« DNS inventor blames wrangling for insecure interweb | Main | Firefox 3.0.4 Released to address multiple security flaws »

.NET Framework rootkits - backdoors inside your framework

"The paper introduces a new method that enables an attacker to change the
.NET language, and to hide malicious code inside its core.

It covers various ways to develop rootkits for the .NET framework, so
that every EXE/DLL that runs on a modified Framework will behave
differently than what it's supposed to do. Code reviews will not detect
backdoors installed inside the Framework since the payload is not in the
code itself, but rather it is inside the Framework implementation.
Writing Framework rootkits will enable the attacker to install a reverse
shell inside the framework, to steal valuable information, to fixate
encryption keys, disable security checks and to perform other nasty
things as described in this paper."

Paper Link: http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!



This sounds like it would be better summarized as "covers a new method that enables an attacker to change the .NET RUNTIME, and to hide malicious code inside its core."

Saying "change the .NET language" doesn't make a lick of sense.


This text is from their announcement. We're in agreement.


This paper is completely worthless because you already have to have compromised the system to achieve the attack. It's no different than any other rootkit style attack. He might as well copy his PDF and call it the "Java rootkit attack". Then do the same and call it the "browser rootkit attack", etc.

*yawn*


Yes he states in the paper that you need admin privs. This is just yet another way to backdoor something in this case a popular development framework.


Looks like the time spent to write this paper should have been spent reading .net specs and how assemblies are managed by the GAC. Nothing new in this paper. Maybe his next paper will be about his new discovery that you can wipe strong name from assemblies and it's references and that you can use that to crack licensing in .net apps.

Post a comment







Remember personal info?