
Re: [DotGNU]Virus writers take an early crack at .Net


From: Rhys Weatherley
Subject: Re: [DotGNU]Virus writers take an early crack at .Net
Date: Thu, 10 Jan 2002 18:25:36 +1000

"Gopal.V" wrote:

> Rhys, you should consider you are lucky that the stuff
> happened to be a Win32 Executable.

PE/COFF files *are* Win32 executables.  They're the same
thing.  IL bytecode is just a special section that is embedded
into the middle of an otherwise normal native Win32 exe.

This is one of the biggest weaknesses of Microsoft's approach.
Because an IL program must go through the regular Windows
execution engine *before* it gets to the CLR, there are plenty
of interesting things that a virus can do before the security
kicks in.  More recent versions of Windows are a bit better,
but backwards-compatibility features in IL binaries provide
excellent ways to attack pre-existing systems.

> I got that especially to
> run it on Pnet inside a sandbox (VMWare GNU inside GNU).
> Since that failed, does Pnet verify code for unmanaged section
> of IL code?

If pnet comes across something that isn't 100% IL, it will
ignore it.  There's not much that I can do with the native
code anyway.  However, that doesn't give perfect security.
The IL program could still access files, the network, etc.
Other security features come into play for managing that.

I'll need to get my hands on a copy of the virus to figure
out how it works and exactly why pnet avoids contamination.
Feel free to e-mail my GNU/Linux box something that can't
affect it. :-)

Cheers,

Rhys.
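The point Rhys makes above, that a managed binary is an ordinary PE/COFF executable with the IL hung off one extra header, can be checked directly. The following is an added example, not code from the thread or from pnet: it parses the PE headers, reads slot 14 of the data directory (the CLR runtime header), and reports whether the file claims to be managed while still carrying a native entry point that the Windows loader runs first. The sample images are constructed headers-only PEs, not real binaries.

```python
import struct

CLR_RUNTIME_HEADER_SLOT = 14  # data directory entry holding the CLR (COM descriptor) header


def inspect_pe(data: bytes) -> dict:
    """Parse PE/COFF headers and report the native entry point and CLR header, if any."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (native code)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > CLR_RUNTIME_HEADER_SLOT:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * CLR_RUNTIME_HEADER_SLOT)
    return {
        "machine": machine,
        "entry_point_rva": entry_rva,            # non-zero even for IL-only images
        "has_clr_header": clr_rva != 0 and clr_size != 0,
        "clr_header_rva": clr_rva,
    }


def build_minimal_pe(clr_rva: int = 0, clr_size: int = 0, entry_rva: int = 0x1000) -> bytes:
    """Constructed sample: PE32 headers with no sections, just enough for inspect_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # i386, 0 sections, 224-byte PE32 optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)  # 96 fixed bytes + 16 data directories of 8 bytes each
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_RUNTIME_HEADER_SLOT, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

On a real managed assembly the entry point RVA points at a small native stub that transfers control into the runtime, which is exactly the code that runs before any CLR verification happens.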
