Slashdot Mirror


First (proof-of-concept) .NET virus

Juergen Kreileder writes "Symantec says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"

52 of 384 comments

  1. Also at El Reg by Anonymous+Brave+Guy · · Score: 5, Informative

    More details also at The Register.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. heh by kitts · · Score: 5, Funny

    This is, of course, not counting the slightly philosophical argument that .NET is the first .NET virus.

    --
    -------------------------------------------------- ----
    charlton heston is more of a man than yo
  3. A concept virus? by k98sven · · Score: 4, Funny

    Sounds like the vaporware phenomenon has extended to virii.

  4. Even if I hate .NET, I have to be realistic... by 2Flower · · Score: 4, Interesting

    .NET is dangerous. It's a security disaster waiting to happen. I don't want to use it if I can avoid it...

    See last sentence. WILL we be able to avoid it, realistically? A lot of /.'ers might be able to, but folks who still have to live and work with Microsoft products in the workplace or even at home and want to get things done online might not have a choice. If online shopping services convert over to .NET or god forbid my bill payment services, it's going to be very difficult to avoid having to make that Passport account and start using .NET.

    So, taking the hypothetical stance that one would need to eventually get registered to use .NET services they can't avoid using, what can be done to protect yourself and your data? Are there any .NET developers out there who can comment on how much risk is involved and how it can be minimized beyond 'Don't use it'?

    1. Re:Even if I hate .NET, I have to be realistic... by wo1verin3 · · Score: 3, Informative

      The day I'm FORCED to use a passport, to do business with a NON-MICROSOFT company, is the day I stop doing business with that company.

    2. Re:Even if I hate .NET, I have to be realistic... by SnakeStu · · Score: 3, Insightful

      That's my first thought too, but... what if "that company" is the power company, or the garbage company, or the phone company (the only one to provide service in my area), or something like that? As much as I would love to live "off the grid" I'm not in a position to do it yet, so if "essential" -- but privately owned -- services start forcing consumers to use Passport "to provide better service" (puke), I'm screwed, as would many people be.

    3. Re:Even if I hate .NET, I have to be realistic... by Jaysyn · · Score: 3, Insightful

      umm...I still know lots of people without computers. If infrastructure companies decided to do this, how would they receive payment from the less tech-inclined? I don't think they would be handing out emachines to the constituents or anything like that.

      Jaysyn

      --
      There is a war going on for your mind.
    4. Re:Even if I hate .NET, I have to be realistic... by Jason+Earl · · Score: 5, Interesting

      AOL will almost certainly throw their millions of users towards some other system, and web sites will be forced to support both AOL's system and Microsoft's, or neither (they will probably just stick with whatever they are doing now).

      Trust me, Microsoft's Passport numbers look impressive, but that's almost entirely due to Hotmail (which Microsoft doesn't charge for). In other words they have a load of crap data, and they are just now trying to get folks to actually associate this information with useable information like credit card numbers. To make matters even more interesting, Microsoft has had several well published security exploits. Only the dimmest of dim bulbs is going to trust Microsoft with their billing information (especially since chances are good that all of the places that they purchase things online already have this information). AOL, on the other hand, already has billing information for each and every one of their customers. They have literally got exactly what they need to make Internet Shopping truly painless.

      Better yet, there is at least some chance that AOL will share their Passport equivalent, which will almost certainly spread to other large ISPs.

      And finally, every eCommerce site currently in existence already has a way to charge you money. They aren't likely to throw their old software away and change to a .NET-only site. Microsoft is the only company I can think of that has a good reason to force paying customers towards .NET.

    5. Re:Even if I hate .NET, I have to be realistic... by CaptainSuperBoy · · Score: 5, Informative

      When you say .NET, you seem to be referring to the .NET initiative, a company-wide push for XML web services. This is separate from the .NET framework, which is what the virus is about.

      The .NET framework is an executable platform, with an intermediate language runtime (much like Java bytecode). This is the platform the virus was found on. For compatibility, a 5 byte stub of native code is used to start the execution of MSIL code. The virus infects this stub. You could compare this to a 'java' virus that infected your JVM.

      In contrast, the .NET initiative has its own problems. It seems like that's what you're thinking of - the issues with Passport, etc. That's a separate issue and it deserves a lot of evaluation before it's declared a safe platform for storing sensitive information.

    6. Re:Even if I hate .NET, I have to be realistic... by Kallahar · · Score: 4, Funny

      You said "Internet Shopping" when you should have said "AOL Shopping". If I want to buy a book online I don't want to be forced to sign up with AOL.

      Repeat after me: AOL is not the internet.

  5. Conference included .NET virus capabilities by Dancing_monkey_boy · · Score: 5, Informative

    AV companies have been aware of the possibility for a while. It was discussed at the 2001 Virus Bulletin Conference. Here are the abstracts from two papers: MSIL For The .NET Framework: The Next Battleground? and The Effects of Microsoft .NET on Malicious Threats.

  6. Mono by gordon_schumway · · Score: 4, Funny

    But does it work in Mono?

    --

    Ha! I kill me!

  7. Author is benny by jtra · · Score: 5, Informative
    His home page is at:
    http://benny29a.kgb.cz/

    There was an interview with him for Softwarove Noviny (a Czech magazine); its translation is at:
    http://benny29a.kgb.cz/articles/iigi.txt

    --
    -- Wanna textmode user interface for ruby? http://freshmeat.net/projects/jttui/
  8. Origin? by jbailey999 · · Score: 5, Interesting

    If I remember right, the original word-macro "concept" viruses infected all of the inside of Microsoft within days and had a total payload of "See, I told you it could be done." Several news sources suggested that it was written inside Microsoft by a tech to prove a point.

    I wonder if this too, was a similar sort of event.

  9. l337 hax0r by xg0blin · · Score: 4, Funny

    Wow, he managed to make a virus that infects MICROSOFT software? Holy crap....

  10. The virus. by miguel · · Score: 5, Insightful

    Well, this virus really does not do anything interesting. .NET as any other complete programming environment will allow you to create replicating code (oh big surprise).

    These kinds of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice this kind of virus program never succeeds in the wild due to this kind of security mechanism.

    For .NET "applets" or any other .NET code that is downloaded from the network and executed, the virus would throw an exception because it would not have permission to touch your file system.

    1. Re:The virus. by miguel · · Score: 3, Insightful

      Although it is not well known, .NET includes the same kind of functionality to develop "applets".

      .NET comes with a security system in place to enable executing dynamic and untrusted code in your application domain.

      For example, you could be running an untrusted math analysis tool that is downloaded from the network into say your spreadsheet program without having to worry about the plugin damaging your system (security system kicks in).

      Miguel

  11. Did anybody else.. by mandolin · · Score: 5, Funny
    ..read that as "Symantec says they've released W32.Donut, the first .NET virus"?

    Now that's a business strategy.

  12. Not particularly surprising by gergi · · Score: 4, Insightful

    I'd find it more surprising that hackers weren't already at work trying to hack .NET. Imagine the free pickings some criminally-inclined hacker could have... all the credit card numbers, personal info, etc they ever desired about people who are on average probably pretty clueless (otherwise, they wouldn't be using .NET most likely)

    --
    Nosce te Ipsum
  13. And .NET... by xanadu-xtroot.com · · Score: 4, Funny

    ...was "voted" to be the "Platform of Choice".

    lol

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
  14. Virus Check every SWF, etc? by gmhowell · · Score: 5, Insightful

    Do virus checkers currently check SWF, java, etc files that are downloaded through web browsers?

    It seems that while everyone says we have 'more than enough processing power' it is going to be sucked up by virus scanners and "do you want to run this" pop-up boxes.

    Except of course (for now) on Linux.

    A side point: everyone says "don't run as root, only run as a regular user". Sure. No problem. But suppose I run as a regular user, and get some virus/trojan/whatever. I've got a lot of stuff in my home directory. In fact, I'll even say that it's easier to replace / than /home/*. Are people doing development work under one account, reading email in another, browsing the web in a third, and ripping CD's in a fourth account? Didn't think so. And for that reason, sooner or later, we need more helpful Linux virus solutions than "don't run as root".

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
    1. Re:Virus Check every SWF, etc? by zulux · · Score: 5, Insightful

      In fact, I'll even say that it's easier to replace / than /home/*.

      This is the crux of the matter! /home/* has all of my carefully handmade files. The rest of the tree is all GPL/BSD stuff that I can get off the net and have reinstalled in under an hour. Trash my /usr/local/bin directory and I really won't cry. Trash my /home/posgres directory and I'll lose my billable hours for today.

      If there is anything Unix needs to push it over the top as far as secure server operating systems go, it is the ability to tell the OS that "This File can never be deleted and can only be appended to by Postmaster. Forever. No matter what. Even if I want to get rid of it later." If I could give my clients that, they would jump to UNIX no matter what hurdles they had to jump - they have lost too many Outlook folders and too many database tables due to the insecurity of Windows. They would RUN to Unix.

      Just me and my ramblings. And yes, I know about backups and rsyncing from a locked-down OpenBSD box.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    2. Re:Virus Check every SWF, etc? by Jason+Earl · · Score: 5, Insightful

      Imagine you are a virus. Now tell me how exactly are you going to spread using the stuff found in your home directory. Viruses spread by attaching themselves to executables, but I don't have any executables in my home directory, and if I did there is almost no chance that some other user is going to run them. If by some amazing obscure fluke I did have some binaries in my home directory, and I just so happened to mail one of those infected binaries to a friend, even if my friend did run this binary the virus is stuck with the same low chances for infection. It can only infect files that my friend has read access to, and it can only carry out tasks that my friend has permission to do.

      In other words such a beast has almost no chance of actually spreading.

      Now, someone could send you a malicious email attachment. Something along the lines of:

      #!/bin/sh
      rm -rf ~/

      Of course, this sort of binary has very little chance of getting run. After all, there isn't an email client for Linux that I am aware of that would make this sort of attachment easy to run. You would have to save it to your home directory, set the executable bit, and then run it.

      And even if you did run it, how would it spread? It might try and email itself to everyone in your address book, but Linux doesn't have a default address book, nor is it likely to ever have one. Some folks use mutt, others use Pine, Evolution has its own format, as does Aethera, and for folks like me that use Emacs to read our mail there are several possible places to put our address book.

      Windows has a ton of viruses for four basic reasons:

      1) There are no sensible file permissions. Users can write to system files.

      2) Microsoft has made it easy to do some incredibly stupid things. For example, getting the contents of your address book is dead simple.

      3) Microsoft has blended the line between executable content and data. Double clicking on an icon can either launch a program or open a document. Some documents (like MS Word files) can even contain executable content with full access to your system.

      4) Microsoft is a ubiquitous mono-culture. A Microsoft exploit has plenty of susceptible victims, making it easier for viruses to spread. Even if someone did write a Linux mail virus, the chance of it working on both my Emacs/Gnus set up and someone else's Evolution setup is highly unlikely. Without enough susceptible victims viruses can't spread.

      Even if all of the Joe Sixpacks in the world were running Linux it still would be a good deal less dangerous than what Windows users currently face.

    3. Re:Virus Check every SWF, etc? by Jason+Earl · · Score: 3, Insightful

      Absolute security wouldn't be any fun. It would entail turning off the computer, burying it in concrete and firing it off towards the center of the sun. Linux gives the user a great deal of security without being unusable. It's pretty close to the "ideal form" IMHO.

      Of course, I am not too paranoid. You might prefer OpenBSD :).

  15. Symantec. by ImaLamer · · Score: 3, Interesting

    Don't forget every time a new version of Windows comes out Symantec gets to sell a million copies of its software.

    I know most people won't agree, but doesn't Symantec stand to make a mint if this is true?

    I guess they needed a virus before they released anti-virus software.

  16. I tossed .NET in the fire and this came up! by Dutchmaan · · Score: 3, Funny

    One OS to rule them all, one OS to find them, one OS to bring them all, and in the darkness bind them.

  17. Wow... by Wakko+Warner · · Score: 5, Funny

    ...this is also quite possibly the first .NET application!

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  18. Re:Even before you have a proof-of-concept app? by Pfhreakaz0id · · Score: 3, Informative

    People have been writing .NET apps for well over a year. There are web sites (including some of MSDN, for instance) running on .NET .aspx pages. You can buy books on .NET, for pete's sake.

  19. Homer Sez by ocie · · Score: 4, Funny

    MMMMM, W32.Donut.

    --
    JET Program: see Japan, meet intere
  20. Or decent backup by doublem · · Score: 3, Informative

    Set a cron job that does a backup every hour or two. Have the file time-stamped and rotate out the oldest backups in a way that your hard drive space allows.

    Full backup every few days, and incrementals throughout the day. Bit of thrashing, but it will protect you from most problems.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
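
The scheme doublem describes above (periodic full backups, cheaper incrementals in between, oldest copies rotated out), as an added example that is not code from the thread. Directory names, the `.last-full` marker file and the keep count are assumptions; `demo()` builds its sample tree in a temporary directory.

```python
"""
Added example, not code from the Slashdot comment: timestamped snapshot
backups with rotation. 'full' archives everything under the source, 'incr'
archives only files changed since the last full snapshot, and rotate()
prunes the oldest copies so the set fits a fixed count. Directory names,
the marker file and the keep count are assumptions; demo() constructs its
own sample tree in a temp dir.
"""
import os
import tarfile
import tempfile
import time
from datetime import datetime
from pathlib import Path

MARKER = ".last-full"   # its mtime is the baseline for incrementals (assumed name)


def snapshot(src, dest, kind, stamp=None):
    """Write dest/<kind>-<stamp>.tar.gz and return its path."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    marker = dest / MARKER
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    since = marker.stat().st_mtime if kind == "incr" and marker.exists() else None
    out = dest / f"{kind}-{stamp}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            # a full takes every file; an incremental only those newer than the marker
            if path.is_file() and (since is None or path.stat().st_mtime > since):
                tar.add(path, arcname=str(path.relative_to(src)))
    if kind == "full":
        marker.touch()            # later incrementals are relative to this full
    return out


def rotate(dest, kind, keep):
    """Delete the oldest dest/<kind>-*.tar.gz beyond `keep`; return their names."""
    archives = sorted(Path(dest).glob(f"{kind}-*.tar.gz"))   # stamps sort chronologically
    doomed = archives[:len(archives) - keep] if keep > 0 else archives
    for path in doomed:
        path.unlink()
    return [p.name for p in doomed]


def members(archive):
    """Sorted member names of an archive."""
    with tarfile.open(archive) as tar:
        return sorted(tar.getnames())


def demo():
    """Run the scheme on a constructed tree and report what each archive holds."""
    root = Path(tempfile.mkdtemp())
    src, dest = root / "home", root / "backups"   # dest must not live under src
    src.mkdir()
    (src / "notes.txt").write_text("first draft")
    full = snapshot(src, dest, "full", stamp="20020101-0000")
    (src / "notes.txt").write_text("second draft")
    (src / "new.txt").write_text("created after the full")
    later = time.time() + 60     # push mtimes past the marker regardless of FS resolution
    for name in ("notes.txt", "new.txt"):
        os.utime(src / name, (later, later))
    snapshot(src, dest, "incr", stamp="20020101-0100")
    incr = snapshot(src, dest, "incr", stamp="20020101-0200")
    removed = rotate(dest, "incr", keep=1)
    return {"full": members(full), "incr": members(incr), "removed": removed,
            "remaining": sorted(p.name for p in dest.glob("*.tar.gz"))}


if __name__ == "__main__":
    print(demo())
```

Scheduled from cron, the full and incremental variants would be separate entries (for example a `full` nightly and an `incr` hourly), with `rotate()` run after each; because incrementals are measured against the last full, restoring means the newest full plus the newest incremental after it.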
  21. No sandbox = .NET security by coltrane99 · · Score: 5, Informative
    (from the Symantec site)

    "Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MSIL (intermediate language) gets control if the .NET framework is installed."

    "The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."

    Interesting. I predict we will be seeing many, many attacks on .NET somewhat similar to this, since Microsoft kept function pointers (which are unverifiable) in the mix. Good for the checkbox battles, but fatal for security.

  22. Sick of this sh*t by whovian · · Score: 3, Insightful

    From said Register article:

    However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.

    Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind.

    I hope the latest search for ET intelligence is fruitful so that we can be saved from ourselves.

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
    1. Re:Sick of this sh*t by corbettw · · Score: 5, Funny
      "However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.

      Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind. "

      What the "experts" really mean is they have to completely rewrite their anti-virus software to be .NET compatible, and that everyone will have to buy brand new copies of those programs. So when M$ says that .NET is good for business, we know they're right about at least one business (anti-virus software).

      --
      God invented whiskey so the Irish would not rule the world.
  23. The torch has been passed by evilviper · · Score: 5, Funny

    The torch has been passed...

    Outlook -> .NET

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  24. Re:Even before you have a proof-of-concept app? by 1g$man · · Score: 3, Informative

    .NET can't be released because .NET is not a product.

    .NET is a platform. There are many applications and services that make up the platform. Some parts of the platform have been/are being rolled out.

    Passport/.NET my services is one
    Visual Studio.NET has "gone gold" and will be shipping soon.
    various bits of .NET are included in Windows XP
    .NET alerts are included in the latest MSN Messenger.

    Yadda Yadda.

    Anyway, I think calling this virus a ".NET virus" is misinformation. This virus is a Win32 virus. It doesn't work across all .NET implementations, only Win32 PE format executables. Therefore, it wouldn't work with .NET executables on another platform. It wouldn't even work on 64-bit Windows.

  25. Re:The real question at hand: by Xenopax · · Score: 4, Funny

    What would be the results if Microsoft held this poll?

    Is Microsoft .NET secure, after Symantec found the first virus to infect the software:

    a) Yes
    b) Sure
    c) You bet!

  26. Re:The real question at hand: by cscx · · Score: 4, Funny
    a) Yes, Microsoft are evil soulless monsters
    b) No, "a" would be popular because it's true
    c) No, /.ers would flood the poll towards c
    d) No, polls are always accurate
    e) fish.
    You forgot:

    f) CowboyNeal.NET

  27. .NET virus not such a big deal by Tom7 · · Score: 5, Insightful


    Don't get all worked up, guys. Executable files that can modify other executable files to self-replicate are nothing new, and .NET is not "insecure" because viruses can be written for it. (Though it may be insecure for many other reasons! ;)) Linux has viruses too. The real question is how much damage such code can do once it's run -- on multi-user systems with permissions like linux and NT, presumably this is not much.

    (Regardless, kudos to the creator for the cool hack and for not unleashing it on the world!)

    Personally, I think the idea of high-level languages and portable binaries is a good one, so I am actually excited about the Common Language Runtime (etc.) aspect of .NET. I hate hate hate the web services and passport bit, though...

  28. Worrisome first volley by begonia · · Score: 5, Interesting

    Java, of course, is composed of byte code that runs in a "sandbox" which is supposed to prevent malicious attacks on a user machine. Say what you want about Java, but from what I can tell Sun has been pretty successful in achieving their security goals.

    OTOH, Microsoft, jealous of Java's success, is attempting a similar model and boasts similar security measures, claiming that with .Net Framework driven applications, it will be possible to download apps from the internet and run them without security concerns.

    The problem is that M$ is cutting a bunch of corners that make me very nervous. For example, the user only compiles a program the first time he runs it. After that a machine-code file is left on the user's machine for further runs. Also, M$ is attempting to mix "Managed Code" in with "Unmanaged Code". Their attempt is to make their apps run faster than Java code. But I'm afraid we're going to bear the misfortunes of their aggressive tactics, by being the real victims of a new wave of viruses exploiting these new holes...

    --
    RM
  29. Passport and .NET Security... by slashkitty · · Score: 4, Interesting

    Unfortunately, Passport (which I believe offers the authentication for .NET services?) is really only as secure as the least secure server it's deployed on. More unfortunately, it's deployed on microsoft.com. Even more unfortunately, there are still OPEN SECURITY HOLES on microsoft.com... Oh, how many many ways are there to hijack cookies or script actions with Cross Site Scripting? A lot.

    --
    -- these are only opinions and they might not be mine.
    1. Re:Passport and .NET Security... by barzok · · Score: 3, Informative

      You're not required to use Passport for .NET services. MS just makes it real easy to do so.

  30. .NET pricing model by thrillbert · · Score: 5, Funny
    Small Developer

    $1,000 per year +

    $1,500 per application

    Large Developer

    $10,000 per year +

    $1,500 per application

    Virus Developers

    $1,200 per year +

    $0.25cents per computer infected*

    * Tracking provided by Bill Gate's Email Tracking System(tm)

  31. Where you are wrong... by JohnDenver · · Score: 4, Informative

    Firstly, I'm not a MS fan, I hate to defend them, but I feel compelled to correct gross misconceptions when I see them...

    1. .NET is pretty much a Java clone that supports many languages. That's it...
    .NET is a virtual machine. It's as dangerous as Java or any other programming platform. (Yes, .NET is capable of an applet-like technology, restricting the program so it cannot damage the system.)

    2. .NET programmers aren't forced to use Passport just like Java programmers aren't forced to use Jxta. So, I don't see how they're going to force you to use Passport, let alone charge for it.

    3. Microsoft isn't looking to put everything on the Server. This would jeopardize their client monopoly, and plus it makes absolutely no sense.
    If Microsoft wants to ensure a steady revenue stream, they have two ways of doing this.

    A. Change the license to require companies to renew their license after x years.
    B. Add new features to the next version causing customers to salivate and upgrade.

    They're pretty much doing a good job with B, but if they happen to fail, they can always revert to A.

    If you would like me to clarify on any further points, feel free to respond.

    --
    "Communism is like having one [local] phone company " - Lenny Bruce
  32. Only in stub, not truly a .NET/CLR security hack by dmarsh · · Score: 3, Informative

    This virus takes advantage of the fact that the PE for CLR executable assemblies includes a small stub to bootstrap itself into older platforms that do not recognize and/or honor .NET PEs natively (i.e. older versions of Windows).

    This is really not part of .NET or the CLR, but rather a MS specific "optimization" that saves them from having to retrofit CLR PE recognition into their older platforms when the CLR is RTM. For more information, check out this thread[1] on the Developmentor .NET mailing list.

    The important thing to point out is that this hack does not foil CLR security. It's foiling standard Win32 security, and only because of the aforementioned "optimization".

    Later,
    Drew

    [1] http://discuss.develop.com/archives/wa.exe?A2=ind0107B&L=DOTNET&D=0&P=47726
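
The two symptoms Symantec describes in comment 21 (the entry-point jump redirected into the last section, and the relocation directory nulled while the .reloc section is overwritten) and the stub explanation in comment 32 together suggest a cheap header-level integrity check for managed PE files. The following is an added example, not code from the thread, from Symantec or from Microsoft: it parses the PE32 headers, confirms the image carries a CLR header, and flags an entry point that lands in the image's last section or a zeroed base-relocation directory alongside a present .reloc section. The sample images are constructed inline from header fields only (no code, no real program) to exercise the checks; the section layout and RVAs are assumptions.

```python
"""
Added example, not code from the Slashdot thread, Symantec or Microsoft:
a header-level integrity check for managed (.NET) PE32 executables.
Symptoms checked: entry point no longer in the code section but in the
image's last section; base-relocation directory zeroed although a .reloc
section is still present. Sample images below are constructed test data.
"""
import struct

PE32_MAGIC = 0x10B      # optional-header magic for 32-bit images
DIR_BASERELOC = 5       # IMAGE_DIRECTORY_ENTRY_BASERELOC
DIR_CLR = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)


def build_sample_pe(entry_rva, reloc_dir_rva, clr_dir_rva, sections):
    """Construct a header-only PE32 image (constructed test data, not a program).
    `sections` is a list of (name, virtual address, virtual size)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC,
                     reloc_dir_rva, 0x10 if reloc_dir_rva else 0)
    struct.pack_into("<II", opt, 96 + 8 * DIR_CLR,
                     clr_dir_rva, 0x48 if clr_dir_rva else 0)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, 0)
        for name, rva, size in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + headers


def parse_pe(data):
    """Read entry-point RVA, data directories and section table from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt_off + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, rva = struct.unpack_from("<8sII", data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize))
    return {"entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def section_for(sections, rva):
    """Name of the section whose virtual range contains `rva`, or None."""
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return None


def check_managed_pe(data):
    """Return (verdict, reasons): 'not-managed', 'ok' or 'suspicious'."""
    pe = parse_pe(data)
    dirs, sections = pe["dirs"], pe["sections"]
    if len(dirs) <= DIR_CLR or dirs[DIR_CLR][0] == 0:
        return "not-managed", []           # no CLR header: ordinary Win32 image
    reasons = []
    entry_sec = section_for(sections, pe["entry_rva"])
    if entry_sec is None:
        reasons.append("entry point lies outside every section")
    elif len(sections) > 1 and entry_sec == sections[-1][0]:
        reasons.append(f"entry point lands in the last section ({entry_sec})")
    has_reloc_sec = any(name == ".reloc" for name, _, _ in sections)
    if has_reloc_sec and dirs[DIR_BASERELOC][0] == 0:
        reasons.append(".reloc section present but relocation directory zeroed")
    return ("suspicious" if reasons else "ok"), reasons


# Constructed samples (assumed layout): a typical managed image, the same
# layout showing both symptoms, and a native image without a CLR header.
LAYOUT = [(".text", 0x2000, 0x1000), (".rsrc", 0x4000, 0x400), (".reloc", 0x6000, 0x200)]
CLEAN = build_sample_pe(0x2FEE, 0x6000, 0x2008, LAYOUT)
TAMPERED = build_sample_pe(0x6100, 0, 0x2008, LAYOUT)
NATIVE = build_sample_pe(0x2000, 0x6000, 0, LAYOUT)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tampered", TAMPERED), ("native", NATIVE)):
        print(label, *check_managed_pe(image))
```

This is a heuristic, not a signature: a legitimate packer or a post-link tool can also move the entry point, so a hit is a reason to compare the file against a known-good hash or its strong-name signature, not a verdict on its own. Following the stub itself to confirm it still jumps through the import entry for `_CorExeMain` is the natural next check and is left out here.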

  33. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  34. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  35. Why .NET is doomed by IGnatius+T+Foobar · · Score: 4, Insightful

    .NET is doomed to be a digital Petri dish for viruses. This is because Microsoft will rush it to market. Every day that passes without .NET being completed is another day that J2EE continues to entrench itself in the enterprise. This is happening because J2EE is actually good technology.

    Microsoft has to get some of the .NET framework rolled out quickly. And they're going to do that the same way they always do: by skipping most of the security QA they should be doing.

    Rest assured that .NET will be every bit as secure as Windows XP -- i.e. not secure at all.

    You can count on it.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  36. First Java virus in 1998 by slashkitty · · Score: 3, Informative

    http://www.cnn.com/TECH/computing/9808/19/javavirus.idg/ and I'm sure it's not the only one...

    --
    -- these are only opinions and they might not be mine.
  37. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  38. Go to jail, go directly to jail... by Duderstadt · · Score: 3, Insightful

    For those unfamiliar with .NET assemblies, here's a little tip for wanna-be virus writers:

    All .NET assemblies are digitally signed. The sig is put together by the compiler and is guaranteed to be unique across space and time (a la a GUID).

    So, if you write a virus and release it into the wild, keep in mind that you might as well have 'GUILTY AS CHARGED' stamped on your forehead.

  39. Re:Makes me Shudder by Zico · · Score: 3, Funny

    I see this .NET stuff being unleashed upon us with holes in it before it even gets started.


    Ermmm, which holes? You *did* read the article right? Or did you just not understand it?

  40. Re:Might get modded as flamebait, but oh well... by mcrbids · · Score: 3, Informative

    I'm unsure of the "troll factor" in this post, but I'm biting...

    In past experience, I find it's typically best to consider stability issues to be the fault of the underlying hardware.

    I've many times seen Linux perform flawlessly on motherboards that Windows was horribly unstable on. The reverse I've never seen (A Windows system stable on H/W that Linux was unstable on)

    That's not to say that there isn't some misconfiguration or something in your setup, but I've just never seen it. And note that not all hardware works with Linux (duh!), but we're talking stability here, not compatibility.

    So, without any further ado:

    YOU HAVE BAD HARDWARE, DUDE!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.