Antivirus researchers revealed on Wednesday that they have in their possession a virus apparently aimed at Microsoft's .NET platform, the high-profile software-as-a-service initiative on which the Redmond, Wash., company is betting its collective future. Microsoft responded on Thursday by saying that the virus's aim is off.
The virus, sent by an author named “Benny” in an e-mail to several antivirus companies on January 9, was originally named “dotNet,” but has since been labeled by antivirus experts as W32.Donut or w32/Donut.
The new virus is written in Win32 assembly and some Microsoft Intermediate Language (MSIL), according to McAfee.com. It targets executable files created for the .NET Framework, in its own directory and twenty directories above it.
When infected files are run, there is a ten percent chance that a dialogue box will appear with the phrase: “This cell has been infected by the dotNet virus.” Other than that, however, there is no damage to the host computer.
The virus is considered a low-level threat, since .NET is not widely available, and because the virus can only be installed on a computer by directly copying it there after receipt through a floppy disk or e-mail. The Donut virus does not automatically replicate itself in e-mail like many current security threats.
According to Motoaki Yamamura, senior development manager at Symantec's security response division, virus authors often send their creations in to antivirus companies for the notoriety. “They want to write the first virus for a new platform or a new application. . . . To show the world that it can be done.” Benny is believed to be part of a larger Spanish-speaking virus writing group called “29A,” Yamamura added.
However, Benny's place in the record books may be in dispute.
“Because of how it affects the file, we have reason to believe that it may not even work with the final release that they [Microsoft] come out with,” said Yamamura.
Microsoft also disputed w32.Donut's penetration of .NET, which the company has touted as secure. Tony Goodhew, product manager for the .NET Framework, noted that the necessity to deliberately install the virus, which in turn attacks .NET code, hardly makes it a threat to the normal operation of .NET.
“They run it on their machine, and then it goes and just happens to target .NET Framework files for infection. It's not actually a .NET virus,” said Goodhew.
Calling the virus “an old trick” which normal antivirus software will detect, and one that exploits native code problems going back to DOS 1, Goodhew said, “a real .NET virus would be one that is written totally in managed code, and propagates by exploiting a security flaw in the .NET Framework.”
The Donut virus “runs native code, and then it modifies the MSIL assembly. And then it tells .NET to actually go and execute it. Once .NET gets this, and looks at it, .NET will go and check and say OK, is it type-safe, is it secure?” said Goodhew. “And if any of this fails, it will throw a security exception and not run the code.”
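The distinction Goodhew draws, native code bolted onto a managed assembly versus a pure MSIL image, is visible in the file headers. The following is an added triage example, not code from the article, Microsoft or any antivirus vendor: it parses a PE image, finds the CLR (COR20) header through data directory slot 14, and flags images whose flags word lacks ILONLY, sets NATIVE_ENTRYPOINT, or whose entry point or metadata lies outside every section. The sample images are constructed in memory as fixtures; the flag and header layouts are the documented CorHdr.h / ECMA-335 ones, and the verdict rules are this example's own heuristic.

```python
"""Header-level triage for .NET executables: locate the CLR (COR20) header in a
PE image and report signs that native code has been attached to what should be
a pure managed assembly.  Sample images are constructed fixtures, not real
assemblies, and the verdict rules are this example's own heuristic."""
import struct

# IMAGE_COR20_HEADER flag bits (CorHdr.h / ECMA-335 II.25.3.3.1)
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x10
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header


def _sections(data, pe_off, nsections, opt_size):
    """Yield (virtual_size, virtual_address, raw_size, raw_pointer) per section."""
    off = pe_off + 4 + 20 + opt_size         # PE sig + COFF header + optional header
    for _ in range(nsections):
        yield struct.unpack_from("<8xIIII", data, off)
        off += 40


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset, or None if no section covers it."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def classify_clr_image(data):
    """Parse PE and CLR headers; return {'clr': False} for a plain native PE,
    otherwise runtime version, flags, findings and a clean/suspicious verdict."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    clr_rva, clr_size = struct.unpack_from(
        "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = list(_sections(data, pe_off, nsections, opt_size))
    if clr_rva == 0 or clr_size == 0:
        return {"clr": False}

    clr_off = rva_to_offset(clr_rva, sections)
    if clr_off is None:
        return {"clr": True, "findings": ["CLR header RVA maps to no section"],
                "verdict": "suspicious"}
    _cb, major, minor, md_rva, _md_size, flags, _ep = struct.unpack_from(
        "<IHHIIII", data, clr_off)
    findings = []
    if not flags & COMIMAGE_FLAGS_ILONLY:
        findings.append("ILONLY clear: image declares it contains native code")
    if flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT:
        findings.append("NATIVE_ENTRYPOINT set: entry point is unmanaged code, not a method token")
    if rva_to_offset(md_rva, sections) is None:
        findings.append("metadata directory points outside every section")
    if rva_to_offset(entry_rva, sections) is None:
        findings.append("AddressOfEntryPoint lies outside every section")
    return {"clr": True, "runtime": f"{major}.{minor}", "flags": flags,
            "findings": findings, "verdict": "suspicious" if findings else "clean"}


def build_sample_pe(clr_flags, entry_rva=0x2000):
    """Constructed fixture: minimal PE32 with one .text section holding a CLR
    header and a metadata stub.  Not loadable; just enough headers for the check."""
    text_va, text_raw, text_size = 0x2000, 0x200, 0x200
    clr_rva = text_va + 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)      # e_lfanew = 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, 72)                              # CLR header directory
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size,
                       text_raw, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + sect
    headers += b"\0" * (text_raw - len(headers))
    body = bytearray(text_size)
    struct.pack_into("<IHHIIII", body, 0x40, 72, 2, 5,         # COR20: cb, ver 2.5,
                     clr_rva + 72, 0x20, clr_flags, 0x06000001)  # metadata, flags, token
    return headers + bytes(body)


if __name__ == "__main__":
    for label, image in [("pure IL", build_sample_pe(COMIMAGE_FLAGS_ILONLY)),
                         ("native entry", build_sample_pe(COMIMAGE_FLAGS_NATIVE_ENTRYPOINT))]:
        print(label, classify_clr_image(image))
```

A "suspicious" verdict here only means the headers are not those of a pure managed image; a legitimate mixed-mode or signed native assembly can trip the same checks, so treat it as a cue to look further, not as a detection on its own.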
“Web sites that are running their business off the .NET Framework will not be affected by this,” said Goodhew. .NET will not release native code executables for download, he said.
“I am not doing something that I think is safe and finding it not to be,” said Goodhew. “I'm doing something which is unsafe and known to be unsafe by downloading this executable.”
Nevertheless, the delivery of the Donut virus to the antivirus companies shows Microsoft's marquee project is a juicy target. Symantec warned on its Web site that the emergence of w32.Donut shows “that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.”
“Having people come in and keep trying to crack us is just one of the prices to pay for being the market leader,” replied Goodhew.
As to how the virus writers get to practice their craft, Yamamura noted that they often rely on underground copies of software, or beta versions that they subscribe to receive directly from Microsoft.