Researcher offers tool to hide malware in .Net

A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft’s .Net framework on Windows computers.

The tool, called .Net-Sploit 1.0, allows for modification of .Net, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications.

Microsoft makes a suite of developer tools for programmers to write applications compatible with the framework. It offers developers the advantage of writing programs in several different high-level languages that will all run on a PC.

.Net-Sploit allows a hacker to modify the .Net framework on targeted machines, inserting rootkit-style malicious software in a place untouched by security software and where few security people would think to look, said Erez Metula, the software security engineer for 2BSecure who wrote the tool.

“You’ll be amazed at how easy it is to devise an attack,” Metula said during a presentation at the Black Hat security conference in Amsterdam on Friday.

.Net-Sploit essentially lets an attacker replace a legitimate piece of code within .Net with a malicious one. Since some applications depend on parts of the .Net framework in order to run, it means the malware can affect the function of many applications.

For example, an application that has an authentication mechanism could be attacked if the tampered .Net framework were to intercept user names and passwords and send them to a remote server, Metula said.

.Net-Sploit automates some of the arduous coding tasks necessary to corrupt the framework, speeding up development of an attack. For example, it can help pull a relevant DLL (dynamic link library) from the framework and deploy the malicious DLL.

Metula said that an attacker would already have to have control of a machine before his tool could be used. The advantage of corrupting the .Net framework is that an attacker could clandestinely maintain control over the machine for a long time.

It could potentially be abused by rogue system administrators, who could abuse their access privileges to deploy so-called “backdoors” or malware than enables remote access, Metula said.

The Microsoft Security Response Center was notified of the issue in September 2008. The company’s position is that since an attacker would already have to have control over a PC, there is not a vulnerability in .Net. It doesn’t appear that Microsoft has any plans to issue a near-term fix.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

CDN Staff
CDN Staffhttps://channeldailynews.com
For over 25 years, CDN has been the voice of the IT channel community in Canada. Today through our digital magazine, e-mail newsletter, video reports, events and social media platforms, we provide channel partners with the information they need to grow their business.

Related Tech News

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.