Researcher offers tool to hide malware in .Net

.Net-sploit can hide rootkits in a framework untouched by security software, where they can affect many applications

A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft's .Net framework on Windows computers.

The tool, called .Net-Sploit 1.0, allows for modification of .Net, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications.

Microsoft makes a suite of developer tools for programmers to write applications compatible with the framework. It offers developers the advantage of writing programs in several different high-level languages that will all run on a PC.

.Net-Sploit allows a hacker to modify the .Net framework on targeted machines, inserting rootkit-style malicious software in a place untouched by security software and where few security people would think to look, said Erez Metula, the software security engineer for 2BSecure who wrote the tool.

"You'll be amazed at how easy it is to devise an attack," Metula said during a presentation at the Black Hat security conference in Amsterdam on Friday.

.Net-Sploit essentially lets an attacker replace a legitimate piece of code within .Net with a malicious one. Since some applications depend on parts of the .Net framework in order to run, it means the malware can affect the function of many applications.

For example, an application that has an authentication mechanism could be attacked if the tampered .Net framework were to intercept user names and passwords and send them to a remote server, Metula said.

.Net-Sploit automates some of the arduous coding tasks necessary to corrupt the framework, speeding up development of an attack. For example, it can help pull a relevant DLL (dynamic link library) from the framework and deploy the malicious DLL.

Metula said that an attacker would already have to have control of a machine before his tool could be used. The advantage of corrupting the .Net framework is that an attacker could clandestinely maintain control over the machine for a long time.

It could potentially be abused by rogue system administrators, who could abuse their access privileges to deploy so-called "backdoors" or malware than enables remote access, Metula said.

The Microsoft Security Response Center was notified of the issue in September 2008. The company's position is that since an attacker would already have to have control over a PC, there is not a vulnerability in .Net. It doesn't appear that Microsoft has any plans to issue a near-term fix.

At least one Microsoft official chatted with Metula after his presentation, defending the company's position. Metula said he also doesn't consider the issue a vulnerability but rather a weakness, albeit one that Microsoft could take measures to make such an attack more difficult.

"No bulletproof solution will fix it," Metula said.

Also, security vendors should upgrade their software in order to detect tampering with the .Net framework, Metula said. .Net isn't the only application framework that is vulnerable to the attack, as variations could also be applied to other application frameworks, such the Java Virtual Machine (JVM) used for running programs written in Java.

Metula has published a white paper on the technique as well as the latest version of .Net-Sploit.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malware.net

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?