
I've been trying to research malware techniques lately, as malware analysis intrigues me. I've got a pretty heavy background in .NET, and based on my more than seven years' experience in .NET, I feel that I could write a pretty complex piece of malware rather quickly if I was so inclined. Everything that I've seen suggests that malware written in .NET is for the "simple" or "unsophisticated" pieces of malware. Why is that?

Obviously, I understand the differences between .NET and C/C++ in regards to the low level stuff. I also understand that .NET is much more easily reversible than C/C++, but still, I would think the benefit outweighs the cost here. Isn't it much quicker to write malware using .NET than C/C++? Especially now that all Windows 7 PCs ship with the .NET framework already installed.

Other than the "low level stuff", is there a reason that malware authors avoid .NET and use C/C++ instead that I'm not aware of? Why does it appear that in the underground "hacker" forums, everybody despises .NET?

For example, if I wanted to make a program that regularly checked a Twitter account for new commands to execute, I could easily do this in about an hour in .NET and just a few lines of code. In C/C++, this would be a lot more work, no?

forest
Boeckm
    Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. – Lucas Kauffman Jul 01 '13 at 14:41
    Well, a lot of the security-conscious community does not develop on a Windows platform and C#/.NET is a poor fit for those users (yes there's Mono, but it's not the same). Secondly, a lot of malware needs to either be written at a very low level (specifically shell code, or brute-forcing hashes/keys using GPUs) like C or assembly. Other tasks can be written at a much higher level where dynamically-typed interpreter-friendly "scripting" languages (e.g., Ruby/Python) are generally preferred over more verbose "enterprise-friendly" languages like C# or Java. – dr jimbob Jul 01 '13 at 15:11
    For example, say you are testing for SQL injection and need to make repeated HTTP POST requests. Which is easier: Python with a two-liner `import requests`, `resp = requests.post('http://example.com', {'username': "Robert'); DROP TABLE Students; --", 'password':''})` or the Java/C# equivalent: http://stackoverflow.com/a/3325065/457571 / http://stackoverflow.com/a/4015346/457571 (I had this as an answer that got cut off when closed). – dr jimbob Jul 01 '13 at 15:14

1 Answer


There is plenty of malware out there that is written in .NET, but as a C# dev I can see why many malware authors avoid it:

  • Easy to disassemble and reverse engineer.
  • Easy for AV to detect use of certain classes and functions.
  • Requires .NET on the box (older XP boxes might not have it, or might only have .NET 2.0).
  • Harder to do anti-debug tricks in .NET than in native code.
  • Executables are often larger than native.
Polynomial
  • Those are all pretty good points. I guess I just figured that with all the free stuff that .NET comes with, it would be more cost effective to write malware in .NET than C/C++. I suppose I should try to find some examples of infamous malware written in .NET. – Boeckm Jul 01 '13 at 15:07
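Polynomial's first two points (easy to disassemble, easy for AV to flag) both follow from the fact that a managed executable announces itself in its PE header: data directory 14 (the CLR runtime header) is non-empty only for .NET images. The Python below, added here as an illustration and not code from the question or the answer, performs that triage check the way an analyst or scanner would; the minimal PE32 header it inspects is constructed inline so the script runs without a real binary.

```python
import struct
# Constructed sample: a minimal PE32 header with no sections or code, with the
# CLR runtime header data directory filled in the way a .NET assembly has it.
def build_sample_pe(managed):
    buf = bytearray(0x40 + 4 + 20 + 224)         # DOS header, "PE\0\0", COFF, PE32 optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<H", buf, coff, 0x14C)     # Machine = i386
    struct.pack_into("<H", buf, coff + 16, 224)  # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x10B)      # Magic = PE32
    struct.pack_into("<I", buf, opt + 92, 16)    # NumberOfRvaAndSizes
    if managed:
        # Directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header.
        struct.pack_into("<II", buf, opt + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)

def clr_header_directory(data):
    """Return (rva, size) of the CLR header entry, or None if not a PE / too few directories."""
    try:
        if data[:2] != b"MZ":
            return None
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        opt = pe_off + 4 + 20                    # skip signature and COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                       # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                     # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        if struct.unpack_from("<I", data, count_off)[0] < 15:
            return None
        return struct.unpack_from("<II", data, dirs_off + 14 * 8)
    except struct.error:                         # truncated header
        return None

def is_dotnet_assembly(data):
    """A non-empty CLR header directory marks the image as managed (.NET) code."""
    entry = clr_header_directory(data)
    return entry is not None and entry[0] != 0 and entry[1] != 0

if __name__ == "__main__":
    for label, managed in (("managed", True), ("native", False)):
        print(label, is_dotnet_assembly(build_sample_pe(managed)))
```

Run against a real file with `is_dotnet_assembly(open(path, "rb").read())`; a non-zero CLR directory is the same signal that makes a managed binary an immediate candidate for decompilation rather than native disassembly.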