Microsoft

First (proof-of-concept) .NET virus

Juergen Kreileder writes "Symantec says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"
  • Yay (Score:2, Insightful)

    by 1g$man ( 221286 ) on Thursday January 10, 2002 @03:17PM (#2818236)
    And this is different from any other Win32 virus how?

    So .net code is either compiled to native .exe code or into intermediate code, which a virus could, yes, infect. How is this more or less dangerous than compiling normal C/C++ code into an .exe which can spread viruses?
  • The virus. (Score:5, Insightful)

    by miguel ( 7116 ) on Thursday January 10, 2002 @03:21PM (#2818258) Homepage
    Well, this virus really does not do anything interesting. .NET as any other complete programming environment will allow you to create replicating code (oh big surprise).

    These kinds of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice this kind of virus program never succeeds in the wild due to this kind of security mechanism.

    For .NET "applets" or any other .NET code that is downloaded from the network and executed, the virus would throw an exception because it would not have permission to touch your file system.
  • by gergi ( 220700 ) on Thursday January 10, 2002 @03:21PM (#2818264)
    I'd find it more surprising that hackers weren't already at work trying to hack .NET. Imagine the free pickings some criminally-inclined hacker could have... all the credit card numbers, personal info, etc they ever desired about people who are on average probably pretty clueless (otherwise, they wouldn't be using .NET most likely)
  • by gmhowell ( 26755 ) <gmhowell@gmail.com> on Thursday January 10, 2002 @03:23PM (#2818275) Homepage Journal
    Do virus checkers currently check SWF, java, etc files that are downloaded through web browsers?

    It seems that while everyone says we have 'more than enough processing power' it is going to be sucked up by virus scanners and "do you want to run this" pop-up boxes.

    Except of course (for now) on Linux.

    A side point: everyone says "don't run as root, only run as a regular user". Sure. No problem. But suppose I run as a regular user, and get some virus/trojan/whatever. I've got a lot of stuff in my home directory. In fact, I'll even say that it's easier to replace / than /home/*. Are people doing development work under one account, reading email in another, browsing the web in a third, and ripping CDs in a fourth account? Didn't think so. And for that reason, sooner or later, we need more helpful Linux virus solutions than "don't run as root".
  • Sick of this sh*t (Score:3, Insightful)

    by whovian ( 107062 ) on Thursday January 10, 2002 @03:36PM (#2818381)
    From said Register article:

    However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.

    Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind.

    I hope the latest search [slashdot.org] for ET intelligence is fruitful so that we can be saved from ourselves.
  • by SnakeStu ( 60546 ) on Thursday January 10, 2002 @03:38PM (#2818399) Homepage
    That's my first thought too, but... what if "that company" is the power company, or the garbage company, or the phone company (the only one to provide service in my area), or something like that? As much as I would love to live "off the grid" I'm not in a position to do it yet, so if "essential" -- but privately owned -- services start forcing consumers to use Passport "to provide better service" (puke), I'm screwed, as would many people be.
  • Re:The virus. (Score:2, Insightful)

    by chrysrobyn ( 106763 ) on Thursday January 10, 2002 @03:45PM (#2818451)
    These kinds of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice this kind of virus program never succeeds in the wild due to this kind of security mechanism.

    I must confess that I disagree that per-user security permissions halt this type of virus (re)productivity. Sure, %USER1% can't alter the files of %USER2%, but can't you see that %USER1% can use more than his/her share of the processor, hindering %USER2% in some way? Or, if %USER1% sends an e-mail to %USER2% containing self-replicating code, and %USER2% executes it (either through automation or ignorance), that has effectively circumvented per-user security. Now, you don't have just one virus on your system, but two.
  • by Jaysyn ( 203771 ) on Thursday January 10, 2002 @03:45PM (#2818452) Homepage Journal
    umm...I still know lots of people without computers. If infrastructure companies decided to do this, how would they receive payment from the less tech inclined? I don't think they would be handing out eMachines to the constituents or anything like that.

    Jaysyn
  • by zulux ( 112259 ) on Thursday January 10, 2002 @03:49PM (#2818486) Homepage Journal
    In fact, I'll even say that it's easier to replace / than /home/*.

    This is the crux of the matter! /home/* has all of my carefully handmade files. The rest of the tree is all GPL/BSD stuff that I can get off the net and have reinstalled in under an hour. Trash my /usr/local/bin directory and I really won't cry. Trash my /home/posgres directory and I'll lose my billable hours for today.

    If there's anything Unix needs to push it over the top as far as secure server operating systems go, it is the ability to tell the OS that "This file can never be deleted and can only be appended to by Postmaster. Forever. No matter what. Even if I want to get rid of it later." If I could give my clients that, they would jump to UNIX no matter what hurdles they had to jump - they have lost too many Outlook folders and too many database tables due to the insecurity of Windows. They would RUN to Unix.

    Just me and my ramblings. And yes I know about backups and rsyncing from a locked down OpenBSD box.
  • also (Score:2, Insightful)

    by _avs_007 ( 459738 ) on Thursday January 10, 2002 @03:52PM (#2818515)
    The virus wasn't even written in CLR. Basic security measures are similar to Java. Apps run in a sandbox, and can only access what they have permission to access. So as an example, if you download code from the internet, or load an app from a non-local resource, by default it won't have access to System.Net, which contains the Networking classes...

    Also CLR code can be signed and authenticated, so if you run code, the Framework can check for Authentication/Authorization and Integrity. That will surely put a cramp on viruses.

    Also as far as buffer overflows are concerned, .NET is a lot more strict on memory, so I don't think that should be a concern. Besides, code sections don't even stay in the same place in memory. The garbage collector can actually move your objects around in memory if needed. With that in mind, a traditional buffer-overflow exploit probably wouldn't be guaranteed to work anyways. And that's if there even was a buffer-overflow problem to exploit.

    And when the CLR/CLI goes through ECMA standardization, you may not even have to rely on MS to supply the framework. I know groups are already working on getting a CLR platform on Linux as an example....
  • by Tom7 ( 102298 ) on Thursday January 10, 2002 @03:53PM (#2818526) Homepage Journal

    Don't get all worked up, guys. Executable files that can modify other executable files to self-replicate are nothing new, and .NET is not "insecure" because viruses can be written for it. (Though it may be insecure for many other reasons! ;)) Linux has viruses too. The real question is how much damage such code can do once it's run -- on multi-user systems with permissions like linux and NT, presumably this is not much.

    (Regardless, kudos to the creator for the cool hack and for not unleashing it on the world!)

    Personally, I think the idea of high-level languages and portable binaries is a good one, so I am actually excited about the Common Language Runtime (etc.) aspect of .NET. I hate hate hate the web services and passport bit, though...
  • Re:Concept Virus?? (Score:2, Insightful)

    by jallen02 ( 124384 ) on Thursday January 10, 2002 @03:58PM (#2818565) Homepage Journal
    I think you missed the entire point of a "concept virus" on a non-widely distributed, or used, platform.

    Really, this virus was written to demonstrate the flaws in .NET in a more vociferous manner than saying, "Hey there are potentially threatening flaws with .NET."

    The virus is already known to the virus protection people. The virus was not released nor spread in the wild and would have a damn hard time propagating about the Internet seeing as how most people don't have the framework available...

    Jeremy
  • Good and Bad (Score:2, Insightful)

    by f00zbll ( 526151 ) on Thursday January 10, 2002 @04:05PM (#2818639)
    As much as I dislike M$, this type of behavior is double-edged. Any system and language can be exploited, so it's no surprise someone wrote a virus for .NET. I would rather professionals reveal the flaws and weaknesses of .NET through accepted channels with concrete proof.

    Having a kid infect a .NET server makes it harder for those working with web services. Large institutions most likely will continue their web services plans, but it makes it harder for consumers to trust the services. Non technical people might think all web services are full of security holes and decide none of it is any good.

    In microsoft's race to get something out, they are doing more damage to the perception of the web services industry than anything else. Consumers are already freaked about big corp taking too much control. It's great the security hole has been revealed, but it shouldn't have been so easy. Like the kid says in his interview, "they are the idiots." Is the consumer going to agree with the kid or the company that just got hacked?

  • Re:Yay (Score:2, Insightful)

    by Archanagor ( 303653 ) on Thursday January 10, 2002 @04:28PM (#2818880) Homepage Journal
    But, isn't byte code related to assembly? (granted it's instructions for the .NET runtime, not an Intel x86 compatible machine, but it's still a sequence of instructions.)

    Wouldn't the virus still be a sequence of bytes? I mean, it's not like the virus scanners run the code in a virtual machine to determine if it's a virus.

    Also, what about macro viruses and e-mail viruses. Isn't this how AV software scans those files?

    Maybe I'm missing the boat here...
  • by Jason Earl ( 1894 ) on Thursday January 10, 2002 @04:32PM (#2818923) Homepage Journal

    My guess is that when Symantec says they have received this proof-of-concept virus what they really mean is that they wrote it.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Thursday January 10, 2002 @04:54PM (#2819094)
    Comment removed based on user account deletion
  • by Jason Earl ( 1894 ) on Thursday January 10, 2002 @05:00PM (#2819143) Homepage Journal

    Imagine you are a virus. Now tell me how exactly are you going to spread using the stuff found in your home directory. Viruses spread by attaching themselves to executables, but I don't have any executables in my home directory, and if I did there is almost no chance that some other user is going to run them. If by some amazing obscure fluke I did have some binaries in my home directory, and I just so happened to mail one of those infected binaries to a friend, even if my friend did run this binary the virus is stuck with the same low chances for infection. It can only infect files that my friend has read access to, and it can only carry out tasks that my friend has permission to do.

    In other words such a beast has almost no chance of actually spreading.

    Now, someone could send you a malicious email attachment. Something along the lines of:

    #!/bin/sh
    rm -rf ~/

    Of course, this sort of binary has very little chance of getting run. After all, there isn't an email client for Linux that I am aware of that would make this sort of attachment easy to run. You would have to save it to your home directory, set the executable bit, and then run it.

    And even if you did run it, how would it spread? It might try and email itself to everyone in your address book, but Linux doesn't have a default address book, nor is it likely to ever have one. Some folks use mutt, others use Pine, Evolution has its own format, as does Aethera, and for folks like me that use Emacs to read our mail there are several possible places to put our address book.

    Windows has a ton of viruses for four basic reasons:

    1) There are no sensible file permissions. Users can write to system files.

    2) Microsoft has made it easy to do some incredibly stupid things. For example, getting the contents of your address book is dead simple.

    3) Microsoft has blended the line between executable content and data. Double clicking on an icon can either launch a program or open a document. Some documents (like MS Word files) can even contain executable content with full access to your system.

    4) Microsoft is a ubiquitous mono-culture. A Microsoft exploit has plenty of susceptible victims, making it easier for viruses to spread. Even if someone did write a Linux mail virus, the chance of it working on both my Emacs/Gnus set up and someone else's Evolution setup is highly unlikely. Without enough susceptible victims viruses can't spread.

    Even if all of the Joe Sixpacks in the world were running Linux it still would be a good deal less dangerous than what Windows users currently face.

  • by edbarrett ( 150317 ) on Thursday January 10, 2002 @05:04PM (#2819197)

    (from the Symantec site)

    "Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MISL (intermediate language) gets control if the .NET framework is installed."

    "The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump, with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."

    The paragraph in between that you deleted read:

    Thus currently a .NET application executes native code before it will execute the platform independent code. According to Microsoft this native code will be removed and the operating system itself will recognize and execute .NET images.

    So, supposedly, this only infects Beta 2 of .NET. It also states this attack does not work against Beta 1.
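
    The Symantec description quoted above names three artifacts of the infection: the native entry stub no longer jumps through the import table to _CorExeMain, control flow is redirected into the last section, and the relocation directory is nulled while the .reloc section is still present. Here, as an added illustration by the editor and not code from Symantec, the virus author, or anyone in this thread, is a Python checker for exactly those three conditions. It builds its own constructed two-section PE32 stand-in for a .NET EXE (image base, section layout, the single IAT slot and the placeholder body in .reloc are all assumptions) and checks that the entry point is the indirect `jmp dword ptr [slot]` (opcode FF 25) with the slot inside the IAT directory, that the jump does not land in the last section, and that the base-relocation directory is still populated.

```python
import struct

# Data directory indices from the PE/COFF specification.
DIR_BASERELOC = 5
DIR_IAT = 12
DIR_COM_DESCRIPTOR = 14      # the CLR (".NET") header directory

IMAGE_BASE = 0x400000        # assumed preferred load address of the sample


def parse_pe(data):
    """Pull out the PE32 fields the checks below need (headers only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(16)]
    secs = []                # (name, rva, size, raw_offset) in header order
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    return {"entry": entry, "base": base, "dirs": dirs, "sections": secs}


def section_of(sections, rva):
    for s in sections:
        if s[1] <= rva < s[1] + s[2]:
            return s
    return None


def rva_to_offset(sections, rva):
    s = section_of(sections, rva)
    if s is None:
        raise ValueError("RVA 0x%x maps to no section" % rva)
    return s[3] + (rva - s[1])


def scan(data):
    """Return findings for a managed PE; an empty list means the stub looks untouched."""
    pe = parse_pe(data)
    if pe["dirs"][DIR_COM_DESCRIPTOR][0] == 0:
        return ["no CLR header: not a managed image"]
    secs, ep, findings = pe["sections"], pe["entry"], []
    stub = data[rva_to_offset(secs, ep):][:6]
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    target = None
    if stub[:2] == b"\xFF\x25":                      # jmp dword ptr [abs32]
        target = struct.unpack_from("<I", stub, 2)[0] - pe["base"]
        if not (iat_rva <= target < iat_rva + iat_size):
            findings.append("entry stub jumps through a slot outside the IAT")
    elif len(stub) >= 5 and stub[0] == 0xE9:         # jmp rel32: a direct jump
        target = (ep + 5 + struct.unpack_from("<i", stub, 1)[0]) & 0xFFFFFFFF
        findings.append("entry stub is a direct jmp rel32, not jmp [IAT]")
    else:
        findings.append("entry stub is not a jmp at all")
    if target is not None and len(secs) > 1 and section_of(secs, target) is secs[-1]:
        findings.append("entry control flow lands in the last section")
    if pe["dirs"][DIR_BASERELOC][0] == 0 and any(s[0] == ".reloc" for s in secs):
        findings.append(".reloc section present but relocation directory nulled")
    return findings


def build_sample(infected):
    """Constructed two-section PE32 standing in for a .NET EXE (not a real binary)."""
    ep = 0x2010
    text = bytearray(0x200)
    struct.pack_into("<II", text, 0, 0x2100, 0)       # IAT at RVA 0x2000: slot + terminator
    if infected:                                      # jmp rel32 into the .reloc body
        text[0x10:0x15] = b"\xE9" + struct.pack("<i", 0x4000 - (ep + 5))
    else:                                             # jmp dword ptr [IAT slot]
        text[0x10:0x16] = b"\xFF\x25" + struct.pack("<I", IMAGE_BASE + 0x2000)
    reloc = bytearray(0x200)
    if infected:
        reloc[:4] = b"\xEB\xFE\x90\x90"               # constructed placeholder "body"
    else:
        struct.pack_into("<II", reloc, 0, 0x2000, 12)  # one relocation block header
    dirs = {DIR_COM_DESCRIPTOR: (0x2100, 72), DIR_IAT: (0x2000, 8),
            DIR_BASERELOC: (0, 0) if infected else (0x4000, 12)}
    secs = [(b".text", 0x2000, 0x200, 0x200), (b".reloc", 0x4000, 0x200, 0x400)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, ep)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # section / file alignment
    struct.pack_into("<II", opt, 56, 0x5000, 0x200)   # SizeOfImage / SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    for i, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    hdr = dos + b"PE\0\0" + coff + opt
    for name, rva, size, raw in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, size, rva, size, raw, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr.ljust(0x200, b"\0") + text + reloc)
```

    Run `scan(build_sample(False))` for the clean stand-in and `scan(build_sample(True))` for the one with the rewritten stub; the first returns no findings, the second reports all three. The checks are heuristics about the image's shape, not a signature, which is the point: a scanner that only matches the replicated bytes misses the next variant, while one that knows what a well-formed managed entry stub looks like does not.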

  • Why .NET is doomed (Score:4, Insightful)

    by IGnatius T Foobar ( 4328 ) on Thursday January 10, 2002 @05:04PM (#2819203) Homepage Journal
    .NET is doomed to be a digital Petri dish for viruses. This is because Microsoft will rush it to market. Every day that passes without .NET being completed is another day that J2EE continues to entrench itself in the enterprise. This is happening because J2EE is actually good technology.

    Microsoft has to get some of the .NET framework rolled out quickly. And they're going to do that the same way they always do: by skipping most of the security QA they should be doing.

    Rest assured that .NET will be every bit as secure as Windows XP -- i.e. not secure at all.

    You can count on it.
  • by Duderstadt ( 549997 ) on Thursday January 10, 2002 @05:24PM (#2819445)

    For those unfamiliar with .NET assemblies, here's a little tip for wanna-be virus writers:

    All .NET assemblies are digitally signed. The sig is put together by the compiler and is guaranteed to be unique across space and time (a la a GUID).

    So, if you write a virus and release it into the wild, keep in mind that you might as well have 'GUILTY AS CHARGED' stamped on your forehead.

  • by josh_miller ( 104618 ) on Thursday January 10, 2002 @06:06PM (#2819757)
    Public utilities will never force you to pay online. They may offer the opportunity, and it may require .NET, but they'll always accept a check. Imagine requiring internet access to get a phone or electric service! Won't happen. Ever.
  • by Jason Earl ( 1894 ) on Thursday January 10, 2002 @06:37PM (#2819971) Homepage Journal

    Absolute security wouldn't be any fun. It would entail turning off the computer, burying it in concrete and firing it off towards the center of the sun. Linux gives the user a great deal of security without being unusable. It's pretty close to the "ideal form" IMHO.

    Of course, I am not too paranoid. You might prefer OpenBSD :).

  • Re:The virus. (Score:2, Insightful)

    by mrmag00 ( 200868 ) on Thursday January 10, 2002 @07:16PM (#2820226) Journal
    Criminals are terrorists too. When people steal your car they are terrorists because you can't get to work to publish your paper. Drugs support the terrorist ideals too - they degrade our society! shut the hell up, christ.

    I agree with the comment, but stop calling everybody terrorists. Right now I could care less about my karma, just stop using this stupid word to describe everything.
  • by yerricde ( 125198 ) on Thursday January 10, 2002 @07:23PM (#2820284) Homepage Journal

    Sounds like the vaporware phenomenon has extended to virii.

    1. It's 'viruses' [dictionary.com]. ESR says so [tuxedo.org].

    2. Concept Virus is also the name of the virus commonly [wired.com] known as Nimda [f-secure.com].

  • Re:The virus. (Score:3, Insightful)

    by miguel ( 7116 ) on Friday January 11, 2002 @12:31AM (#2821548) Homepage
    Although it is not well known, .NET includes the same kind of functionality to develop "applets".

    .NET comes with a security system in place to enable executing dynamically loaded and untrusted code in your application domain.

    For example, you could be running an untrusted math analysis tool that is downloaded from the network into say your spreadsheet program without having to worry about the plugin damaging your system (security system kicks in).

    Miguel
