
being solved far in the past. Interpreted programming languages are the solution.
Zs. Zs. Kurdi: Viruses using .NET Framework
In this case, the source code is the program, which is executed by another program
(the interpreter). This code can be executed on any operating system that has the
required interpreter.
But interpreted programs have disadvantages: execution is too slow and the
syntax of the source code cannot be checked fully. Sun Microsystems
Inc. has given a solution for this. The programmers of Sun created the Java
programming language, which integrates interpretation and compilation during
software development and execution. After the Java source code has been written,
it has to be compiled (the result is a sequence of Java Byte Code), so the syntax
and semantics of the source code can be checked, and the code can be made more
efficient. The Java Byte Code constitutes the instruction set of the Java Virtual
Machine (JVM), so the result of compilation can be interpreted by a JVM.
Because Sun has published JVMs for the most common operating systems, a
program that has been written and compiled once can be executed on every
computer that runs a JVM.
Programmers of Microsoft solved the problem differently. They created the
Microsoft .NET Framework. This solution is very similar to Java, the JVM and Java
Byte Code, but it is much more. It exploits the hidden power of the JVM and
eliminates its weaknesses. The .NET Framework is a development and execution
environment for several programming languages (C#, C++, Visual Basic etc.), so
software components written in different programming languages can be assembled
by the .NET Framework. Moreover, the compiled source is not interpreted; it
is compiled to native code before execution using the Just-In-Time (JIT)
compiling strategy. The first compilation produces code written in Microsoft
Intermediate Language (MSIL).
The .NET Framework, like the Java environment, constitutes a new layer over
the operating system, which hides the dissimilarities of various operating systems
(this architecture is shown in Figure 1).
Figure 1: Layered Architecture
SISY 2006: 4th Serbian-Hungarian Joint Symposium on Intelligent Systems
4 .NET Viruses
Executable files written for the .NET Framework can be infected by viruses like other
executables. In this case there are two ways of infection: malicious code can
be added to the file that contains the MSIL code sequence, or to the native code
after the JIT compilation (see Figure 2).
Figure 2: Infection types
If the virus infects an MSIL file, the infection will be platform independent too.
The infected PE (portable executable) file can be executed, without any changes, on
other operating systems, so the infection can spread very fast. The
infection of native code, in contrast, is "localized" to operating systems that use
the same executable format.
Because a lot of web services use the .NET architecture, they create new infection
mechanisms unwittingly or almost unwittingly ([2]). In the opinion of anti-virus
professionals, the security model of the .NET Framework can stop several virus
attacks, but not all. There are other possible ways to take advantage of .NET
services. How malware and the .NET Framework will "collaborate" is still an
unanswered question.
There are several viruses using the .NET Framework in the info-space. The first
one was "Donut" (also known as "dotNET"), which was exposed in 2002. It is a
native executable that targets PE files written for the .NET Framework. It overwrites
the initial jump to the _CorExeMain() function (located in mscoree.dll) with a jump to
the end of the file, where the malicious code is located. (This process is similar to
the standard infection of native executables.) The virus also injects a short piece
of MSIL code into the PE file to display a message that makes the fact of infection
known to the user (source: virus description from Symantec).
The basic form of Donut is a native executable which is an e-mail virus (it uses the
address book in Microsoft Outlook to spread via e-mails sent without the user's
consent ([3])). If this file is executed on a local computer, it infects the
executables in the same folder and in up to 20 parent folders.
Although Donut is classified as a low-risk virus, it is a good example showing that
viral infection of .NET executables is indeed possible.
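A defender-side integrity check for the entry-point modification described above, as an added example (not code from the paper or from any anti-virus product). It assumes a 32-bit (PE32) .NET image whose entry point is the usual indirect jump through an import address table (IAT) slot, and it only confirms that the slot lies inside the IAT rather than resolving it by name to _CorExeMain; check_entry_stub and build_sample are hypothetical names, and the sample image is constructed.

```python
import struct

def u(fmt, buf, off):
    return struct.unpack_from("<" + fmt, buf, off)   # little-endian field read

def check_entry_stub(pe: bytes) -> str:
    """Classify the native entry stub of a 32-bit (PE32) .NET executable."""
    try:
        if pe[:2] != b"MZ":
            return "not-pe"
        nt = u("I", pe, 0x3C)[0]                         # e_lfanew
        opt = nt + 24                                    # optional header
        if pe[nt:nt + 4] != b"PE\0\0" or u("H", pe, opt)[0] != 0x10B:
            return "not-pe32"
        nsec, opt_size = u("H", pe, nt + 6)[0], u("H", pe, nt + 20)[0]
        entry_rva, image_base = u("I", pe, opt + 16)[0], u("I", pe, opt + 28)[0]
        iat_rva, iat_size = u("II", pe, opt + 96 + 8 * 12)   # directory 12: IAT
        if u("I", pe, opt + 96 + 8 * 14)[0] == 0:            # directory 14: CLR header
            return "not-dotnet"
        for i in range(nsec):                  # map the entry RVA to a file offset
            _, vsize, va, rsize, rptr = u("8sIIII", pe, opt + opt_size + 40 * i)
            if va <= entry_rva < va + max(vsize, rsize):
                stub = pe[rptr + entry_rva - va:][:6]
                break
        else:
            return "suspicious: entry point outside every section"
        if len(stub) < 6 or stub[:2] != b"\xff\x25":   # want: jmp dword ptr [imm32]
            return "suspicious: entry is not an indirect jump through the IAT"
        slot_rva = u("I", stub, 2)[0] - image_base
        if not iat_rva <= slot_rva < iat_rva + iat_size:
            return "suspicious: jump slot lies outside the IAT"
        return "ok"
    except struct.error:
        return "truncated"

def build_sample(stub: bytes) -> bytes:
    """Constructed one-section PE32 image for the demo; not a real program."""
    pe, nt, opt = bytearray(0x400), 0x40, 0x40 + 24
    pe[:2], pe[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, nt)
    struct.pack_into("<HH12xH", pe, nt + 4, 0x14C, 1, 224)   # i386, 1 section, opt size
    struct.pack_into("<H", pe, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", pe, opt + 16, 0x2010)             # AddressOfEntryPoint
    struct.pack_into("<I", pe, opt + 28, 0x400000)           # ImageBase
    struct.pack_into("<II", pe, opt + 96 + 8 * 12, 0x2000, 8)    # IAT directory
    struct.pack_into("<II", pe, opt + 96 + 8 * 14, 0x2008, 72)   # CLR directory
    struct.pack_into("<8sIIII", pe, opt + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    pe[0x210:0x210 + len(stub)] = stub                       # entry RVA 0x2010
    return bytes(pe)
```

Calling check_entry_stub(build_sample(b"\xff\x25\x00\x20\x40\x00")) returns "ok", while a stub that starts with a direct jump opcode is reported as suspicious.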
Conclusions
The efforts that make program development easier, faster and more comfortable also
bring with them a simple way to develop viruses and other malware. So developers of
programming frameworks (e.g. .NET) and creators of programming languages
interpreted by virtual machines (e.g. Java) have to attend to the security holes and
security features of these development tools at all times.
The popularity of the Internet and the new computing model (based on the .NET
Framework) used for web applications create fresh vulnerabilities that can be
exploited by virus (and malware) writers day by day. Donut is an example showing
that a good security concept (such as the security of the .NET Framework) can reduce
these vulnerabilities, but they can never be completely removed.
References
[1] B. Krebs: A Short History of Computer Viruses and Attacks, The
Washington Post, 14th February 2003
[2] J. Layden: .NET may Lead to Fewer Viruses, The Register, 28th September
2001
[3] J. Layden: C# Virus Pitched against .NET, The Register, 4th March 2002
[4] Microsoft Knowledge Base: Information About the .NET W32.Donut
Virus, Q316287, 8th July 2005