[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[WEB SECURITY] RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework

From: "Ragan, Rob R" <rob.ragan@xxxxxx>
Subject: [WEB SECURITY] RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
Date: Thu, 13 Nov 2008 20:18:14 +0000
--_000_1BF0773DAF711244B173C38E2B0508B452EFA9F669GVW1119EXCame_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Nice presentation and paper. When a signed assembly is installed in the GAC=
, the system hashes the contents of the file containing the manifest and co=
mpares the hash with the digital signature embedded in the PE file, after u=
nsigning it with the public key. It is interesting that the assembly isn't =
part of the hash with framework DLLs. Perhaps this is the case for performa=
nce reasons. Is there too much overhead to check the signature of these fil=
es as they're used so often? Let's say performance isn't an issue, would it=
 be a pointless gesture to trust the checking mechanism on a machine that h=
as been victimized by a rootkit? Modifying the framework in the way describ=
ed does require admin privileges.

By the way, Reflexil is a Reflector plug-in designed for easy modification =
of assemblies based on Mono.Cecil.  http://www.mono-project.com/Cecil  "Wit=
h Cecil, you can load existing managed assemblies, browse all the contained=
 types, modify them on the fly and save back to the disk the modified assem=
bly."

I prefer it to a text editor. It might save a couple steps from the modify =
and recompile sections of your paper. Also it has a feature for removing st=
rong naming.

http://sebastien.lebreton.free.fr/reflexil/
http://www.codeproject.com/KB/msil/reflexil.aspx

Enjoy,

Rob Ragan
HP Application Security Center
770.343.7050 Tel

From: Erez Metula [mailto:erezmetula@2bsecure.co.il]
Sent: Thursday, November 13, 2008 10:39 AM
To: websecurity@webappsec.org; webappsec@lists.securityfocus.com
Subject: [WEB SECURITY] New Whitepaper - .NET Framework Rootkits: Backdoors=
 inside your Framework

Paper Name
=3D=3D=3D=3D=3D=3D=3D=3D=3D

.NET Framework Rootkits - Backdoors inside your Framework (Author: Erez Met=
ula)


Paper Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The paper introduces a new method that enables an attacker to change the .N=
ET language, and to hide malicious code inside its core.
It covers various ways to develop rootkits for the .NET framework, so that =
every EXE/DLL that runs on a modified Framework will behave differently tha=
n what it's supposed to do. Code reviews will not detect backdoors installe=
d inside the Framework since the payload is not in the code itself, but rat=
her it is inside the Framework implementation. Writing Framework rootkits w=
ill enable the attacker to install a reverse shell inside the framework, to=
 steal valuable information, to fixate encryption keys, disable security ch=
ecks and to perform other nasty things as described in this paper.



Paper Summary
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Framework modification can be achieved by tampering with a Framework DLL an=
d "pushing" it back into the Framework.
The process is composed of several steps, described thoroughly at the corre=
sponding whitepaper.
It also exposes a flaw in the manner in which a .NET Framework DLL is loade=
d, and how it is possible to bypass its signature mechanism.
Instead of re-signing tampered DLL's with a spoofed Microsoft signature key=
 - surprisingly, it was found during this research that the modified DLL ca=
n be directly copied to the correct location at the file system, because th=
e SN mechanism does not check the actual signature of a loaded DLL but blin=
dly loads the DLL based on the directory name with the corresponding signat=
ure name!
It is important to mention that this technique does not requires "full trus=
t" permissions, which further proves the fact that the GAC / CAS protection=
 mechanisms are broken.

This paper also introduces ".Net-Sploit" - a new tool for building MSIL roo=
tkits that will enable the user to inject preloaded/custom payload to the F=
ramework core DLL.

You can find the detailed whitepaper, .NET-Sploit tool, source code, and th=
e OWASP presentation at:
http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx


--_000_1BF0773DAF711244B173C38E2B0508B452EFA9F669GVW1119EXCame_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" xmlns:p=3D"urn:schemas-m=
icrosoft-com:office:powerpoint" xmlns:a=3D"urn:schemas-microsoft-com:office=
:access" xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s=3D"=
uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs=3D"urn:schemas-microsof=
t-com:rowset" xmlns:z=3D"#RowsetSchema" xmlns:b=3D"urn:schemas-microsoft-co=
m:office:publisher" xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadshee=
t" xmlns:c=3D"urn:schemas-microsoft-com:office:component:spreadsheet" xmlns=
:odc=3D"urn:schemas-microsoft-com:office:odc" xmlns:oa=3D"urn:schemas-micro=
soft-com:office:activation" xmlns:html=3D"http://www.w3.org/TR/REC-html40"; =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/"; xmlns:D=3D"DAV:" xmln=
s:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml"; xmlns:ois=3D"ht=
tp://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir=3D"http://schema=
s.microsoft.com/sharepoint/soap/directory/" xmlns:ds=3D"http://www.w3.org/2=
000/09/xmldsig#" xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp"; =
xmlns:udc=3D"http://schemas.microsoft.com/data/udc"; xmlns:xsd=3D"http://www=
.w3.org/2001/XMLSchema" xmlns:sub=3D"http://schemas.microsoft.com/sharepoin=
t/soap/2002/1/alerts/" xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#"; xmlns=
:sp=3D"http://schemas.microsoft.com/sharepoint/"; xmlns:sps=3D"http://schema=
s.microsoft.com/sharepoint/soap/" xmlns:xsi=3D"http://www.w3.org/2001/XMLSc=
hema-instance" xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile=
" xmlns:wf=3D"http://schemas.microsoft.com/sharepoint/soap/workflow/"; xmlns=
:mver=3D"http://schemas.openxmlformats.org/markup-compatibility/2006"; xmlns=
:m=3D"http://schemas.microsoft.com/office/2004/12/omml"; xmlns:mrels=3D"http=
://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t=3D"ht=
tp://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m=3D"htt=
p://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z=3D"urn:s=
chemas-microsoft-com:" xmlns:st=3D"&#1;" xmlns=3D"http://www.w3.org/TR/REC-=
html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:right;
	direction:rtl;
	unicode-bidi:embed;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
	{mso-style-priority:99;
	mso-style-link:"Plain Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.5pt;
	font-family:Consolas;}
span.EmailStyle17
	{mso-style-type:personal;
	font-family:"Arial","sans-serif";
	color:windowtext;}
span.EmailStyle18
	{mso-style-type:personal;
	font-family:"Arial","sans-serif";
	color:navy;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.PlainTextChar
	{mso-style-name:"Plain Text Char";
	mso-style-priority:99;
	mso-style-link:"Plain Text";
	font-family:Consolas;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page Section1
	{size:595.3pt 841.9pt;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1 dir=3DRTL>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Nice presentation and paper. When a signed assembly is insta=
lled
in the GAC, the system hashes the contents of the file containing the manif=
est
and compares the hash with the digital signature embedded in the PE file, a=
fter
unsigning it with the public key. It is interesting that the assembly isn&#=
8217;t
part of the hash with framework DLLs. Perhaps this is the case for performa=
nce
reasons. Is there too much overhead to check the signature of these files a=
s
they&#8217;re used so often? Let&#8217;s say performance isn&#8217;t an iss=
ue,
would it be a pointless gesture to trust the checking mechanism on a machin=
e
that has been victimized by a rootkit? Modifying the framework in the way
described does require admin privileges. <o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>By the way, Reflexil is a Reflector plug-in designed for eas=
y
modification of assemblies based on Mono.Cecil. &nbsp;<a
href=3D"http://www.mono-project.com/Cecil";>http://www.mono-project.com/Ceci=
l</a> &nbsp;&#8220;With
Cecil, you can load existing managed assemblies, browse all the contained
types, modify them on the fly and save back to the disk the modified assemb=
ly.&#8221;<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I prefer it to a text editor. It might save a couple steps f=
rom
the modify and recompile sections of your paper. Also it has a feature for
removing strong naming. <o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href=3D"http://sebastien.lebreton.free.fr/reflexil/";>http=
://sebastien.lebreton.free.fr/reflexil/</a>
<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href=3D"http://www.codeproject.com/KB/msil/reflexil.aspx"=
>http://www.codeproject.com/KB/msil/reflexil.aspx</a>
<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Enjoy,<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Rob Ragan<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>HP Application Security Center<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>770.343.7050 Tel<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in'>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><b><span style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"=
'>From:</span></b><span
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Erez Metula
[mailto:erezmetula@2bsecure.co.il] <br>
<b>Sent:</b> Thursday, November 13, 2008 10:39 AM<br>
<b>To:</b> websecurity@webappsec.org; webappsec@lists.securityfocus.com<br>
<b>Subject:</b> [WEB SECURITY] New Whitepaper - .NET Framework Rootkits:
Backdoors inside your Framework<o:p></o:p></span></p>

