Windows .NET rootkits are easy
A researcher has published details and tools helpful for installing rootkits into the Windows .NET framework.
Like the Windows OSs themselves, the .NET framework carries cryptographic signatures on its libraries and other components so that unauthorized alteration can be detected. However, the runtime does not actually check them when it loads an assembly. From the paper:
…the SN [strong name] mechanism does not check the actual signature of a loaded DLL but just blindly loads a DLL from inside a directory containing the DLL signature string.
So although the components of the .NET runtime are cryptographically signed by Microsoft, the signature is never verified at load time: the runtime trusts the directory layout instead. An attacker who can write to the framework directories (the GAC, where each assembly sits in a directory named after its assembly name, version and public key token) can drop a modified library into the directory with the right name and voila! the malware is completely trusted and loaded into every .NET application on the machine.
I can only guess that Microsoft chose this shortcut for speed. The .NET framework was created to compete with Java, which is often criticized for taking too long to initialize. By skipping signature verification, .NET apps can start up faster, with the minor disadvantage of not being able to trust anything written in .NET.
Subverting the .NET class libraries is a fantastic vector of attack:
- MS has long been pushing developers to use the .NET framework rather than create native Windows executables. Most corporate in-house apps (often considered the most trustworthy) are now written for .NET.
- The framework is a standard part of Windows Server 2003, Windows Vista and later.
- Though an optional download for XP, most people have installed it because an application required it.
- Forensic investigators generally overlook the framework libraries when trying to find out how a Windows machine was compromised.
- Anti-virus and other malware scanners may also ignore the framework libraries, or may be unable to scan MSIL / CIL bytecode (but I need to research this)
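Since the runtime itself will not verify the signatures, the check has to be done from outside. The script below is an added example, not from the original post or from the paper: it walks the GAC and the framework install directories and reports every managed DLL whose Authenticode signature is missing, invalid, or not issued to Microsoft, along with its modification time and SHA-256 hash so that suspect files can be compared against a known-good copy of the same framework version. The directory paths are the standard ones for a Windows install and are assumptions about the target machine; the `NativeImages_*` directories are skipped because the ngen output in them is generated locally and is not signed, so it needs a hash baseline rather than a signature check. Requires PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example (not code from the original post): audit the .NET framework
# directories for DLLs that are not validly signed by Microsoft.
# Paths below are the standard locations and are assumptions about the machine.
$roots = @(
    "$env:WINDIR\assembly",                  # GAC: GAC_MSIL, GAC_32, GAC_64
    "$env:WINDIR\Microsoft.NET\Framework",   # 32-bit runtime install
    "$env:WINDIR\Microsoft.NET\Framework64"  # 64-bit runtime install
) | Where-Object { Test-Path $_ }

$suspect = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include *.dll -File -ErrorAction SilentlyContinue |
        # ngen native images are built on this machine and carry no signature
        Where-Object { $_.FullName -notmatch '\\NativeImages_' } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Report anything that is not a valid signature from Microsoft.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Status   = $sig.Status
                    Signer   = $signer
                    Modified = $_.LastWriteTimeUtc
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Most recently modified files first: a freshly planted mscorlib.dll
# stands out against files that all date from the framework install.
$suspect | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so every directory is readable. A hit on this list is not proof of a rootkit on its own: some framework versions ship assemblies that are catalog-signed rather than carrying an embedded signature, so the hash column is there to check each reported file against a clean install of the same framework version before drawing conclusions.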
Microsoft has dismissed this vulnerability as not a concern since an attacker needs to have administrator privileges. Well, since nearly all Windows desktop users run with full administrative rights (and therefore so do all their apps, including the email client and web browser), administrator privileges are a given. So why do the Windows OSs bother with any self-protection mechanisms at all?