rootkits in your .net framework

Over a year ago, a paper from Erez Metula on .NET rootkits flew out across Full-Disclosure. I promptly lost my notes on it, but after finding it and reading up on it, I have to say this is pretty exciting stuff (check the whitepaper; skim the pdf if you want, but it is less detailed). Two takeaways I got from a quick skim:

1. You can replace the framework's own .dll files, which the runtime trusts, just by writing a modified copy into the proper folder under the Global Assembly Cache (bypassing the normal gacutil install process; the CLR does not re-verify an assembly's strong-name signature once it already sits in the GAC). Sure, this requires admin rights, but what then? This isn't a penetration or privilege escalation technique so much as a persistence technique: once the framework itself is backdoored, every .NET application on the box runs the attacker's code.

2. You can do lots of cool shit inside that .dll file, whether you're subverting the framework itself (the core classes every .NET program calls) or some app that uses ASP.NET on top of the framework.

This brings up a few ideas on how to protect systems that run such code.

a. File integrity monitoring on the framework files and on the assemblies inside the Global Assembly Cache (GAC), including the NGEN native image cache, since the runtime loads a native image in preference to the IL assembly when one exists.

b. Egress monitoring on network perimeters (not necessarily external!) to detect if something is being shipped out (such as with the SendToURL or ReverseShell payloads). Taken to the extreme, this can also be done on the server itself with host-based outbound rules, so it only talks to the systems it should be talking to, rather than relying on network-layer blocking alone.

c. Do you know what code your developers are writing and executing on your servers? Code reviews and lifecycle integrity… I don't know enough to speak to what privilege level .NET code executes under, but I would be willing to bet an interested developer can do whatever he wants on a server that executes his code. This holds true for anyone who has access to the server to install something, run code, or get administrative rights.

d. Um, don't run as an administrator. This applies more to users: they may visit a web page and allow code to run, which then rootkits their framework. Then again, this isn't the only reason to stop running as admin while browsing the web.

e. If you can spare the energy, tracking files and folders that keep growing or newly appear on the server may help as well. If an attacker is harvesting credentials on the server, they either need to ship them out or store-and-retrieve them. This point helps detect the "store" part.
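As a concrete version of idea (a), here is a small baseline-and-diff integrity checker for framework assemblies. It is an added example written for this post, not the post's own code and not part of Metula's paper or tool; the default roots are assumptions about a typical Windows install, and the demo builds a fake GAC tree in a temp directory (constructed data, not real assemblies) so it runs anywhere. Its "added" list also gives you a crude version of idea (e), since dropped files that were never in the baseline show up there.

```python
"""Baseline-and-diff integrity check for .NET framework assemblies.

Added example; not the post's own code, not Metula's tool. Default roots
are assumptions about a typical Windows install (pass your own list):
  %WINDIR%\\assembly\\GAC_MSIL, GAC_32, GAC_64 - the Global Assembly Cache
  %WINDIR%\\assembly\\NativeImages_v*          - NGEN images; the CLR prefers
                                               these to the IL assembly
  %WINDIR%\\Microsoft.NET\\Framework*\\v*      - framework install dirs
"""
import hashlib
import json
import os

_WINDIR = os.environ.get("WINDIR", r"C:\Windows")
DEFAULT_ROOTS = [os.path.join(_WINDIR, "assembly"),
                 os.path.join(_WINDIR, "Microsoft.NET")]
ASSEMBLY_EXTS = {".dll", ".exe"}


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so big native images don't sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(roots, exts=ASSEMBLY_EXTS):
    """Map path -> {sha256, size, mtime} for every assembly under roots.

    Compare on hash, not size or version: a backdoored assembly can be
    padded to the original size and keeps the original version resource.
    """
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                baseline[path] = {"sha256": hash_file(path),
                                  "size": st.st_size, "mtime": st.st_mtime}
    return baseline


def diff_baselines(old, new):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} of paths."""
    common = old.keys() & new.keys()
    return {
        "modified": sorted(p for p in common
                           if old[p]["sha256"] != new[p]["sha256"]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def save_baseline(baseline, path):
    # Keep the baseline off the box (e.g. on the monitoring host): a copy
    # on the server is just one more file the rootkit's installer can edit.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo_tamper():
    """Constructed demo: fake GAC in a temp dir, baseline, tamper, re-scan.

    Returns basenames per change class so the result is path-independent.
    """
    import shutil
    import tempfile

    tmp = tempfile.mkdtemp()
    try:
        gac = os.path.join(tmp, "GAC_MSIL", "System.Web",
                           "v4.0_4.0.0.0__b03f5f7f11d50a3a")  # example layout
        os.makedirs(gac)
        dll = os.path.join(gac, "System.Web.dll")
        with open(dll, "wb") as f:
            f.write(b"MZ fake assembly bytes")  # constructed, not a real PE
        with open(os.path.join(gac, "__AssemblyInfo__.ini"), "wb") as f:
            f.write(b"not an assembly, skipped by the scan")
        before = build_baseline([tmp])

        # Same length, different content: a size check alone never flags it.
        with open(dll, "r+b") as f:
            f.write(b"MZ FAKE assembly bytes")
        extra = os.path.join(tmp, "GAC_32", "System.Data")  # never baselined
        os.makedirs(extra)
        with open(os.path.join(extra, "System.Data.dll"), "wb") as f:
            f.write(b"MZ another fake")
        after = build_baseline([tmp])

        changes = diff_baselines(before, after)
        return {k: [os.path.basename(p) for p in v] for k, v in changes.items()}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo_tamper(), indent=1))
```

Two caveats when running this for real: Windows Update legitimately rewrites framework assemblies and regenerates NGEN images, so re-baseline right after patching and treat anything that changes between patch windows as suspect; and a hash diff only tells you a file changed, not who signed the new one, so follow up a hit with Get-AuthenticodeSignature on the flagged file from PowerShell before deciding it is benign.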