Though this is an uncommon attack, it highlights a backdoor in managed runtimes (virtual machines) such as .NET and the JVM.
A rootkit is a system which consists of programs designed to hide or obscure the fact that a system has been compromised. – Wikipedia
.NET-Sploit is a tool used to build an MSIL rootkit that lets the user inject malicious behaviour into the framework DLLs (see the following picture). The only challenge for the attacker is to compromise the target system with administrator rights.
What does it actually mean?
After compromising a target system, an attacker can modify the .NET framework DLLs, which are normally located in the GAC, by disassembling and reassembling them with the regular .NET tools. This approach does not need to touch the .NET applications themselves: every application that loads the tampered framework DLLs will behave as the attacker intends. For example, using the rootkit you can make
System.Console.WriteLine(string v)
always print a “Hacked” message irrespective of the string value passed in. Worse, if an attacker tampers with “Authenticate()” in System.Web.dll, he can capture the username and password and, of course, send the details to someone else using SendToUrl().
What can you do with framework rootkit?
How is it possible?
Manually you can attack the framework by the following steps:
A surprising fact is that the GAC performs no additional strong-name verification when a modified framework DLL is copied directly into its actual folder path. For example, you can modify mscorlib.dll version 2.0 and place it in c:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089.
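Because the GAC folder itself does not re-check signatures, the defender has to. The following PowerShell script is an added example (not from the original post and not part of .NET-Sploit) that does two things over the framework assemblies under the GAC: it flags any DLL whose Authenticode signature is no longer valid (a DLL reassembled with ilasm is not re-signed, so a patched mscorlib.dll fails this check) and it compares SHA-256 hashes against a trusted baseline taken from a known-good machine. The GAC roots are the standard .NET Framework 2.0 layout; the baseline file location is an assumption of the example.

```powershell
# Added example: integrity check of .NET framework assemblies in the GAC.
# Assumes the classic GAC_32 / GAC_MSIL / GAC_64 layout; $BaselinePath is an
# assumed location for the trusted baseline, not something the post defines.
param(
    [string[]]$GacRoots = @("$env:windir\assembly\GAC_32",
                            "$env:windir\assembly\GAC_MSIL",
                            "$env:windir\assembly\GAC_64"),
    [string]$BaselinePath = "C:\secure\gac-baseline.json",
    [switch]$WriteBaseline
)

# Collect every DLL under the GAC roots with its hash and Authenticode status.
function Get-GacAssemblyState {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter *.dll -Recurse -File | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status.ToString()
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Modified  = $_.LastWriteTimeUtc
            }
        }
    }
}

$current = @(Get-GacAssemblyState -Roots $GacRoots)

if ($WriteBaseline) {
    # Run this once on a known-good machine and keep the file somewhere the
    # attacker cannot reach (it is only as trustworthy as that machine).
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written: $($current.Count) assemblies"
    return
}

# Check 1: a framework assembly whose signature is not Valid is suspect.
# Reassembling with ilasm strips the Authenticode signature, so a tampered
# mscorlib.dll shows up here even though the GAC accepted the file.
$unsigned = $current | Where-Object { $_.SigStatus -ne 'Valid' }

# Check 2: hash drift and unexpected new files relative to the baseline.
$drift = @()
if (Test-Path $BaselinePath) {
    $baseline = @{}
    foreach ($b in @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$b.Path] = $b.Sha256
    }
    foreach ($c in $current) {
        if (-not $baseline.ContainsKey($c.Path)) {
            $drift += [pscustomobject]@{ Path = $c.Path; Reason = 'not in baseline' }
        } elseif ($baseline[$c.Path] -ne $c.Sha256) {
            $drift += [pscustomobject]@{ Path = $c.Path; Reason = 'hash changed'; Modified = $c.Modified }
        }
    }
} else {
    Write-Warning "No baseline at $BaselinePath; only the signature check ran."
}

"Assemblies without a valid Authenticode signature:"
$unsigned | Format-Table Path, SigStatus, Signer -AutoSize
"Assemblies that differ from the baseline:"
$drift | Format-Table Path, Reason, Modified -AutoSize
```

Run it once with -WriteBaseline on a clean machine, then periodically without the switch; a Microsoft framework DLL appearing in the first table, or a hash change on mscorlib.dll or System.Web.dll in the second, is exactly the tampering the post describes. Third-party assemblies installed into the GAC may legitimately be unsigned, so filter the first table by Signer before raising an alert.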
What is .NET-Sploit?
A generic framework modification tool for injecting code. It can be downloaded at http://www.applicationsecurity.co.il/english/NETFrameworkRootkits/tabid/161/Default.aspx.