The difference here is that the .NET framework itself runs in user mode.

Whilst you can patch the .NET framework to change the way it works (for .NET 
assemblies), the Framework itself runs in usermode (relying on Win32 etc), and 
it doesn't change the way the Windows kernel works. So, you can simply use a 
kernel mode system (sfc perhaps? or a detection/validation tool) to determine 
whether you have a legitimate version of the .NET framework installed.

To get around this, the attacker needs to patch the kernel first. But if they 
can do that, then they already own your system. This extra stuff is irrelevant.

Cheers
Ken

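An added example, not part of Ken's message or of any tool the thread mentions: this PowerShell check implements the user-mode validation he describes by walking the .NET Framework directories (paths under %windir% are assumed) and reporting assemblies whose Authenticode or catalog signature is missing, invalid, or not issued to Microsoft.

```powershell
# Added example (not from the thread). Enumerates .NET Framework assemblies and
# reports any whose signature is missing, invalid, or not issued to Microsoft.
# Assumes the 32-bit and 64-bit Framework directories live under $env:windir.
# Caveat from the thread: code already running in the kernel can subvert any
# check made from the running system, so run this from a trusted vantage point
# (e.g. offline media) and treat hits as leads to confirm, not as proof.

function Test-DotNetFrameworkSignatures {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @(
            (Join-Path $env:windir 'Microsoft.NET\Framework'),
            (Join-Path $env:windir 'Microsoft.NET\Framework64')
        ),
        # Subject substring to expect; chain validity is checked by the cmdlet.
        [string]$ExpectedSubject = 'O=Microsoft Corporation'
    )

    $files = Get-ChildItem -Path $Roots -Recurse -Include *.dll, *.exe -File `
        -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isMicrosoft = $subject -match [regex]::Escape($ExpectedSubject)

        # Report anything that is not a valid signature from the expected signer.
        if ($sig.Status -ne 'Valid' -or -not $isMicrosoft) {
            [pscustomobject]@{
                Path   = $f.FullName
                Status = $sig.Status        # Valid / NotSigned / HashMismatch / ...
                Signer = $subject
                Type   = $sig.SignatureType # Authenticode (embedded) or Catalog
            }
        }
    }
}

# Usage: list suspect files so they can be cross-checked and, if needed, restored.
Test-DotNetFrameworkSignatures | Format-Table -AutoSize
```

Each reported path can be cross-checked with `sfc /verifyfile=<path>`, the kernel-backed check Ken refers to.
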
________________________________________
From: Ziots, Edward [EMAIL PROTECTED]
Sent: Wednesday, 19 November 2008 8:03 PM
To: NT System Admin Issues
Subject: RE: New .NET Rootkits are you safe?

I agree, it's just an interesting new vector to an old problem. And you
are right, code execution is the "Key" here.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: [EMAIL PROTECTED]
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +
-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 4:13 PM
To: NT System Admin Issues
Subject: Re: New .NET Rootkits are you safe?

On Tue, Nov 18, 2008 at 10:15 AM, Ziots, Edward <[EMAIL PROTECTED]>
wrote:
> Honestly, those libraries should be signed and if the signature isn't
> from Microsoft ... it should be removed from the system and
> reinstalled ...

  If Microsoft built that in to the .NET Framework code, that just
means the bad guys would have to patch that binary before running
their code.  If they're running with system privileges, they can do
anything they want.  That's what a rootkit is all about.  There's
nothing Microsoft or anyone else can do about this.  That's what makes
the malware problem so intractable.

  "If somebody else can run their code [with system privileges] on
your computer, it isn't your computer anymore."

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

