
First (proof-of-concept) .NET virus

Posted by CmdrTaco
from the guess-that-isn't-surprising dept.
Juergen Kreileder writes "Symantec says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"
  • .NET? (Score:2, Interesting)

    Heh I still haven't fully figured out just what .NET is - as near as I can figure it's a framework to allow for easier Application Hosting? I also get the idea that MS is going to be cramming it down our throats :)
  • Also at El Reg (Score:5, Informative)

    by Anonymous Brave Guy (457657) on Thursday January 10, 2002 @03:15PM (#2818205)

    More details also at The Register [theregister.co.uk].

    • Sick of this sh*t (Score:3, Insightful)

      by whovian (107062)
      From said Register article:

      However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.

      Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind.

      I hope the latest search [slashdot.org] for ET intelligence is fruitful so that we can be saved from ourselves.
      • by corbettw (214229) <corbettw.yahoo@com> on Thursday January 10, 2002 @03:43PM (#2818438) Journal
        "However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.

        Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind. "

        What the "experts" really mean is they have to completely rewrite their anti-virus software to be .NET compatible, and that everyone will have to buy brand new copies of those programs. So when M$ says that .NET is good for business, we know they're right about at least one business (anti-virus software).

    • And CNET also has an (Score:2, Informative)

      by inerte (452992)
      article here. [cnet.com]
  • heh (Score:5, Funny)

    by kitts (545683) on Thursday January 10, 2002 @03:16PM (#2818219) Homepage
    This is, of course, not counting the slightly philosophical argument that .NET is the first .NET virus.
  • by k98sven (324383) on Thursday January 10, 2002 @03:17PM (#2818232) Journal
    Sounds like the vaporware phenomenon has extended to virii.
  • Yay (Score:2, Insightful)

    by 1g$man (221286)
    And this is different from any other Win32 virus how?

    So .NET code is either compiled to native .exe code or into intermediate code, which a virus could, yes, infect. How is this more or less dangerous than compiling normal C/C++ code into an .exe which can spread viruses?
  • If Symantec were to host a poll that asked:

    Is Microsoft .NET secure, after we found the first virus to infect the software:
    a) Yes
    b) No
    c) Hell No

    Would a) be the most popular choice because of Microsoft Vote-Rigging and Ballot Stuffing? ;)
  • by 2Flower (216318) on Thursday January 10, 2002 @03:18PM (#2818239) Homepage

    .NET is dangerous. It's a security disaster waiting to happen. I don't want to use it if I can avoid it...

    See last sentence. WILL we be able to avoid it, realistically? A lot of /.'ers might be able to, but folks who still have to live and work with Microsoft products in the workplace or even at home and want to get things done online might not have a choice. If online shopping services convert over to .NET or god forbid my bill payment services, it's going to be very difficult to avoid having to make that Passport account and start using .NET.

    So, taking the hypothetical stance that one would need to eventually get registered to use .NET services they can't avoid using, what can be done to protect yourself and your data? Are there any .NET developers out there who can comment on how much risk is involved and how it can be minimized beyond 'Don't use it'?

    • The day i'm FORCED to use a passport, to do business with a NON-MICROSOFT company, is the day I stop doing business with that company.
      • That's my first thought too, but... what if "that company" is the power company, or the garbage company, or the phone company (the only one to provide service in my area), or something like that? As much as I would love to live "off the grid" I'm not in position to do it yet, so if "essential" -- but privately owned -- services start forcing consumers to use Passport "to provide better service" (puke), I'm screwed, as would many people be.
        • umm...I still know lots of people without computers. If infrastructure companies decided to do this, how would they receive payment from the less tech inclined? I don't think they would be handing out eMachines to the constituents or anything like that.

          Jaysyn
    • um .. throw our clothes off, and climb back up into the trees?

      I'm of the opinion that ANY of these technologies that automate/facilitate transparent communication between computers is, in itself, a virus platform. I mean, we'll get to a time where we won't even be sure what's a virus and what's not; I guess this is the idea behind 'trusted signing authorities', but really, doesn't this confirm the whole Orwellian push towards trusting and serving corporate entities more so than our friend and his/her computer? I really don't mind wasting a few megabytes and engaging in application updates/downloads/installs/deinstalls/exports/imports/etc if it means I can actually keep knowing what's going on under the hood.

      What's the point of running a fatclient if all it ends up being is a thinclient with something to lose?

      Maybe this is where it should go. Your HD becomes your 'computer', the way we think of it now, and you still have to authorize things going from/to disk. Other than that, I don't want my OS acting as a thin client to a network when I have fatclient-style sensitive or important data on it.
    • by Jason Earl (1894) on Thursday January 10, 2002 @03:50PM (#2818503) Homepage Journal

      AOL will almost certainly throw their millions of users towards some other system, and web sites will be forced to support both AOL's system or Microsoft's, or neither (they will probably just stick with whatever they are doing now).

      Trust me, Microsoft's Passport numbers look impressive, but that's almost entirely due to Hotmail (which Microsoft doesn't charge for). In other words they have a load of crap data, and they are just now trying to get folks to actually associate this information with useable information like credit card numbers. To make matters even more interesting, Microsoft has had several well published security exploits. Only the dimmest of dim bulbs is going to trust Microsoft with their billing information (especially since chances are good that all of the places that they purchase things online already have this information). AOL, on the other hand, already has billing information for each and every one of their customers. They have literally got exactly what they need to make Internet Shopping truly painless.

      Better yet, there is at least some chance that AOL will share their Passport equivalent, which will almost certainly spread to other large ISPs.

      And finally, every eCommerce site currently in existence already has a way to charge you money. They aren't likely to throw their old software away and change to a .NET only site. Microsoft is the only company I can think of that has a good reason to force paying customers towards .NET.

    • by CaptainSuperBoy (17170) on Thursday January 10, 2002 @03:54PM (#2818536) Homepage Journal
      When you say .NET, you seem to be referring to the .NET initiative, a company-wide push for XML web services. This is separate from the .NET framework, which is what the virus is about.

      The .NET framework is an executable platform, with an intermediate language runtime (much like Java bytecode). This is the platform the virus was found on. For compatibility, a 5 byte stub of native code is used to start the execution of MSIL code. The virus infects this stub. You could compare this to a 'java' virus that infected your JVM.

      In contrast, the .NET initiative has its own problems. It seems like that's what you're thinking of - the issues with Passport, etc. That's a separate issue and it deserves a lot of evaluation before it's declared a safe platform for storing sensitive information.
    • If online shopping services convert over to .NET or god forbid my bill payment services, it's going to be very difficult to avoid having to make that Passport account and start using .NET.

      So, taking the hypothetical stance that one would need to eventually get registered to use .NET services they can't avoid using, what can be done to protect yourself and your data?

      The whole world isn't online.
      • Don't pay your bills online. Mail them like many people do.
      • Don't shop online. Sometimes it is very convenient to do this, so in those cases look up the item online, and then call in the order over the phone using your credit card, or mail the vendor a check. If the online vendor you are looking at doesn't support this, choose another.
      As far as being a developer, there isn't much you can do, but you can minimize the risks to yourself by not using .NET (or computers in general) to handle your money transactions.

      Mark
    • How is the .NET framework (what this article is about) dangerous? This is like saying "J2EE" is dangerous. What you are saying is, regardless of Sun, IBM, or MS (.NET services), that Web Services are dangerous. A Web Service is an open standard that .NET, J2EE, and other platforms support. Unfortunately the .NET marketing campaign has greatly confused the issue.
    • .NET is just like Java. It's a virtual machine environment that executes pseudo-machine code that is very readable, thus making it easy for the VM to identify and prevent malicious code from running (given you're running in applet mode)...

      1. That right there makes .NET a safer application environment than conventional executables.

      2. Passport and .NET aren't tied together.

      I would honestly predict that very few .NET applications will use Passport. Passport is already available today and pretty easy to implement with VB and ASP, but nobody is really using it. People just don't trust it, and there's not that much to gain from using it...

      Remember Passport is just an authentication service with extras. This is a commodity technology with a lot of players, and if it does get hot I'm sure Yahoo or AOL are very capable of making their own competing authentication services...
  • And you already had a proof-of-concept virus before you have a proof-of-concept application? Now, you have to wonder if this .NET framework was developed for applications or for virus. Or there's no distinction between the two, as far as .NET is concerned?

    • Technically, a virus is an application, just usually one that does something you don't want it to do.
    • People have been writing .NET apps for well over a year. There are web sites (including some of MSDN, for instance) running on .NET .aspx pages. You can buy books on .NET, for Pete's sake.
  • by Dancing_monkey_boy (549901) on Thursday January 10, 2002 @03:19PM (#2818248)
    AV companies have been aware of the possibility for a while. It was discussed at the 2001 Virus Bulletin Conference [virusbtn.com]. Here are the abstracts from two papers: MSIL For The .NET Framework: The Next Battleground? [virusbtn.com] and The Effects of Microsoft .NET on Malicious Threats [virusbtn.com].
  • Mono (Score:4, Funny)

    by gordon_schumway (154192) on Thursday January 10, 2002 @03:20PM (#2818249)
    But does it work in Mono?
  • Author is benny (Score:5, Informative)

    by jtra (525331) on Thursday January 10, 2002 @03:20PM (#2818251) Homepage
    His home page is at:
    http://benny29a.kgb.cz/ [benny29a.kgb.cz]

    There was an interview with him for Softwarove Noviny (a Czech magazine); its translation is at:
    http://benny29a.kgb.cz/articles/iigi.txt [benny29a.kgb.cz]

  • Origin? (Score:5, Interesting)

    by jbailey999 (146222) on Thursday January 10, 2002 @03:20PM (#2818252) Homepage
    If I remember right, the original word-macro "concept" viruses infected all of the inside of Microsoft within days and had a total payload of "See, I told you it could be done." Several news sources suggested that it was written inside Microsoft by a tech to prove a point.

    I wonder if this too, was a similar sort of event.
  • l337 hax0r (Score:4, Funny)

    by xg0blin (547154) on Thursday January 10, 2002 @03:20PM (#2818253)
    Wow, he managed to make a virus that infects MICROSOFT software? Holy crap....
  • The virus. (Score:5, Insightful)

    by miguel (7116) on Thursday January 10, 2002 @03:21PM (#2818258) Homepage
    Well, this virus really does not do anything interesting. .NET, like any other complete programming environment, will allow you to create replicating code (oh big surprise).

    These kinds of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice this kind of virus program never succeeds in the wild due to this kind of security mechanism.

    For .NET "applets" or any other .NET code that is downloaded from the network and executed, the virus would throw an exception because it would not have permission to touch your file system.
    • by gergi (220700)
      um... have you ever looked at Microsoft track records about stuff like that? I would not trust the permissions surrounding .NET's applets (e.g. lock on file system access)... I can't wait for the first applet with a buffer overflow access violation that gives a hacker full access to a Windows server.
    • Re:The virus. (Score:2, Informative)

      by archen (447353)
      Like the other worms (code red, nimda) that didn't infect NT? Security is more than running junk with user permissions. While users of NT might not be as prone to spread it, the virus itself might use other means (like the aforesaid worms) to spread itself. Who knows what in the hell is going to happen once there is a server version of Windows XP (gag).
    • Re:The virus. (Score:2, Insightful)

      by chrysrobyn (106763)
      These kind of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus) in practice this kind of virus programs never succeed on the wild due to this kind of security mechanisms. I must confess that I disagree that per-user security permissions halt this type of virus (re)productivity. Sure, %USER1% can't alter the files of %USER2%, but can't you see that %USER1% can use more than his/her share of the processor, hindering %USER2% in some way? Or, if %USER1% sends an e-mail to %USER2% containing self-replicating code, and %USER2% executes it (either through automation or ignorance), that has effectively circumvented per-user security. Now, you don't have just one virus on your system, but two.
    • also (Score:2, Insightful)

      by _avs_007 (459738)
      The virus wasn't even written in CLR. Basic security measures are similar to Java. Apps run in a sandbox, and can only access what they have permission to access. So as an example, if you download code from the internet, or load an app from a non-local resource, by default it won't have access to System.Net, which contains the Networking classes...

      Also CLR code can be signed and authenticated, so if you run code, the Framework can check for Authentication/Authorization and Integrity. That will surely put a cramp on viruses.

      Also as far as buffer overflows are concerned, .NET is a lot more strict on memory, so I don't think that should be a concern. Besides, code sections don't even stay in the same place in memory. The garbage collector can actually move your objects around in memory if needed. With that in mind, a traditional buffer-overflow exploit probably wouldn't be guaranteed to work anyway. And that's if there even was a buffer-overflow problem to exploit.

      And when the CLR/CLI goes through ECMA standardization, you may not even have to rely on MS to supply the framework. I know groups are already working on getting a CLR platform on Linux as an example....
  • by mandolin (7248) on Thursday January 10, 2002 @03:21PM (#2818262)
    ..read that as "Symantec says they've released W32.Donut, the first .NET virus"?

    Now that's a business strategy.

  • by gergi (220700) on Thursday January 10, 2002 @03:21PM (#2818264)
    I'd find it more surprising that hackers weren't already at work trying to hack .NET. Imagine the free pickings some criminally-inclined hacker could have... all the credit card numbers, personal info, etc they ever desired about people who are on average probably pretty clueless (otherwise, they wouldn't be using .NET most likely)
  • And .NET... (Score:4, Funny)

    by xanadu-xtroot.com (450073) <xanadu@NoSPAM.inorbit.com> on Thursday January 10, 2002 @03:22PM (#2818270) Homepage Journal
    ...was "voted" [slashdot.org] to be the "Platform of Choice" [zdnet.co.uk].

    lol
  • by gmhowell (26755) <gmhowell@gmail.com> on Thursday January 10, 2002 @03:23PM (#2818275) Homepage Journal
    Do virus checkers currently check SWF, java, etc files that are downloaded through web browsers?

    It seems that while everyone says we have 'more than enough processing power' it is going to be sucked up by virus scanners and "do you want to run this" pop-up boxes.

    Except of course (for now) on Linux.

    A side point: everyone says "don't run as root, only run as a regular user". Sure. No problem. But suppose I run as a regular user, and get some virus/trojan/whatever. I've got a lot of stuff in my home directory. In fact, I'll even say that it's easier to replace / than /home/*. Are people doing development work under one account, reading email in another, browsing the web in a third, and ripping CD's in a fourth account? Didn't think so. And for that reason, sooner or later, we need more helpful Linux virus solutions than "don't run as root".
    • Or decent backup (Score:3, Informative)

      by doublem (118724)
      Set a cron job that does a backup every hour or two. Have the file time stamped and rotate out the oldest backups in a way that your hard drive space allows.

      Full backup every few days, and incrementals throughout the day. Bit of thrashing, but it will protect you from most problems.
      • Wish I had included this in my earlier post. I do okay backups, but backing all of that up is expensive for my broke ass. (Of course, I guess I could do the cheap hard drive bit.)

        But how do you know when the infection occurred? At the very least, you'd have to check your crontab to ensure that you did set 'rm -rf ~/' to run every twenty minutes starting five days from now. IOW, yes, backups are nice, but wouldn't it be better to prevent the barn door from opening rather than closing it after the horses are out?

        (Again, I'm not trying to flame. I just think that a back up is only one part of a useful anti-virus policy.)
    • by zulux (112259) on Thursday January 10, 2002 @03:49PM (#2818486) Homepage Journal
      In fact, I'll even say that it's easier to replace / than /home/*.

      This is the crux of the matter! /home/* has all of my carefully handmade files. The rest of the tree is all GPL/BSD stuff that I can get off the net and have reinstalled in under an hour. Trash my /usr/local/bin directory and I really won't cry. Trash my /home/posgres directory and I'll lose my billable hours for today.

      If anything Unix needs to push it over the top as far as a secure server operating system is the ability to tell the OS that "This File can never be deleted and can only be appended to by Postmaster. Forever. No matter what. Even if I want to get rid of it later." If I could give my clients that, they would jump to UNIX no matter what hurdles they had to jump - they have lost too many Outlook folders and too many database tables due to the insecurity of Windows. They would RUN to Unix.

      Just me and my ramblings. And yes I know about backups and rsyncing from a locked down OpenBSD box.
      • If anything Unix needs to push it over the top as far as a secure server operating system is the ability to tell the OS that "This File can never be deleted and can only be appended to by Postmaster. Forever. No matter what. Even if I want to get rid of it later."

        It's hard to know you *never* want to get rid of a file, or even rename it or move it somewhere else.

        New viruses would just create a bunch of humongo crap files in your home directory (maybe called hardcoreporn.jpg for any admin/boss types happening to peruse your files) and then mark them undeletable.

        Finally, if you want to achieve a crude approximation of your goal just chown the files to root and chmod them to 444 or something. Of course this scheme fails when you're running as root..

    • I'm a clueless Linux user mostly, but wouldn't a root cron job to tar up your home directory and store it in a place not accessible by your user account work?

      Wow, that's a spiffy idea. I think I'll patent it with the name "backup". :)

      • Scan through the rest of the thread. It works, except that you don't necessarily know when you were infected. So restoring that backup might just mean that you've restored the virus.

        But, that's basically what I do.
    • No need to check Java class files. Unless they're run locally they've got rather limited capabilities. That's why there haven't been any Java virii. The sandbox concept works well.
      • Don't forget about class verification. Without that, it would be possible to make a Java class that could overrun or mess up the stack easily.

        I do think that it's amazing that the sun jvm hasn't had any really bad security problems with Java yet. At least after version 1.2 (afaik).
    • by Jason Earl (1894) on Thursday January 10, 2002 @05:00PM (#2819143) Homepage Journal

      Imagine you are a virus. Now tell me how exactly are you going to spread using the stuff found in your home directory. Viruses spread by attaching themselves to executables, but I don't have any executables in my home directory, and if I did there is almost no chance that some other user is going to run them. If by some amazing obscure fluke I did have some binaries in my home directory, and I just so happened to mail one of those infected binaries to a friend, even if my friend did run this binary the virus is stuck with the same low chances for infection. It can only infect files that my friend has read access to, and it can only carry out tasks that my friend has permission to do.

      In other words such a beast has almost no chance of actually spreading.

      Now, someone could send you a malicious email attachment. Something along the lines of:

      #!/bin/sh
      rm -rf ~/

      Of course, this sort of binary has very little chance of getting run. After all, there isn't an email client for Linux that I am aware of that would make this sort of attachment easy to run. You would have to save it to your home directory, set the executable bit, and then run it.

      And even if you did run it, how would it spread? It might try and email itself to everyone in your address book, but Linux doesn't have a default address book, nor is it likely to ever have one. Some folks use mutt, others use Pine, Evolution has its own format, as does Aethera, and for folks like me that use Emacs to read our mail there are several possible places to put our address book.

      Windows has a ton of viruses for four basic reasons:

      1) There are no sensible file permissions. Users can write to system files.

      2) Microsoft has made it easy to do some incredibly stupid things. For example, getting the contents of your address book is dead simple.

      3) Microsoft has blended the line between executable content and data. Double clicking on an icon can either launch a program or open a document. Some documents (like MS Word files) can even contain executable content with full access to your system.

      4) Microsoft is a ubiquitous mono-culture. A Microsoft exploit has plenty of susceptible victims, making it easier for viruses to spread. Even if someone did write a Linux mail virus, the chance of it working on both my Emacs/Gnus set up and someone else's Evolution setup is highly unlikely. Without enough susceptible victims viruses can't spread.

      Even if all of the Joe Sixpacks in the world were running Linux it still would be a good deal less dangerous than what Windows users currently face.

      • There are lots of viruses because people do stupid things, and generally are dumb.

        1) There are no sensible file permissions. Users can write to system files.
        That is untrue. NTFS permissions can be used very easily to restrict this type of access. A good system-admin will set write/read/execute permissions for all the files on his or her system(s).

        2) Microsoft has made it easy to do some incredibly stupid things. For example, getting the contents of your address book is dead simple.
        Automation is a good and a bad thing. Bad when it automates bad things, good when it automates good things. Luckily these things (MAPI for address books, etc.) are COM based, which means they are executable-style DLLs, which means, again, that they can be managed with standard permissions plus lame fixes for Outlook (do you wish to allow access?).

        3) Microsoft has blended the line between executable content and data. Double clicking on an icon can either launch a program or open a document. Some documents (like MS Word files) can even contain executable content with full access to your system.
        Again, no. Only if you give SYSTEM certain access and are running in an elevated context. Binary code run from a Word file will be treated as the currently logged in user. If you edit documents as "root" then you are vulnerable. But none of these problems override file permissions set by the Administrator.

        4) Microsoft is a ubiquitous mono-culture. A Microsoft exploit has plenty of susceptible victims, making it easier for viruses to spread. Even if someone did write a Linux mail virus, the chance of it working on both my Emacs/Gnus set up and someone else's Evolution setup is highly unlikely. Without enough susceptible victims viruses can't spread.
        Yeap, good point.
        Sadly lacking in the Windows world is a fundamental understanding of how to set up permissions on a typical Win2k workstation and server environment to prevent virus problems. In my little corner of the world we routinely get moronic virus emails to our staff - yet we haven't had any problems with them because of a tight set of permissions throughout our network. Coupled with just a minimal understanding of what to and not to do (untrusted sources are bad, mostly) we are immune to most viruses in the wild and 100% of the ones that have come through our door in the past.

        Of course, a good set of firewall rules, nightly updated virus filters, effective user policies and proper administration have a lot to contribute to that.
  • Symantec. (Score:3, Interesting)

    by ImaLamer (260199) <john.lamar@gUMLAUTmail.com minus punct> on Thursday January 10, 2002 @03:23PM (#2818284) Homepage Journal
    Don't forget every time a new version of Windows comes out Symantec gets to sell a million copies of its software.

    I know most people won't agree, but doesn't Symantec stand to make a mint if this is true?

    I guess they needed a virus before they released anti-virus software.
  • by Dutchmaan (442553) on Thursday January 10, 2002 @03:25PM (#2818294) Homepage
    One OS to rule them all, one OS to find them, one OS to bring them all, and in the darkness bind them.
  • Wow... (Score:5, Funny)

    by Wakko Warner (324) on Thursday January 10, 2002 @03:26PM (#2818305) Homepage Journal
    ...this is also quite possibly the first .NET application!

    - A.P.
  • Homer Sez (Score:4, Funny)

    by ocie (6659) on Thursday January 10, 2002 @03:27PM (#2818311) Homepage
    MMMMM, W32.Donut.
  • by coltrane99 (545982) on Thursday January 10, 2002 @03:34PM (#2818366)
    (from the Symantec site)

    "Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed."

    "The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."

    Interesting. I predict we will be seeing many, many attacks on .NET somewhat similar to this, since Microsoft kept function pointers (which are unverifiable) in the mix. Good for the checkbox battles, but fatal for security.

    • (from the Symantec site)

      "Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed."

      "The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."

      The paragraph in between that you deleted read:

      Thus currently a .NET application executes native code before it will execute the platform independent code. According to Microsoft this native code will be removed and the operating system itself will recognize and execute .NET images.

      So, supposedly, this only infects Beta 2 of .NET. It also states this attack does not work against Beta 1.
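The native stub quoted from Symantec above (and described in CaptainSuperBoy's comment earlier in the thread) can be checked for from the defender's side. The following Python script is an added example, not code from the thread, from Symantec or from Microsoft: it parses a PE32 header, verifies that the entry point is the indirect `jmp dword ptr [IAT slot]` (opcode FF 25 plus a 4-byte address, 6 bytes on disk) that hands control to mscoree!_CorExeMain, and flags the symptoms the excerpt lists: a jump redirected into the last section and a nullified relocation directory. The sample image, its image base and its section layout are constructed for the demonstration and are not a real binary.

```python
import struct

IMAGE_BASE = 0x400000                           # assumed preferred load address
DIR_BASERELOC, DIR_IAT, DIR_CLR = 5, 12, 14     # data-directory indices (PE/COFF spec)


def parse_pe(data):
    """Return (entry_rva, image_base, data_dirs, sections) for a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only (the 1.0-era .NET stub is 32-bit)")
    entry, = struct.unpack_from("<I", data, opt + 16)
    base, = struct.unpack_from("<I", data, opt + 28)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(16)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), raw))
    return entry, base, dirs, sections


def section_for(sections, rva):
    """Section tuple (name, va, size, raw_offset) containing rva, or None."""
    for sec in sections:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None


def check_entry_stub(data):
    """Return a list of findings; an empty list means the stub looks intact."""
    entry, base, dirs, sections = parse_pe(data)
    findings = []
    if dirs[DIR_CLR] == (0, 0):
        return ["no CLR header: not a managed image, stub checks not applicable"]
    sec = section_for(sections, entry)
    if sec is None:
        return ["entry point RVA maps to no section"]
    stub = data[sec[3] + (entry - sec[1]):][:6]
    if stub[:2] == b"\xff\x25":                           # jmp dword ptr [slot]
        slot_rva = struct.unpack_from("<I", stub, 2)[0] - base
        iat_rva, iat_size = dirs[DIR_IAT]
        if not iat_rva <= slot_rva < iat_rva + iat_size:
            findings.append("entry stub jumps through a slot outside the IAT")
    elif stub[0] == 0xE9:                                 # jmp rel32 (direct)
        target = (entry + 5 + struct.unpack_from("<i", stub, 1)[0]) & 0xFFFFFFFF
        tsec = section_for(sections, target)
        findings.append("entry stub is a direct jmp to RVA %#x (%s)"
                        % (target, tsec[0] if tsec else "no section"))
        if tsec is sections[-1]:
            findings.append("redirected jump lands in the last section")
    else:
        findings.append("entry stub is not a jmp at all")
    if any(s[0] == ".reloc" for s in sections) and dirs[DIR_BASERELOC] == (0, 0):
        findings.append(".reloc section present but relocation directory nullified")
    return findings


def build_sample(infected):
    """Constructed minimal PE32 image: .text holds the IAT slot and the stub,
    .reloc is the last section. Sample data only, not a real binary."""
    text_va, text_raw, reloc_va, reloc_raw, size = 0x1000, 0x200, 0x2000, 0x400, 0x200
    iat_rva, entry = text_va, text_va + 0x10
    img = bytearray(0x600)
    img[:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, entry)
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 96 + 8 * DIR_IAT, iat_rva, 4)
    struct.pack_into("<II", img, opt + 96 + 8 * DIR_CLR, text_va + 0x40, 0x48)
    struct.pack_into("<II", img, opt + 96 + 8 * DIR_BASERELOC, reloc_va, 8)
    for i, (name, va, raw) in enumerate([(b".text", text_va, text_raw),
                                         (b".reloc", reloc_va, reloc_raw)]):
        struct.pack_into("<8sIIII", img, opt + 224 + 40 * i, name, size, va, size, raw)
    stub_off = text_raw + (entry - text_va)
    # intact stub: jmp dword ptr [ImageBase + IAT slot] -> mscoree!_CorExeMain
    img[stub_off:stub_off + 6] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + iat_rva)
    if infected:
        # mimic the described symptoms: the stub now jumps into the last
        # section and the relocation directory is zeroed out
        rel = (reloc_va + 0x100) - (entry + 5)
        img[stub_off:stub_off + 5] = b"\xe9" + struct.pack("<i", rel)
        struct.pack_into("<II", img, opt + 96 + 8 * DIR_BASERELOC, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    for label in ("clean", "infected"):
        print(label, check_entry_stub(build_sample(label == "infected")) or ["ok"])
```

The heuristic only covers the Framework 1.0 Beta 2 layout the excerpt describes; once the loader recognises managed images directly, the stub disappears and the check no longer applies.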

  • by evilviper (135110) on Thursday January 10, 2002 @03:41PM (#2818420) Journal
    The torch has been passed...

    Outlook -> .NET
  • Concept Virus?? (Score:2, Informative)

    by SuperDuG (134989)
    Since when are viruses legal to make. Last I checked viruses were illegal and I'm actually quite tired of hearing about them in a glamourous manner. I don't care if it's MS's fault about code or poor software writers who make coding mistakes and leave holes open.

    Virii are money making entities in themselves and I'm tired of seeing companies encourging the creation of Virii. I don't remember when, but I do remember a scandal typeness on the net a LONG while ago about McAffee going out to software writers to see if they would be interested in writing virii to test out their detector ... then they just happen to get released out into the wild.

    The other thing that I see wrong with Virii and Worms is that it kills the IT world. IT department heads are forced to clean up after end user mistakes when they could be developing. And when a worm like nimbda is released my bandwidth was cut by a third almost.

    It's ridiculous ... and I'm really sick of it ... virii writers are the lowest of lows when it comes to software. A monkey can code, but a true hacker can realize when his code could harm something or someone.

    • Re:Concept Virus?? (Score:2, Insightful)

      by jallen02 (124384)
      I think you missed the entire point of a "concept virus" on a non-widely distributed, or used, platform.

      Really, this virus was written to demonstrate the flaws in .NET in a more vociferous manner than saying, "Hey there are potentially threatening flaws with .NET."

      The virus is already known to the virus protection people. The virus was not released nor spread in the wild and would have a damn hard time propagating about the Internet seeings how most people don't have the framework available...

      Jeremy
      • But WHY? is my main question ... there's no real reason to be making this virus except to make the virus scanning software more needed or at least the manufacturers of Symantec can go and say "Hey ... this virus affects .NET so you know that there will be others ... time to upgrade".

        And again ... why are virus scanning companies encouraging the creation of virii ?? I would think the world would be a better place with no Virii out there ... but then ... how would Symantec make any money??

  • by Tom7 (102298) on Thursday January 10, 2002 @03:53PM (#2818526) Homepage Journal

    Don't get all worked up, guys. Executable files that can modify other executable files to self-replicate are nothing new, and .NET is not "insecure" because viruses can be written for it. (Though it may be insecure for many other reasons! ;)) Linux has viruses too. The real question is how much damage such code can do once it's run -- on multi-user systems with permissions like linux and NT, presumably this is not much.

    (Regardless, kudos to the creator for the cool hack and for not unleashing it on the world!)

    Personally, I think the idea of high-level languages and portable binaries is a good one, so I am actually excited about the Common Language Runtime (etc.) aspect of .NET. I hate hate hate the web services and passport bit, though...
  • by begonia (177694) on Thursday January 10, 2002 @03:55PM (#2818545)
    Java, of course, is composed of byte code that runs in a "sandbox" which is supposed to prevent malicious attacks on a user machine. Say what you want about Java, but from what I can tell Sun has been pretty successful in achieving their security goals.

    OTOH, Microsoft, jealous of Java's success, is attempting a similar model and boasts similar security measures, claiming that with .Net Framework driven applications, it will be possible to download apps from the internet and run them without security concerns.

    The problem is that M$ is cutting a bunch of corners that make me very nervous. For example, the user only compiles a program the first time he runs it. After that a machine-code file is left on the user's machine for further runs. Also, M$ is attempting to mix "Managed Code" in with "Unmanaged Code". Their attempt is to make their apps run faster than Java code. But I'm afraid we're going to bear the misfortunes of their aggressive tactics, by being the real victims of a new wave of viruses exploiting these new holes...
  • Oldish news (Score:2, Informative)

    by altan (519377)
    More details also at cNet News [cnet.com]. It's been there for a couple of hours, and I thought about posting it but was too lazy.
  • by slashkitty (21637) on Thursday January 10, 2002 @04:05PM (#2818638) Homepage
    Unfortunately, Passport, (which I believe offers the authentication for .NET services?) is really only as secure as the least secure server it's deployed on. More unfortunately, it's deployed on microsoft.com. Even more unfortunately, there are still OPEN SECURITY HOLES [devitry.com] on microsoft.com... Oh, how many many ways are there to hijack cookies or script actions with Cross Site Scripting? A lot.
  • Good and Bad (Score:2, Insightful)

    by f00zbll (526151)
    As much as I dislike M$, this type of behavior is a double edge. Any system and language can be exploited, so it's no surprise someone wrote a virus for .NET. I would rather professionals reveal the flaws and weaknesses of .NET through accepted channels with concrete proof.

    Having a kid infect a .NET server makes it harder for those working with web services. Large institutions most likely will continue their web services plans, but it makes it harder for consumers to trust the services. Non technical people might think all web services are full of security holes and decide none of it is any good.

    In Microsoft's race to get something out, they are doing more damage to the perception of the web services industry than anything else. Consumers are already freaked about big corp taking too much control. It's great the security hole has been revealed, but it shouldn't have been so easy. Like the kid says in his interview, "they are the idiots." Is the consumer going to agree with the kid or the company that just got hacked?

  • by thrillbert (146343) on Thursday January 10, 2002 @04:21PM (#2818795) Homepage
    Small Developer

    $1,000 per year +

    $1,500 per application

    Large Developer

    $10,000 per year +

    $1,500 per application

    Virus Developers

    $1,200 per year +

    $0.25cents per computer infected*

    * Tracking provided by Bill Gates' Email Tracking System(tm)

  • The Score So Far (Score:2, Interesting)

    by White Roses (211207)
    .NET Virii: 1
    Java Virii: 0

    Seriously, wouldn't a Java virus be great? I mean, it runs on just about anything (including your PlayStation 2). I wonder why there aren't any roaming the net . . .

    Maybe because Sun actually put some effort into the security aspects of an inherently dangerous idea?

  • I'm rather amused by this article: .Net may lead to fewer viruses [theregister.co.uk], but I'm baffled by the name!!!

    The article is dated 28/09/2001, 4 months ago.

    They say:
    ".Net will almost undoubtedly create fresh infection mechanisms for virus writers to exploit."

    "[.Net] not yet addressed by AV[AntiVirus] products."

    "a .Net virus might contain only something that specifies where malicious code comes from."

    "Viruses that infect .Net binaries, Trojans written in .Net languages and malicious code taking advantages of .Net services are all possible."

    "it might allow 'viruses to propagate to operating systems that were previously considered low risk'"


    Why the HELL is the article titled ".Net may lead to fewer viruses"?!?!?!

    -
  • by dmarsh (143697) on Thursday January 10, 2002 @04:53PM (#2819090) Homepage
    This virus takes advantage of the fact that the PE for CLR executable assemblies includes a small stub to bootstrap itself into older platforms that do not recognize and/or honor .NET PEs natively (i.e. older versions of Windows).

    This is really not part of .NET or the CLR, but rather a MS specific "optimization" that saves them from having to retrofit CLR PE recognition into their older platforms when the CLR is RTM. For more information, check out this thread[1] on the Developmentor .NET mailing list.

    The important thing to point out is that this hack does not foil CLR security. It's foiling standard Win32 security and only because of the aforementioned "optimization".

    Later,
    Drew

    [1] http://discuss.develop.com/archives/wa.exe?A2=ind0107B&L=DOTNET&D=0&P=47726
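    The Symantec description quoted earlier in the thread (a small stub jumping to _CorExeMain, the .reloc section overwritten with the virus body, the relocation directory nullified) and Drew's point about the bootstrap stub suggest a header-level check a defender can run over managed PE32 images. This is an added example, not code from the thread, Symantec or Microsoft: it parses only PE headers, builds its own constructed header-only test images (the section layout and the entry RVA 0x23DE are made up), and the "zeroed relocation directory while a .reloc section survives" rule is a heuristic derived from the quoted text, not a published signature.

```python
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5        # data-directory slots from the PE/COFF spec
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header, present only in managed images

def parse_pe32(data):
    """Return (16 data directories, [(name, VirtualAddress, VirtualSize)]) from a PE32 image."""
    pe = struct.unpack_from('<I', data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    nsec = struct.unpack_from('<H', data, pe + 6)[0]
    opt_size = struct.unpack_from('<H', data, pe + 20)[0]
    opt = pe + 24                                         # optional header follows the 20-byte COFF header
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 images are handled here')
    dirs = [struct.unpack_from('<II', data, opt + 96 + 8 * i) for i in range(16)]
    raw = [struct.unpack_from('<8sII', data, opt + opt_size + 40 * i) for i in range(nsec)]
    return dirs, [(n.rstrip(b'\0').decode('ascii'), va, vs) for n, vs, va in raw]

def donut_indicators(data):
    """Header-level findings for the infection pattern quoted in the thread; [] means nothing odd."""
    dirs, sections = parse_pe32(data)
    if dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][1] == 0:
        return []                                         # unmanaged image: heuristic does not apply
    # A managed image carries one base relocation for the stub's absolute IAT address, so a zeroed
    # relocation directory next to a surviving .reloc section is the anomaly the quoted text describes.
    findings = []
    if any(n == '.reloc' for n, _, _ in sections) and dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] == (0, 0):
        findings.append('relocation directory zeroed while a .reloc section is still present')
    return findings

def build_managed_pe32(reloc_dir, sections):
    """Constructed header-only PE32 image for testing (no code bytes; not a real binary)."""
    dos = bytearray(b'MZ') + bytearray(62)
    struct.pack_into('<I', dos, 0x3C, 64)                 # PE signature directly after the DOS header
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into('<I', opt, 16, 0x23DE)               # AddressOfEntryPoint: stub inside .text (constructed)
    struct.pack_into('<I', opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    table = b''.join(struct.pack('<8sIIIIIIHHI', n.encode(), vs, va, vs, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table

SECTIONS = [('.text', 0x2000, 0x400), ('.rsrc', 0x4000, 0x200), ('.reloc', 0x6000, 0xC)]
CLEAN = build_managed_pe32((0x6000, 12), SECTIONS)        # 12-byte relocation block for the stub
INFECTED = build_managed_pe32((0, 0), SECTIONS)           # directory nullified, as the quoted text describes
```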
  • Why .NET is doomed (Score:4, Insightful)

    by IGnatius T Foobar (4328) on Thursday January 10, 2002 @05:04PM (#2819203) Homepage Journal
    .NET is doomed to be a digital Petri dish for viruses. This is because Microsoft will rush it to market. Every day that passes without .NET being completed is another day that J2EE continues to entrench itself in the enterprise. This is happening because J2EE is actually good technology.

    Microsoft has to get some of the .NET framework rolled out quickly. And they're going to do that the same way they always do: by skipping most of the security QA they should be doing.

    Rest assured that .NET will be every bit as secure as Windows XP -- i.e. not secure at all.

    You can count on it.
  • by Duderstadt (549997) on Thursday January 10, 2002 @05:24PM (#2819445)

    For those unfamiliar with .NET assemblies, here's a little tip for wanna-be virus writers:

    All .NET assemblies are digitally signed. The sig is put together by the compiler and is guaranteed to be unique across space and time (a la a GUID).

    So, if you write a virus and release it into the wild, keep in mind that you might as well have 'GUILTY AS CHARGED' stamped on your forehead.
