Tom Olzak

.NET-Sploit ‘rootkit’: Easy to install, hard to defend against

In Cybercrime, Hacking on April 17, 2009 at 13:57


Microsoft’s .NET framework apparently contains a weakness which allows a rootkit-like malware infection, difficult to prevent and detect.  Apparently, the only solution is removal of the weakness from .NET.

The tool, called .Net-Sploit 1.0, allows for modification of .Net, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications.

Microsoft makes a suite of developer tools for programmers to write applications compatible with the framework. It offers developers the advantage of writing programs in several different high-level languages that will all run on a PC.

.Net-Sploit allows a hacker to modify the .Net framework on targeted machines, inserting rootkit-style malicious software in a place untouched by security software and where few security people would think to look, said Erez Metula, the software security engineer for 2BSecure who wrote the tool.

“You’ll be amazed at how easy it is to devise an attack,” Metula said during a presentation at the Black Hat security conference in Amsterdam on Friday.

.Net-Sploit essentially lets an attacker replace a legitimate piece of code within .Net with a malicious one. Since some applications depend on parts of the .Net framework in order to run, it means the malware can affect the function of many applications.

For example, an application that has an authentication mechanism could be attacked if the tampered .Net framework were to intercept user names and passwords and send them to a remote server, Metula said.

Source: Researcher offers tool to hide malware in .Net, Jeremy Kirk, IT World, 17 April 2009

%d bloggers like this: