
[WEB SECURITY] RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework




Hi Ragan,

Performance seems to be the main cause for the lack of a signature check
(although the overhead penalty occurs once per loaded DLL).

I also believe that Microsoft did some threat modeling and came to the
right conclusion that since the checking mechanism is in the hands of
the attacker anyway, and he is able to disable it regardless of how it
works, it would be pointless to trust it, as you mentioned.

This is the reason why I believe that even if they do change the
signature mechanism (which will probably be broken shortly), the idea of
modifying .NET Framework DLLs will last for a long time... :-)

And it's also important to mention - I think the main issue is not the
mechanism itself but the fact that now we know that attackers have
another place to hide malicious code - it's not just the BIOS, kernel,
drivers, etc. but also the .NET Framework core DLLs.

Cheers,

Erez.

________________________________

From: Ragan, Rob R [mailto:rob.ragan@hp.com]
Sent: Thursday, November 13, 2008 10:18 PM
To: Erez Metula; websecurity@webappsec.org;
webappsec@lists.securityfocus.com
Subject: RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside
your Framework


Nice presentation and paper. When a signed assembly is installed in the
GAC, the system hashes the contents of the file containing the manifest
and compares the hash with the digital signature embedded in the PE
file, after unsigning it with the public key. It is interesting that the
assembly isn't part of the hash with framework DLLs. Perhaps this is the
case for performance reasons. Is there too much overhead to check the
signature of these files as they're used so often? Let's say performance
isn't an issue, would it be a pointless gesture to trust the checking
mechanism on a machine that has been victimized by a rootkit? Modifying
the framework in the way described does require admin privileges.


By the way, Reflexil is a Reflector plug-in designed for easy
modification of assemblies based on Mono.Cecil.
http://www.mono-project.com/Cecil  "With Cecil, you can load existing
managed assemblies, browse all the contained types, modify them on the
fly and save back to the disk the modified assembly."

I prefer it to a text editor. It might save a couple steps from the
modify and recompile sections of your paper. Also it has a feature for
removing strong naming.

http://sebastien.lebreton.free.fr/reflexil/

http://www.codeproject.com/KB/msil/reflexil.aspx

Enjoy,


Rob Ragan

HP Application Security Center

770.343.7050 Tel


From: Erez Metula [mailto:erezmetula@2bsecure.co.il]
Sent: Thursday, November 13, 2008 10:39 AM
To: websecurity@webappsec.org; webappsec@lists.securityfocus.com
Subject: [WEB SECURITY] New Whitepaper - .NET Framework Rootkits:
Backdoors inside your Framework


Paper Name

=========

.NET Framework Rootkits - Backdoors inside your Framework (Author: Erez
Metula)

Paper Description

=============

The paper introduces a new method that enables an attacker to change the
.NET language, and to hide malicious code inside its core.

It covers various ways to develop rootkits for the .NET framework, so
that every EXE/DLL that runs on a modified Framework will behave
differently from what it's supposed to do. Code reviews will not detect
backdoors installed inside the Framework since the payload is not in the
code itself, but rather it is inside the Framework implementation.
Writing Framework rootkits will enable the attacker to install a reverse
shell inside the framework, to steal valuable information, to fixate
encryption keys, disable security checks and to perform other nasty
things as described in this paper.

Paper Summary

============

Framework modification can be achieved by tampering with a Framework DLL
and "pushing" it back into the Framework.

The process is composed of several steps, described thoroughly in the
corresponding whitepaper.

It also exposes a flaw in the manner in which a .NET Framework DLL is
loaded, and how it is possible to bypass its signature mechanism.

Instead of re-signing tampered DLLs with a spoofed Microsoft signature
key - surprisingly, it was found during this research that the modified
DLL can be directly copied to the correct location in the file system,
because the SN mechanism does not check the actual signature of a loaded
DLL but blindly loads the DLL based on the directory name with the
corresponding signature name!

It is important to mention that this technique does not require "full
trust" permissions, which further proves the fact that the GAC / CAS
protection mechanisms are broken.

This paper also introduces ".Net-Sploit" - a new tool for building MSIL
rootkits that will enable the user to inject a preloaded/custom payload
into the Framework core DLL.

You can find the detailed whitepaper, .NET-Sploit tool, source code, and
the OWASP presentation at:

http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx
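The thread's point is that the loader trusts the GAC directory name and never re-checks the strong-name signature of the file it finds there, so an integrity check has to be done explicitly. The script below is an added example written for this page; it is not from the whitepaper, from .NET-Sploit, or from the list authors. It walks the .NET Framework 2.0/3.5 GAC layout (assumed to be under $env:WINDIR\assembly in GAC_MSIL, GAC_32 and GAC_64), recovers the public key token the directory name implies, reads the token actually carried in each assembly's manifest, and calls the real mscoree.dll export StrongNameSignatureVerificationEx with forced verification so that an "sn -Vr" skip entry cannot suppress the check. The baseline hashtable, the Test-GacAssembly and Get-Sha256Hex function names, and the SnCheck.Native type name are this example's own choices.

```powershell
# Added example (not from the paper, .NET-Sploit or the thread authors):
# explicit strong-name verification of every assembly in the .NET 2.0/3.5 GAC.
# Assumes: GAC under $env:WINDIR\assembly, mscoree.dll present, elevated
# PowerShell, and an optional baseline of path -> SHA-256 from a clean host.

Add-Type -Namespace SnCheck -Name Native -MemberDefinition @'
// Real mscoree.dll export. Its BOOLEAN (1-byte) arguments and return value
// are marshalled as U1; the default bool marshalling would be a 4-byte BOOL.
[DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool StrongNameSignatureVerificationEx(
    string wszFilePath,
    [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
    [MarshalAs(UnmanagedType.U1)] out bool pfWasVerified);
'@

function Get-Sha256Hex {
    param([string]$Path)
    # Plain .NET hashing so this also runs on PowerShell 2.0 era hosts.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-GacAssembly {
    param([string]$Path, [hashtable]$Baseline = @{})

    # GAC layout: ...\GAC_MSIL\<Name>\<Version>_<Culture>_<PublicKeyToken>\<Name>.dll
    # (culture is empty for neutral assemblies, giving "2.0.0.0__b77a5c561934e089").
    # The loader trusts this directory name, so recover the token it implies.
    $versionDir    = Split-Path -Leaf (Split-Path -Parent $Path)
    $expectedToken = $versionDir.Substring($versionDir.LastIndexOf('_') + 1).ToLowerInvariant()

    # Token embedded in the manifest. GetAssemblyName opens the file and reads
    # the manifest without loading the assembly into this AppDomain.
    $manifestToken = $null
    $readError     = $null
    try {
        $asmName       = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
        $manifestToken = ($asmName.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
    } catch {
        $readError = $_.Exception.Message
    }

    # fForceVerification = $true: verify even if "sn -Vr" registered a skip entry.
    $wasVerified = $false
    $sigValid = [SnCheck.Native]::StrongNameSignatureVerificationEx($Path, $true, [ref]$wasVerified)

    $hash = Get-Sha256Hex $Path
    $matchesBaseline = $null
    if ($Baseline.ContainsKey($Path)) { $matchesBaseline = ($Baseline[$Path] -eq $hash) }

    [pscustomobject]@{
        Path            = $Path
        ExpectedToken   = $expectedToken
        ManifestToken   = $manifestToken
        TokenMatches    = ($expectedToken -eq $manifestToken)
        SignatureValid  = ($sigValid -and $wasVerified)
        Sha256          = $hash
        MatchesBaseline = $matchesBaseline
        ReadError       = $readError
    }
}

# Constructed, empty baseline: fill it from a known-clean machine, e.g.
# $baseline['C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll'] = '<sha256>'
$baseline = @{}

$roots = 'GAC_MSIL', 'GAC_32', 'GAC_64' | ForEach-Object { Join-Path $env:WINDIR "assembly\$_" }
Get-ChildItem $roots -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-GacAssembly $_.FullName $baseline } |
    Where-Object { -not $_.SignatureValid -or -not $_.TokenMatches -or
                   $_.MatchesBaseline -eq $false -or $_.ReadError } |
    Format-Table Path, ExpectedToken, ManifestToken, SignatureValid, MatchesBaseline, ReadError -AutoSize
```

Two caveats a practitioner should keep in mind. First, a DLL that .NET-Sploit has modified and copied back into its original GAC directory still carries the original manifest, so TokenMatches stays true; it is the SignatureValid column (the hash of the file no longer matching the embedded RSA signature) and the baseline comparison that expose it, which is also what `sn -vf <path>` from the SDK reports. Second, as both Erez and Rob note, the verifier itself lives on the compromised machine: an attacker with administrator rights who can replace mscorlib.dll can equally patch mscoree.dll, so the only trustworthy run of this script is one that mounts the suspect disk from a clean boot environment, or compares the collected SHA-256 values against a baseline kept off the host.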






Brought to you by http://www.webappsec.org