Back from Brussels, where I attended an ISSA/OWASP local chapter meeting tonight. As usual, it was very interesting! Thanks to the organizers! There were two presentations on the agenda.
- Spam (quite old)
- Phishing (via Forms Data Format)
- Information disclosure
- Incremental updates
- Security features bypass
The second presentation was given by Erez Metula, 2BSecure. He talked about .Net rootkits: with the help of several live demos, he showed the attendees how simple it is to change or add features in .Net DLLs (reverse-engineer the code, adapt it, recompile, deploy the new DLL).
During the presentation, the way Microsoft handles DLL signatures left me perplexed… Indeed, .Net doesn't check for a signature in the DLL itself; the signature is part of the directory, like:
“b03f5f7f11d50a3a” is the DLL signature. If you overwrite the DLL inside this directory with a compromised one, .Net will not complain and will just load it without extra checks! Here are examples of attacks that can be performed by changing functions:
- Web push to a remote server (credentials, sensitive data, etc.)
- Reverse shells
- Key stealing, fixed key generation, SecureString stealing
To perform this kind of attack, you need administrative privileges! So the classic attack path will be: compromise the server, get admin privileges, and then install the “bad” DLLs. A tool exists to build rootkits automatically: .net-Sploit. Conclusion: there is no bullet-proof method to avoid such rootkits. A good idea is to use Tripwire to detect changes made to system files but, assuming you run Tripwire once a day, it will only narrow the window of exposure and not fully protect you!
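As an added illustration (not code from the talk or from this post), here is the Tripwire-style check the conclusion refers to, reduced to a baseline-and-diff over the GAC directory tree: a replaced DLL keeps its path and its public key token in the directory name, so only an out-of-band hash comparison notices the swap. The GAC layout used here is an assumption, and the scenario files are constructed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumed GAC layout (not from the post):
#   <root>/GAC_MSIL/<Assembly>/<version>__<publickeytoken>/<Assembly>.dll
# The token in the directory name is all the loader looks at; the DLL's
# bytes are not re-verified, so a baseline of hashes is what catches a swap.

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large assemblies do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Map every .dll under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*.dll")) if p.is_file()}

def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report assemblies modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo(root: Path | None = None) -> dict[str, list[str]]:
    """Constructed scenario: a recompiled System.Web.dll dropped over the original."""
    if root is None:  # stand-alone run: use a scratch directory, never the real GAC
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    asm_dir = root / "GAC_MSIL" / "System.Web" / "2.0.0.0__b03f5f7f11d50a3a"
    asm_dir.mkdir(parents=True, exist_ok=True)
    dll = asm_dir / "System.Web.dll"
    dll.write_bytes(b"MZ original assembly bytes (constructed)")
    baseline = build_baseline(root)  # the Tripwire-style snapshot taken while clean
    dll.write_bytes(b"MZ recompiled assembly bytes (constructed)")  # same path, same token
    return diff_baseline(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())  # -> {'modified': ['GAC_MSIL/System.Web/2.0.0.0__b03f5f7f11d50a3a/System.Web.dll'], 'added': [], 'removed': []}
```

Run against a real root by calling `build_baseline(Path(r"C:\Windows\assembly"))` once, storing the result somewhere the attacker cannot reach, and diffing a fresh scan against it; a daily run still leaves up to a day between the swap and the alert, which is the gap the conclusion points out.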
Once again, a very nice evening, I learned a lot!