I found the paper .NET Framework Rootkits: Backdoors inside your Framework via the Security4All blog some time ago. It is an interesting article about modifying the basic .NET libraries so that they do other things than what they were intended to do (for example, logging any traffic going through sockets).
However, it seems to have created some confusion in people’s heads who didn’t understand the implications of it and concluded that “.NET + Rootkit == MS is insecure!”. As is correctly pointed out on the Paint.NET blog (and in the paper, not that anyone bothered to read it 🙁 ), this is not a method to “p0wn” the computer. What it is:
- A method to remain on the computer once administrative access has been gained
- A method to steal / inject data in .NET programs
- A less usual method, meaning that automatic detection support is limited (although forensic analysis of the machines would uncover it)
- A general idea to subvert the library level of runtimes which can be applied to any language which brings a set of libraries with it (Java, Perl, Python, PHP, …) on any system.
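Since the post notes that automatic detection is limited but forensic analysis uncovers the modification, the obvious defensive control is an integrity baseline of the runtime's library directory. The script below is an added example, not code from the original post or from the paper it discusses: it hashes every library file under a directory, stores the result as a baseline, and later reports files that were modified, removed, or added. The directory layout, file names (`v2.0/mscorlib.dll` and friends) and file contents in `demo()` are constructed stand-ins; the extension list in `LIB_EXTENSIONS` is an assumption chosen to cover the runtimes the post names.

```python
"""Baseline-and-compare integrity check for a runtime library directory.

Added example (not from the original post or the paper). Assumes a trusted
baseline was captured from a clean install or reference machine before the
system under review could have been tampered with.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Library file types to cover; an assumption spanning .NET, Java, Perl,
# Python and PHP library trees.
LIB_EXTENSIONS = {".dll", ".exe", ".jar", ".pm", ".py", ".php"}


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assemblies stay cheap."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each library file's path (relative to root) to its SHA-256."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and entry.suffix.lower() in LIB_EXTENSIONS:
            baseline[entry.relative_to(root).as_posix()] = file_sha256(entry)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed between a trusted baseline and the current state.

    A library that is present in both but hashes differently is the case a
    framework rootkit produces: same file name, different code.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Run the whole cycle on a constructed directory tree and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Framework"
        (root / "v2.0").mkdir(parents=True)
        # Constructed sample files standing in for framework assemblies.
        (root / "v2.0" / "mscorlib.dll").write_bytes(b"constructed: original mscorlib bytes")
        (root / "v2.0" / "System.dll").write_bytes(b"constructed: original System bytes")
        (root / "v2.0" / "readme.txt").write_bytes(b"not a library; ignored by the baseline")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate the three kinds of post-baseline change a reviewer wants flagged.
        (root / "v2.0" / "mscorlib.dll").write_bytes(b"constructed: mscorlib bytes with extra code")
        (root / "v2.0" / "Unexpected.dll").write_bytes(b"constructed: assembly not in the baseline")
        (root / "v2.0" / "System.dll").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats when using this for real: the baseline only proves that nothing changed since it was taken, so it has to come from a state you already trust; and because a subverted runtime can lie to tools running on top of it, run the check from outside the suspect runtime (a boot from clean media or an offline disk image), which is exactly the forensic setting the post refers to. On Windows, checking the publisher signatures on framework assemblies is a useful complement, but it is not shown here.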
In conclusion: it’s not as bad as the IE 0-day, which seems to affect IE 6 through 8 :-(, but it is something to keep in mind when looking at compromised systems…