CHARGED' stamped on your forehead.
Don't ask me why I'm bothering to respond to such a moronic post, but if someone's really looking to for a proof-of-concept application for .NET, they can check out http://www.gotdotnet.com/team/compare/ to see how Oracle's benchmarks for their implementation of Sun's own J2EE blueprint Java Pet Store application were destroyed by rewriting it as a .NET app in C#. The performance improved by a factor of 28 in a fraction of the code. Oh yeah, Oracle supposedly rewrote their implementation in response, but curiously won't release the details about how they did it. How convenient. :)
I see this .NET stuff being unleashed upon us with holes in it before it even gets started.
Ermmm, which holes? You *did* read the article right? Or did you just not understand it?
I attended Bill Gates' keynote address at the CES convention this week. I (admittedly naively) expected something a little less partisan than what I saw, being that keynote speeches tend not to be so proprietary in nature. Okay, stupid me. But even in my wildest nightmares I never would have expected such blatant advertisement for Microsoft.
I went just because I wanted to see Bill himself for some odd reason (I guess just to say that I did), and I paid the price. It was 1.5 hours of overproduced propaganda for M$ home electronics, ranging from the X Box to home automation to PDAs to music players to just about anything that could possibly have a single byte of M$ software grafted into it. Billy made it clear that they will dominate the world in all arenas, and I almost literally came away shaking.
Central to many of the things he and his buddies demonstrated there seems to be .NET. Pretty much all of the devices are networked, either through hard lines or wireless, and are Internet ready. After seeing how the M$ television set notifies you of (and lets you view) instant messages, for example, I had to wonder if some day hackers will occupy their time busting into your home appliances with VB script.
It's definitely time to be scared. The day may soon arrive when you pay M$ licensing fees with every toaster oven purchased, and even your freaking toilet can be hacked.
Phat actually dates back to the 1920's.
When in doubt, have a man come through a door with a gun in his hand.
Sounds like the vaporware phenomenon has extended to virii.
1. It's 'viruses'. ESR says so.
2. Concept Virus is also the name of the virus commonly known as Nimda.
Will I retire or break 10K?
Virus writers are terrorists.
"Unlike acts of terrorism, acts of sabotage do not have a primary objective of causing casualties". They're not terrorists but mere saboteurs.
I'm impressed with the number of slashdot readers who, well, are incapable of reading. Hm, actually, no I'm not.
.NET itself is not immune to virii. To the contrary, the platform was built from the ground up to satisfy both internal compilation needs (System.Reflection) and debugging (System.Diagnostics.) However, this is not a .NET virus. It does not infect a .NET executable, it infects a PE executable. It would be a trivial matter to overwrite the entrypoint of a PE with a jump to the end of the file, tack on your own crap, and jump back. This virus does not target .NET, as it does not infect the IL, or utilize any of the framework. This is no different than the COM trojans of the DOS days, and no more a virus than a shell script designed to call rm, to which Linux is incredibly susceptible. It would be very trivial to pull this off with any binary executable format, all you would need to know is a little machine code for the intended platform, and where the entrypoint lies.
Of course, if you read further in the explanation, and know anything about .NET, _CorExeMain is only an intermediary bootstrap for older OSes. It's interesting to note that Windows XP could not be affected by this because Windows XP does not launch it as a PE executable, rather immediately begins to compile and execute the .NET entrypoint instead.
.NET is also built from the ground up to employ a deep security model, where each function to each class is scrutinized by a user or administration editable regime of standards based on where the code lies, who is running it, what day of the week it is, etc. .NET installation in Windows creates two control panel applets for the purpose of configuring exactly what may run. For example, I can execute a program containing pointers that has been saved to my local machine if I have the appropriate permissions, but I would not be able to run that same program if the assembly resided on a website, or an SMB share.
I'm unsure of the "troll factor" in this post, but I'm biting...
In past experience, I find it's typically best to consider stability issues to be the fault of the underlying hardware.
I've many times seen Linux perform flawlessly on motherboards that Windows was horribly unstable on. The reverse I've never seen (a Windows system stable on H/W that Linux was unstable on).
That's not to say that there isn't some misconfiguration or something in your setup, but I've just never seen it. And note that not all hardware works with Linux (duh!) but we're talking stability here, not compatibility.
So, without any further ado:
YOU HAVE BAD HARDWARE, DUDE!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Just to be contrary and perverse: On this box Win95 is utterly stable (hardly ever crashes, and never BSODs), but linux fell over regularly (mostly Gnome, but sometimes the base OS would just halt during startup) -- this was probably due to a disagreement with the S3Trio video card.
On one particularly buggy batch of K6-2 CPUs, linux would not run at all, but Win32 will run just fine (tho it won't install; has to be installed with another CPU in place).
I warned you this post was contrary and perverse :)
~REZ~ #43301. Who'd fake being me anyway?
que?
We do not live in the 21st century. We live in the 20 second century.
I see, you're saying that a program that allows a user to run a program as a different user doesn't exist. That's strange because I seem to remember using SUDO, the SUID bit & the SGID bit for some time now.
very few compiler programmers would think anyone would be insane enough to type "cc MySource.c -o /etc/cc/compiler-time-billing-log.txt".
Or cp or mv.
Fumble-fingers and tab completion.
I destroyed several production web sites because of a we<tab> instead of wo<tab>.
I'm too much a newbie to know what the details are, but what you want is the ability to run email viruses with impunity. You don't stop them from running. You stop them from being able to do anything, even delete themselves. Won't be easy. Might be some clues in Multics.