
First (proof-of-concept) .NET virus
Juergen Kreileder writes "Symantec
says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"
.NET? (Score:2, Interesting)
Also at El Reg (Score:5, Informative)
More details also at The Register [theregister.co.uk].
Sick of this sh*t (Score:3, Insightful)
However experts say emergence of the "proof of concept" virus means the industry needs to invest in changing the way antivirus software works and adapt it to new environments.
Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind.
I hope the latest search [slashdot.org] for ET intelligence is fruitful so that we can be saved from ourselves.
Re:Sick of this sh*t (Score:5, Funny)
"Sigh. I must be in the minority thinking that the applications themselves can be written with security in mind."
What the "experts" really mean is they have to completely rewrite their anti-virus software to be .NET compatible, and that everyone will have to buy brand new copies of those programs. So when M$ says that .NET is good for business, we know they're right about at least one business (anti-virus software).
Re:Sick of this sh*t (Score:2, Insightful)
My guess is that when Symantec says they have received this proof-of-concept virus what they really mean is that they wrote it.
And CNET also has an (Score:2, Informative)
heh (Score:5, Funny)
A concept virus? (Score:4, Funny)
Yay (Score:2, Insightful)
So
Re:Yay (Score:2, Insightful)
Wouldn't the virus still be a sequence of bytes? I mean, it's not like the virus scanners run the code in a virtual machine to determine if it's a virus.
Also, what about macro viruses and e-mail viruses. Isn't this how AV software scans those files?
Maybe I'm missing the boat here...
The real question at hand: (Score:2, Funny)
Is Microsoft
a) Yes
b) No
c) Hell No
Would a) be the most popular choice because of Microsoft Vote-Rigging and Ballot Stuffing?
Re:The real question at hand: (Score:4, Funny)
Is Microsoft
a) Yes
b) Sure
c) You bet!
Re:The real question at hand: (Score:4, Funny)
f) CowboyNeal.NET
Even if I hate .NET, I have to be realistic... (Score:4, Interesting)
.NET is dangerous. It's a security disaster waiting to happen. I don't want to use it if I can avoid it...
See last sentence. WILL we be able to avoid it, realistically? A lot of /.'ers might be able to, but folks who still have to live and work with Microsoft products in the workplace or even at home and want to get things done online might not have a choice. If online shopping services convert over to .NET or god forbid my bill payment services, it's going to be very difficult to avoid having to make that Passport account and start using .NET.
So, taking the hypothetical stance that one would need to eventually get registered to use .NET services they can't avoid using, what can be done to protect yourself and your data? Are there any .NET developers out there who can comment on how much risk is involved and how it can be minimized beyond 'Don't use it'?
Re:Even if I hate .NET, I have to be realistic... (Score:3, Informative)
Re:Even if I hate .NET, I have to be realistic... (Score:3, Insightful)
Re:Even if I hate .NET, I have to be realistic... (Score:3, Insightful)
Jaysyn
Re:Even if I hate .NET, I have to be realistic... (Score:2)
I'm of the opinion that ANY of these technologies that automate/facilitate transparent communication between computers is, in itself, a virus platform. I mean, we'll get to a time where we won't even be sure what's a virus and what's not; I guess this is the idea behind 'trusted signing authorities', but really, doesn't this confirm the whole Orwellian push towards trusting and serving corporate entities more so than our friend and his/her computer? I really don't mind wasting a few megabytes and engaging in application updates/downloads/installs/deinstalls/exports/imp
What's the point of running a fatclient if all it ends up being is a thinclient with something to lose?
Maybe this is where it should go. Your HD becomes your 'computer', the way we think of it now, and you still have to authorize things going from/to disk. Other than that, I don't want my OS acting as a thin client to a network when I have fatclient-style sensitive or important data on it.
Re:Even if I hate .NET, I have to be realistic... (Score:2)
Re:Even if I hate .NET, I have to be realistic... (Score:5, Interesting)
AOL will almost certainly throw their millions of users towards some other system, and web sites will be forced to support both AOL's system or Microsoft's, or neither (they will probably just stick with whatever they are doing now).
Trust me, Microsoft's Passport numbers look impressive, but that's almost entirely due to Hotmail (which Microsoft doesn't charge for). In other words they have a load of crap data, and they are just now trying to get folks to actually associate this information with useable information like credit card numbers. To make matters even more interesting, Microsoft has had several well published security exploits. Only the dimmest of dim bulbs is going to trust Microsoft with their billing information (especially since chances are good that all of the places that they purchase things online already have this information). AOL, on the other hand, already has billing information for each and every one of their customers. They have literally got exactly what they need to make Internet Shopping truly painless.
Better yet, there is at least some chance that AOL will share their Passport equivalent, which will almost certainly spread to other large ISPs.
And finally, every eCommerce site currently in existence already has a way to charge you money. They aren't likely to throw their old software away and change to a .NET only site. Microsoft is the only company I can think of that has a good reason to force paying customers towards .NET.
Re:Even if I hate .NET, I have to be realistic... (Score:4, Funny)
Repeat after me: AOL is not the internet.
Re:Even if I hate .NET, I have to be realistic... (Score:2)
If you are on AOL you can have the familiar AOL interface to do your shopping and those same companies can provide shopping by more traditional means (HTML, etc.) while still using an AOL account.
I am not an AOL user any more (I was about 5 years ago), so I could easily be mistaken. I thought AOL already does this for some of its partner stores. You could buy things at the partner store and they'd just end up on your AOL bill.
But I could easily be misremembering from years ago.
Re:Even if I hate .NET, I have to be realistic... (Score:2)
The last big Passport hack made the news, as did the recent problems with Windows XP. People notice these things.
Re:Even if I hate .NET, I have to be realistic... (Score:5, Informative)
The
In contrast, the
Re:Even if I hate .NET, I have to be realistic... (Score:2, Informative)
So, taking the hypothetical stance that one would need to eventually get registered to use
The whole world isn't online.
Mark
Re:Even if I hate .NET, I have to be realistic... (Score:2)
As a .NET developer... (Score:2)
1. That right there makes a
2. Passport and
I would honestly predict that very few
Remember Passport is just an authentication service with extras. This is a commodity technology with a lot of players, and if it does get hot I'm sure Yahoo or AOL are very capable of making their own competing authentication services...
Re:Even if I hate .NET, I have to be realistic... (Score:2)
Where you are wrong... (Score:4, Informative)
1.
.NET is a virtual machine. It's as dangerous as Java or any other programming platform. (Yes,
2.
3. Microsoft isn't looking to put everything on the Server. This would jeopardize their client monopoly, and plus it makes absolutely no sense.
If Microsoft wants to ensure a steady revenue stream, they have two ways of doing this.
A. Change the license to require companies to renew their license after x years.
B. Add new features to the next version causing customers to salivate and upgrade.
They're pretty much doing a good job with B, but if they happen to fail, they can always revert to A.
If you would like me to clarify on any further points, feel free to respond.
Even before you have a proof-of-concept app? (Score:2, Troll)
Re:Even before you have a proof-of-concept app? (Score:2)
Re:Even before you have a proof-of-concept app? (Score:3, Informative)
Re:Even before you have a proof-of-concept app? (Score:3, Informative)
.NET is a platform. There are many applications and services that make up the platform. Some parts of the platform have been/are being rolled out.
Passport/.NET my services is one
Visual Studio.NET has "gone gold" and will be shipping soon.
various bits of
.NET alerts are included in the latest MSN Messenger.
Yadda Yadda.
Anyway, I think calling this virus a ".NET virus" is misinformation. This virus is a Win32 virus. It doesn't work across all
Conference included .NET virus capabilities (Score:5, Informative)
Mono (Score:4, Funny)
Re:Mono (Score:2, Informative)
Mono is an implementation of C#, that is it.
Author is benny (Score:5, Informative)
http://benny29a.kgb.cz/ [benny29a.kgb.cz]
There was an interview with him for Softwarove Noviny (Czech magazine); its translation is at:
http://benny29a.kgb.cz/articles/iigi.txt [benny29a.kgb.cz]
Origin? (Score:5, Interesting)
I wonder if this too, was a similar sort of event.
l337 hax0r (Score:4, Funny)
The virus. (Score:5, Insightful)
These kinds of virus programs will probably not succeed in the NT world with user permissions or in any system with per-user permissions (Linux). Although theoretically possible (root runs the virus), in practice these kinds of virus programs never succeed in the wild due to these kinds of security mechanisms.
For
Re:The virus. (Score:2, Troll)
Re:The virus. (Score:3, Insightful)
.NET comes with a security system in place to enable you to execute dynamically loaded and untrusted code in your application domain.
For example, you could be running an untrusted math analysis tool that is downloaded from the network into say your spreadsheet program without having to worry about the plugin damaging your system (security system kicks in).
Miguel
Re:The virus. (Score:2, Informative)
Re:The virus. (Score:2, Insightful)
also (Score:2, Insightful)
Also CLR code can be signed and authenticated, so if you run code, the Framework can check for Authentication/Authorization and Integrity. That will surely put a cramp on viruses.
Also as far as buffer overflows are concerned,
And when the CLR/CLI goes through ECMA standardization, you may not even have to rely on MS to supply the framework. I know groups are already working on getting a CLR platform on Linux as an example....
Did anybody else.. (Score:5, Funny)
Now that's a business strategy.
Re:Did anybody else.. (Score:2)
sheesh...
Not particularly surprising (Score:4, Insightful)
Re:Not particularly surprising (Score:2)
And .NET... (Score:4, Funny)
lol
Virus Check every SWF, etc? (Score:5, Insightful)
It seems that while everyone says we have 'more than enough processing power' it is going to be sucked up by virus scanners and "do you want to run this" pop-up boxes.
Except of course (for now) on Linux.
A side point: everyone says "don't run as root, only run as a regular user". Sure. No problem. But suppose I run as a regular user, and get some virus/trojan/whatever. I've got a lot of stuff in my home directory. In fact, I'll even say that it's easier to replace / than
Or decent backup (Score:3, Informative)
Full backup every few days, and incrementals throughout the day. Bit of thrashing, but it will protect you from most problems.
Re:Or decent backup (Score:2)
But how do you know when the infection occurred? At the very least, you'd have to check your crontab to ensure that you did set 'rm -rf ~/' to run every twenty minutes starting five days from now. IOW, yes, backups are nice, but wouldn't it be better to prevent the barn door from opening rather than closing it after the horses are out?
(Again, I'm not trying to flame. I just think that a back up is only one part of a useful anti-virus policy.)
Re:Virus Check every SWF, etc? (Score:5, Insightful)
This is the crux of the matter!
If there's anything Unix needs to push it over the top as a secure server operating system, it is the ability to tell the OS that "This File can never be deleted and can only be appended to by Postmaster. Forever. No matter what. Even if I want to get rid of it later." If I could give my clients that, they would jump to UNIX no matter what hurdles they had to jump - they have lost too many Outlook folders and too many database tables due to the insecurity of Windows. They would RUN to Unix.
Just me and my ramblings. And yes I know about backups and rsyncing from a locked down OpenBSD box.
Re:Virus Check every SWF, etc? (Score:2)
It's hard to know you *never* want to get rid of a file, or even rename it or move it somewhere else.
New viruses would just create a bunch of humongo crap files in your home directory (maybe called hardcoreporn.jpg for any admin/boss types happening to peruse your files) and then mark them undeletable.
Finally, if you want to achieve a crude approximation of your goal just chown the files to root and chmod them to 444 or something. Of course this scheme fails when you're running as root..
Re:Virus Check every SWF, etc? (Score:2)
I'm a clueless linux user mostly, but wouldn't a root cron job to tar up your home directory and store it in a place not accessible by your user account work?
Wow, that's a spiffy idea. I think I'll patent it with the name "backup". :)
Re:Virus Check every SWF, etc? (Score:2)
But, that's basically what I do.
Re: (Score:2)
Re:Virus Check every SWF, etc? (Score:2)
I do think that it's amazing that the sun jvm hasn't had any really bad security problems with Java yet. At least after version 1.2 (afaik).
Re:Virus Check every SWF, etc? (Score:5, Insightful)
Imagine you are a virus. Now tell me how exactly are you going to spread using the stuff found in your home directory. Viruses spread by attaching themselves to executables, but I don't have any executables in my home directory, and if I did there is almost no chance that some other user is going to run them. If by some amazing obscure fluke I did have some binaries in my home directory, and I just so happened to mail one of those infected binaries to a friend, even if my friend did run this binary the virus is stuck with the same low chances for infection. It can only infect files that my friend has read access to, and it can only carry out tasks that my friend has permission to do.
In other words such a beast has almost no chance of actually spreading.
Now, someone could send you a malicious email attachment. Something along the lines of:
#!/bin/sh
rm -rf ~/
Of course, this sort of binary has very little chance of getting run. After all, there isn't an email client for Linux that I am aware of that would make this sort of attachment easy to run. You would have to save it to your home directory, set the executable bit, and then run it.
And even if you did run it, how would it spread? It might try and email itself to everyone in your address book, but Linux doesn't have a default address book, nor is it likely to ever have one. Some folks use mutt, others use Pine, Evolution has its own format, as does Aethera, and for folks like me that use Emacs to read our mail there are several possible places to put our address book.
Windows has a ton of viruses for four basic reasons:
1) There are no sensible file permissions. Users can write to system files.
2) Microsoft has made it easy to do some incredibly stupid things. For example, getting the contents of your address book is dead simple.
3) Microsoft has blended the line between executable content and data. Double clicking on an icon can either launch a program or open a document. Some documents (like MS Word files) can even contain executable content with full access to your system.
4) Microsoft is a ubiquitous mono-culture. A Microsoft exploit has plenty of susceptible victims, making it easier for viruses to spread. Even if someone did write a Linux mail virus, the chance of it working on both my Emacs/Gnus set up and someone else's Evolution setup is highly unlikely. Without enough susceptible victims viruses can't spread.
Even if all of the Joe Sixpacks in the world were running Linux it still would be a good deal less dangerous than what Windows users currently face.
Re: (Score:3, Informative)
Re:Virus Check every SWF, etc? (Score:3, Insightful)
Absolute security wouldn't be any fun. It would entail turning off the computer, burying it in concrete and firing it off towards the center of the sun. Linux gives the user a great deal of security without being unusable. It's pretty close to the "ideal form" IMHO.
Of course, I am not too paranoid. You might prefer OpenBSD :).
Re:Virus Check every SWF, etc? (Score:2)
For some reason, I seem to remember that there was something special about ports <1024 other than that they need root access, but I don't know the specifics. Little help?
I agree that it should be harder to create virii for Linux. Not only do the plethora of distros make this more difficult, but so do the version numbers of programs within a distro (some Debian packages seem to update at least once or twice per week). But this also strikes me as at least a little bit 'security through obscurity'.
And I'm not arguing for a change in that. What I'm arguing for (and not strongly at that) is that while the Linux community is relatively safe, wouldn't now be the time to put in various safety features? Wouldn't now be the time to put in virus scanners? Because of the small number, it should be easier to compile a fairly comprehensive list of signatures, so work can be devoted to the signature checker, rather than on writing signatures.
Just a thought.
Re:Virus Check every SWF, etc? (Score:2)
20:45 viktor@bart:~ $ which su
/bin/su
21:03 viktor@bart:~ $ echo "virus" >
bash:
21:03 viktor@bart:~ $ ls -l
-rwsr-xr-x 1 root root 23276 22. Okt 17:25
21:04 viktor@bart:~ $ id
uid=1000(viktor) gid=1000(viktor) groups=1000(viktor),24(cdrom),25(floppy),29(audio
Darn!
Re:Virus Check every SWF, etc? (Score:2)
Symantec. (Score:3, Interesting)
I know most people won't agree, but doesn't Symantec stand to make a mint if this is true?
I guess they needed a virus before they released anti-virus software.
I tossed .NET in the fire and this came up! (Score:3, Funny)
Re:I tossed .NET in the fire and this came up! (Score:2)
Re:I tossed .NET in the fire and this came up! (Score:2)
In the Land of Redmond where the Shadows lie.
Re:I tossed .NET in the fire and this came up! (Score:2)
Please stop saying nasty things about my precious Emacs.
Re:I tossed .NET in the fire and this came up! (Score:2)
Wow... (Score:5, Funny)
- A.P.
Homer Sez (Score:4, Funny)
No sandbox = .NET security (Score:5, Informative)
"Normally .NET files do not have any platform dependent code, but a small 5 byte stub. This stub executes the mscoree.dll _CorExeMain() function and thus the .NET MSIL (intermediate language) gets control if the .NET framework is installed."
"The virus infects .NET executables by attacking the 5 byte jump to the _CorExeMain() function. It replaces this jump with another one to point into the last section of the executable, it overwrites its .reloc section with itself and nullifies the relocation directory."
Interesting. I predict we will be seeing many, many attacks on .NET somewhat similar to this, since Microsoft kept function pointers (which are unverifiable) in the mix. Good for the checkbox battles, but fatal for security.
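A defender-side integrity check for the stub described above, added here as an example and not part of this thread or of Symantec's write-up: it parses a PE32 .NET image, verifies that the entry-point stub is still an indirect jmp through the import address table (the form the loader expects for the _CorExeMain import), and flags a direct jump redirected into the last section or a zeroed relocation directory. The sample images it builds are constructed in-memory, not real binaries.

```python
import struct

CLR_DIR, IAT_DIR, RELOC_DIR = 14, 12, 5   # IMAGE_DIRECTORY_ENTRY_* indices


def build_sample_pe(tampered=False):
    """Constructed minimal PE32 .NET-style image: .text holds stub and IAT, .reloc is last."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    dd = opt + 96
    struct.pack_into("<II", img, dd + RELOC_DIR * 8, *((0, 0) if tampered else (0x2000, 0x10)))
    struct.pack_into("<II", img, dd + IAT_DIR * 8, 0x1010, 8)
    struct.pack_into("<II", img, dd + CLR_DIR * 8, 0x1020, 0x48)
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, 0x160, b".reloc", 0x200, 0x2000, 0x200, 0x400)
    if tampered:
        # Donut-style: stub replaced by a jmp rel32 into the last section, reloc dir zeroed
        img[0x200:0x206] = b"\xe9" + struct.pack("<i", 0x2000 - 0x1005) + b"\x00"
    else:
        # Genuine stub: jmp dword ptr [IAT slot]  (FF 25 + absolute address of the slot)
        img[0x200:0x206] = b"\xff\x25" + struct.pack("<I", 0x400000 + 0x1010)
    return bytes(img)


def parse_pe(data):
    """Pull out the few PE32 header fields the stub check needs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "rawsize": rawsize})
    return entry, image_base, dirs, sections


def rva_to_offset(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"])
    return None


def check_clr_stub(data):
    """Return findings about the native entry stub; an empty list means it looks genuine."""
    entry, image_base, dirs, sections = parse_pe(data)
    if len(dirs) <= CLR_DIR or dirs[CLR_DIR][0] == 0:
        return ["no CLR header: not a .NET image"]
    ep_off = rva_to_offset(sections, entry)
    if ep_off is None:
        return ["entry point lies outside every section"]
    stub, findings, last = data[ep_off:ep_off + 6], [], sections[-1]

    def in_last(rva):
        return last["va"] <= rva < last["va"] + last["vsize"]

    if stub[:2] == b"\xff\x25":
        # Genuine form: indirect jump through an IAT slot (mscoree!_CorExeMain)
        target = struct.unpack_from("<I", stub, 2)[0] - image_base
        iat_rva, iat_size = dirs[IAT_DIR]
        if not iat_rva <= target < iat_rva + iat_size:
            findings.append("stub jumps through 0x%x, which is outside the IAT" % target)
    elif stub[0] == 0xE9:
        # Direct jmp rel32: resolve the destination and report where it lands
        dest = entry + 5 + struct.unpack_from("<i", stub, 1)[0]
        where = " in last section " + last["name"] if in_last(dest) else ""
        findings.append("stub is a direct jump to 0x%x%s" % (dest, where))
    else:
        findings.append("entry bytes %s are not a jmp dword ptr [IAT]" % stub[:2].hex())
    if in_last(entry):
        findings.append("entry point itself lies in last section " + last["name"])
    if dirs[RELOC_DIR] == (0, 0) and any(s["name"] == ".reloc" for s in sections):
        findings.append("relocation directory zeroed although a .reloc section exists")
    return findings
```

Run against a real image by passing the file's bytes to check_clr_stub; the IAT-range test only tells you the jump goes through the import table, so pairing it with an import-name lookup for mscoree!_CorExeMain is the natural next step.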
Re:No sandbox = .NET security (Score:2, Insightful)
The paragraph in between that you deleted read:
Thus currently a .NET application executes native code before it will execute the platform independent code. According to Microsoft this native code will be removed and the operating system itself will recognize and execute .NET images.
So, supposedly, this only infects Beta 2 of .NET. It also states this attack does not work against Beta 1.
The torch has been passed (Score:5, Funny)
Outlook ->
Concept Virus?? (Score:2, Informative)
Virii are money making entities in themselves and I'm tired of seeing companies encouraging the creation of Virii. I don't remember when, but I do remember a scandal typeness on the net a LONG while ago about McAfee going out to software writers to see if they would be interested in writing virii to test out their detector ... then they just happen to get released out into the wild.
The other thing that I see wrong with Virii and Worms is that it kills the IT world. IT department heads are forced to clean up after end user mistakes when they could be developing. And when a worm like Nimda is released my bandwidth was cut by a third almost.
It's ridiculous ... and I'm really sick of it ... virii writers are the lowest of lows when it comes to software. A monkey can code, but a true hacker can realize when his code could harm something or someone.
Re:Concept Virus?? (Score:2, Insightful)
Really, this virus was written to demonstrate the flaws in
The virus is already known to the virus protection people. The virus was not released nor spread in the wild and would have a damn hard time propagating about the Internet seeing as how most people don't have the framework available...
Jeremy
Re:Concept Virus?? (Score:2)
And again ... why are virus scanning companies encouraging the creation of virii ?? I would think the world would be a better place with no Virii out there ... but then ... how would Symantec make any money??
Re:Concept Virus?? (Score:2)
Ethics. Though hacker ethics may be skewed from the status quo, they are still there. And any true hacker knows what their ethics are ... and I have yet to see someone who is truly a hacker make a virus. You think Torvalds couldn't screw quite a few people by putting some type of a backdoor in the kernel? ... of course ... but he doesn't because like a million other coders/hackers ... they have ethics that say something like this is wrong ... and they DON'T DO IT.
So it shouldn't be encouraged is all I'm saying.
Re:Concept Virus?? (Score:2)
But thanks for the support.
.NET virus not such a big deal (Score:5, Insightful)
Don't get all worked up, guys. Executable files that can modify other executable files to self-replicate are nothing new, and
(Regardless, kudos to the creator for the cool hack and for not unleashing it on the world!)
Personally, I think the idea of high-level languages and portable binaries is a good one, so I am actually excited about the Common Language Runtime (etc.) aspect of
Worrisome first volley (Score:5, Interesting)
OTOH, Microsoft, jealous of Java's success, is attempting a similar model and boasts similar security measures, claiming that with
The problem is that M$ is cutting a bunch of corners that make me very nervous. For example, the user only compiles a program the first time he runs it. After that a machine-code file is left on the user's machine for further runs. Also, M$ is attempting to mix "Managed Code" in with "Unmanaged Code". Their attempt is to make their apps run faster than Java code. But I'm afraid we're going to bear the misfortunes of their aggressive tactics, by being the real victims of a new wave of viruses exploiting these new holes...
Oldish news (Score:2, Informative)
Passport and .NET Security... (Score:4, Interesting)
Re:Passport and .NET Security... (Score:3, Informative)
Good and Bad (Score:2, Insightful)
Having a kid infect a .NET server makes it harder for those working with web services. Large institutions most likely will continue their web services plans, but it makes it harder for consumers to trust the services. Non technical people might think all web services are full of security holes and decide none of it is any good.
In Microsoft's race to get something out, they are doing more damage to the perception of the web services industry than anything else. Consumers are already freaked about big corp taking too much control. It's great the security hole has been revealed, but it shouldn't have been so easy. Like the kid says in his interview, "they are the idiots." Is the consumer going to agree with the kid or the company that just got hacked?
.NET pricing model (Score:5, Funny)
$1,000 per year +
$1,500 per application
Large Developer
$10,000 per year +
$1,500 per application
Virus Developers
$1,200 per year +
$0.25 per computer infected*
* Tracking provided by Bill Gates' Email Tracking System(tm)
The Score So Far (Score:2, Interesting)
Java Virii: 0
Seriously, wouldn't a Java virus be great? I mean, it runs on just about anything (including your PlayStation 2). I wonder why there aren't any roaming the net . . .
Maybe because Sun actually put some effort into the security aspects of an inherently dangerous idea?
First Java virus in 1998 (Score:3, Informative)
Another article ".Net may lead to fewer viruses" (Score:2)
The article is dated 28/09/2001, 4 months ago.
They say:
".Net will almost undoubtedly create fresh infection mechanisms for virus writers to exploit."
"[.Net] not yet addressed by AV[AntiVirus] products."
"a
"Viruses that infect
"it might allow 'viruses to propagate to operating systems that were previously considered low risk'"
Why the HELL is the article titled ".Net may lead to fewer viruses"?!?!?!
-
Only in stub, not truly a .NET/CLR security hack (Score:3, Informative)
This is really not part of
The important thing to point out is that this hack does not foil CLR security. It's foiling standard Win32 security and only because of the aforementioned "optimization".
Later,
Drew
[1] http://discuss.develop.com/archives/wa.exe?A2=ind
Why .NET is doomed (Score:4, Insightful)
Microsoft has to get some of the
Rest assured that
You can count on it.
Go to jail, go directly to jail... (Score:3, Insightful)
For those unfamiliar with .NET assemblies, here's a little tip for wanna-be virus writers:
All .NET assemblies are digitally signed. The sig is put together by the compiler and is guaranteed to be unique across space and time (à la a GUID).
So, if you write a virus and release it into the wild, keep in mind that you might as well have 'GUILTY AS CHARGED' stamped on your forehead.
Re:Donut? (Score:2, Informative)
Re:Might get modded as flamebait, but oh well... (Score:2)
Re: (Score:3, Interesting)
Re:Might get modded as flamebait, but oh well... (Score:3, Informative)
In past experience, I find it's typically best to consider stability issues to be the fault of the underlying hardware.
I've many times seen Linux perform flawlessly on motherboards that Windows was horribly unstable on. The reverse I've never seen (A Windows system stable on H/W that Linux was unstable on)
That's not to say that there's some misconfiguration or something in your setup, but I've just never seen it. And note that not all hardware works with Linux (duh!) but we're talking stability here, not compatibility.
So, without any further ado:
YOU HAVE BAD HARDWARE, DUDE!
Re: (Score:3, Insightful)
Re:Makes me Shudder (Score:3, Funny)
I see this .NET stuff being unleashed upon us with holes in it before it even gets started.
Ermmm, which holes? You *did* read the article right? Or did you just not understand it?