Re: [DotGNU]Virus writers take an early crack at .Net
From: Gopal.V
Subject: Re: [DotGNU]Virus writers take an early crack at .Net
Date: Thu, 10 Jan 2002 12:09:46 +0530
User-agent: Mutt/1.2.5i
Hi,
> Had to happen sooner or later ...
>
> http://news.cnet.com/news/0-1003-200-8424382.html?tag=mn_hd
Doesn't surprise me. Writing a virus in IL is much
easier than in Java. The unmanaged support in IL helps quite
a bit. To push in support for non-type safe languages M$ has
added this which sticks out like a sore thumb (IMHO). But the
code I got for donut is *not* a PE/COFF executable? It is a
standard 32 bit EXE. This is what I could decode of it. It
uses the CLR as a COM object to execute inline IL code which
has a secure certificate signature (dunno how they faked it).
This infects the mscorlib.dll in the CLR's path. This goes
on to infect all the .NET programs run. (the signature turns
out to be *very* similar to windows-update ;-). This is what
I infer from the code/strings in the program. After all I'm
not *crazy* to test it out on a w*n*o*s box!
Rhys, you should consider you are lucky that the stuff
happened to be a Win32 Executable. I got that especially to
run it on Pnet inside a sandbox (VMWare GNU inside GNU).
Since that failed, does Pnet verify code for unmanaged section
of IL code? Also I guess that the certificate verification and
stuff like that comes in the domain of SEE? So currently
anyone foolish enough to run an IL virus explicitly as root
(i.e. ilrun imavirus.exe) is the only person really vulnerable
to the virus. Talk about curiosity killing the computer!
Gopal.V
--
The difference between insanity and genius is only measured by success
//===<=>===\\
|| GNU RULEZ ||
\\===<=>===//