Hacker Develops Tool To Hide Malware in .NET Framework

Outsmart Malicious Hackers


Once again something is wrong with part of the Microsoft suite of software and once again they are denying it’s anything to do with them.

This time a researcher has developed a rootkit style infection tool aimed at the .Net framework.

Most modern computers come with .Net of some description installed so this could be quite a widespread threat, especially if it gets into the hands of the bad guys and they use it for something like Conficker.

A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft’s .Net framework on Windows computers.

The tool, called .Net-Sploit 1.0, allows for modification of .Net, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications.

Microsoft makes a suite of developer tools for programmers to write applications compatible with the framework. It offers developers the advantage of writing programs in several different high-level languages that will all run on a PC.

.Net-Sploit allows a hacker to modify the .Net framework on targeted machines, inserting rootkit-style malicious software in a place untouched by security software and where few security people would think to look, said Erez Metula, the software security engineer for 2BSecure who wrote the tool.

It an interesting attack vector, attacking a different part of the OS that isn’t usually targeted. It offers better protection from AV software and from being found and it’s pretty much guaranteed all Windows computers will have .Net installed.

I’d guess some pretty interesting stuff can be gathered by tapping into .Net.

.Net-Sploit essentially lets an attacker replace a legitimate piece of code within .Net with a malicious one. Since some applications depend on parts of the .Net framework in order to run, it means the malware can affect the function of many applications.

For example, an application that has an authentication mechanism could be attacked if the tampered .Net framework were to intercept user names and passwords and send them to a remote server, Metula said.

.Net-Sploit automates some of the arduous coding tasks necessary to corrupt the framework, speeding up development of an attack. For example, it can help pull a relevant DLL (dynamic link library) from the framework and deploy the malicious DLL.

Metula said that an attacker would already have to have control of a machine before his tool could be used. The advantage of corrupting the .Net framework is that an attacker could clandestinely maintain control over the machine for a long time.

It could potentially be abused by rogue system administrators, who could abuse their access privileges to deploy so-called “backdoors” or malware than enables remote access, Metula said.

Of course the disadvantage is you already need to have control over the machine to execute this kind of attack, I guess it’s for when you’ve hacked the machine and you want to keep control or gather more data.

Metula has published a white paper on the technique as well as the latest version of .Net-Sploit.

Source: CIO (Thanks Navin)

Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking

, , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


2 Responses to Hacker Develops Tool To Hide Malware in .NET Framework

  1. Navin April 22, 2009 at 2:57 am #

    cheers!! :)

  2. Dave April 23, 2009 at 1:46 am #

    Give me a break. Someone replaces .NET framework files with something malicious, and suddenly it’s a problem with .NET? If someone compromises your computer, they can do near anything.

    Next we’ll hear about the big security hole in VBScript because someone made a tool that replaces CScript/WScript with their own version.