</div>

</div>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;direction:ltr;unico=
de-bidi:
embed'><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>Paper Name<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>=3D=3D=3D=3D=3D=3D=3D=3D=3D<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>.NET Framework Rootkits - Backdoors inside your Frame=
work
(Author: Erez Metula)<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>&nbsp;<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>Paper Description<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<o:p></o:p></s=
pan></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>The paper introduces a new method that enables an
attacker to change the .NET language, and to hide malicious code inside its
core.<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>It covers various ways to develop rootkits for the .N=
ET
framework, so that every EXE/DLL that runs on a modified Framework will beh=
ave
differently than what it's supposed to do. Code reviews will not detect
backdoors installed inside the Framework since the payload is not in the co=
de
itself, but rather it is inside the Framework implementation. Writing Frame=
work
rootkits will enable the attacker to install a reverse shell inside the
framework, to steal valuable information, to fixate encryption keys, disabl=
e
security checks and to perform other nasty things as described in this pape=
r. <o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>Paper Summary<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<o:p></o:p></span=
></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>&nbsp;<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>Framework modification can be achieved by tampering w=
ith
a Framework DLL and &quot;pushing&quot; it back into the Framework.<o:p></o=
:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>The process is composed of several steps, described
thoroughly at the corresponding whitepaper.<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>It also exposes a flaw in the manner in which a .NET
Framework DLL is loaded, and how it is possible to bypass its signature
mechanism.<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>Instead of re-signing tampered DLL's with a spoofed
Microsoft signature key - surprisingly, it was found during this research t=
hat
the modified DLL can be directly copied to the correct location at the file
system, because the SN mechanism does not check the actual signature of a
loaded DLL but blindly loads the DLL based on the directory name with the
corresponding signature name!<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>It is important to mention that this technique does n=
ot
requires &quot;full trust&quot; permissions, which further proves the fact =
that
the GAC / CAS protection mechanisms are broken.<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>This paper also introduces &quot;.Net-Sploit&quot; - =
a
new tool for building MSIL rootkits that will enable the user to inject
preloaded/custom payload to the Framework core DLL.<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'>You can find the detailed whitepaper, .NET-Sploit too=
l,
source code, and the OWASP presentation at:<o:p></o:p></span></p>

<p class=3DMsoNormal dir=3DLTR style=3D'text-align:left;text-autospace:none=
;
direction:ltr;unicode-bidi:embed'><span style=3D'font-size:10.0pt;font-fami=
ly:
"Arial","sans-serif"'><a
href=3D"http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx";>=
http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx</a><o:p><=
/o:p></span></p>

<p class=3DMsoNormal dir=3DRTL><span dir=3DLTR><o:p>&nbsp;</o:p></span></p>

</div>

</body>

</html>

--_000_1BF0773DAF711244B173C38E2B0508B452EFA9F669GVW1119EXCame_--
Follow-Ups:
- [WEB SECURITY] RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
  - From: Erez Metula
References:
- [WEB SECURITY] New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
  - From: Erez Metula
Prev by Date: [WEB SECURITY] Malicious Code time-line 1980-2008
Next by Date: Re: [WEB SECURITY] Fwd: hi, need help
Previous by thread: [WEB SECURITY] New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
Next by thread: [WEB SECURITY] RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
Index(es):
- Date
- Thread
Brought to you by http://www.webappsec.org
Search this site