First .NET Vulnerability Appears
- By Stephen Swoyer
- January 10, 2002
Targeting by virus writers is a sad but reliable measure of the prominence of any new Microsoft product or technology. By that standard, the software giant's fledgling .NET Web services infrastructure has arrived.
Antivirus vendors this week issued alerts about the existence of a new virus, W32/Donut, which they say targets .NET. "This is the first virus to make use of Microsoft's .NET architecture," McAfee.com noted in its virus description.
Calling W32/Donut a .NET virus would be a stretch.
Partly because Microsoft's .NET name for its Web services initiative covers so many technologies and components and partly because the technology is unfamiliar to many, labeling something a .NET virus really says very little about what it does.
W32/Donut has three .NET connections.Part of the virus was written in Microsoft Intermediate Language (MSIL). MSIL boils down to an abstraction layer in .NET. It means developers can write in one of many Microsoft and non-Microsoft programming languages, and the .NET infrastructure will convert the code to MSIL. Most of the code in W32/Donut was written in Win32 Assembly.
Another .NET connection is that the virus chooses to infect only .NET executables. The virus infects all .NET executables in the current directory and up to 20 directories above it, according to McAfee.
Finally, the virus writers chose to stick their finger in Microsoft's eye with a direct .NET reference. When the virus runs, there is a 10 percent chance it will display the following message: "This cell has been infected by dotNET virus."
Antivirus companies assign W32/Donut a "low" risk rating. "Due to the uncommon system requirements and replicating environment, the virus is unlikely to become widespread," a bulletin on McAfee’s Web page explained.
Although Microsoft has been telling its .NET story for almost two years, the Web services framework currently enjoys only limited support among Microsoft's product portfolio. Windows 2000, for example, offers no native support for .NET, and Windows XP Professional shipped in October with only base-level support. The Web services architecture is expected to get a big shot in the arm when Microsoft delivers its Visual Studio .NET rapid application development (RAD) environment in February.
Chances are that .NET is installed on more than a few corporate PCs, however. That’s because throughout 2001, Microsoft worked to get beta copies of Visual Studio .NET into the hands of as many developers and IT managers as possible. Microsoft sent attendees of its June 2001 Tech-Ed conference home with beta copies of Visual Studio .NET, for example.
Microsoft contends the virus doesn't exploit any native .NET functionality and is actually based on an older virus, W32/Winux.
"How it works is by doing something that’s really a very old exploit and not really anything to do with .NET," says Microsoft .NET product manager Tony Goodhew. "If you go download a native x86 application and you execute that application on your local machine, it then goes and looks for .NET framework assembly."
"What it does is the x86 code infects the x86 stub that’s used to load the .NET application. To call it a .NET virus is misleading. What it really is a virus that chooses to infect .NET [executables]," Goodhew says.
Microsoft’s Goodhew on Thursday was at pains to reassure customers that .NET is still a secure, reliable Web services framework. "Could something like this strike a user with them not knowing about it? The answer with the .NET framework is no," he says. "I go to a Web page and download [a .NET executable] to my machine. When it executes locally, it executes under the context of the .NET security framework. So a user going to a .NET site and downloading [.NET] controls is totally protected from this kind of action."
They’d better be, cautions analyst Rob Enderle of the Giga Information Group. W32/Donut was indeed a proof-of-concept virus, even if it did exploit a well-trod vulnerability. But the virus’ real proof-of-concept, Enderle argues, is that hackers have declared open season on .NET.
"We’re going to find more people targeting .NET components, much like we’ve found people targeting almost anything else that Microsoft [has] built," Enderle says. "Fundamentally, [.NET] needs to have a higher level of protection than other [competitive solutions] that won’t be targeted as much."
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.