0day in {REA_TEAM}

.NET Framework Rootkits

Posted by kienmanowar on November 14, 2008

This page covers a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core.

Abstract

This paper introduces a new method that enables an attacker to change the .NET
language.

The paper covers various ways to develop rootkits for the .NET framework, so that
every EXE/DLL that runs on a modified Framework will behave differently than what
it’s supposed to do. Code reviews will not detect backdoors installed inside the
Framework since the payload is not in the code itself, but rather it is inside the
Framework implementation. Writing Framework rootkits will enable the attacker to
install a reverse shell inside the framework, to steal valuable information, to fixate
encryption keys, disable security checks and to perform other nasty things as
described in this paper.

This paper also introduces “.Net-Sploit” – a new tool for building MSIL rootkits that
will enable the user to inject preloaded/custom payload to the Framework core DLL.

………

Download full paper here:

http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=ycIS1bewMBI%3d&tabid=161&mid=555

Regards
