Thanks for open sourcing .NET say Point of Sale villains

Trend Micro researcher Jay Yaneza says Point of Sales malware has begun using Microsoft .NET, following its release as open source last year. Yaneza found the new so-called GamaPoS malware being distributed to US organisations including credit unions, developers, and pet care businesses through the resurgent Andromeda botnet. …

  1. Anonymous Coward

    Is this story effectively saying: "Programming languages used to program bad stuff, so we shouldn't make/open source better programming languages because evil people will find it easier to make bad stuff."

    Also: "The malware combines two malicious features including PsExec"... PsExec is not a malicious feature, it's part of the SysInternals tools. Not saying it's not being abused, but it's not malicious:

    https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  2. Roo

    It's not clear whether Jay is asserting .NET is less secure and/or easier to use... I suspect Jay means the latter. Where were his wringing hands when boxes running VB plugged into the Interwebs?

    1. TheVogon

      "It's not clear whether Jay is asserting .NET is less secure and/or easier to use... "

      There have been relatively few .Net security issues compared to other commonly used runtimes like Java, PHP, etc. And no cases I am aware of where those .Net vulnerabilities have been actively exploited. So it must be option b)....

    2. thames

      @Roo - "It's not clear whether Jay is asserting .NET is less secure and/or easier to use"

      What Jay said was: "We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications."

      To restate it, there are two reasons why. First, making it open source somehow makes it easier to create malware. He doesn't really give an explanation for that. The other is that now it is open source, he expects more developers to use it to create POS applications.

      So the main line of reasoning may simply be that an open source Dotnet would be more widely used for these sorts of applications, which makes it a natural target. This market has been a stronghold for Java, which is what has made Java such a target. Now Dotnet may start to see some of the same malware developer love and attention.

      I'm not saying that I agree with his line of reasoning, but he may have a point on the second issue even if it was not clearly made.

  3. Anonymous Coward

    Well, now that Microsoft has released 'Visual Studio Code' that runs on OSX, I suppose we can blame them for all new Apple malware too.

    1. dogged

      It runs on linux too.

      Embrace, Extend, EmsomethingRegCommenterswillinevitablytrotout

  4. Anonymous Coward

    I remember once seeing a cartoon entitled "Why Microsoft doesn't participate in open source" (or something like that)

    It showed a bunch of geeks sitting around a computer terminal, pointing and laughing their heads off.

    I can't find it now - anyone know where it is?

  5. Destroy All Monsters

    Well, it happens

    Richard Stallman famously left his MIT user account open to world & dog because principles, causing rejects of society to misuse it.

    In other news, Linux is used to manage Concentration Camps in $BAD_COUNTRY etc.

  6. Richard Wharram

    How the fuck?

    How would an exploit on installation instructions be able to get into your POS network?

    It should be on a separate VLAN and firewalled to allow nothing in it doesn't expect or that it hasn't just requested. Who would open a PDF or Word document on the POS VLAN?

    Like, what the fuck?

    1. wolfetone

      Re: How the fuck?

      Bad workmen blame tools etc etc

    2. Mark 65

      Re: How the fuck?

      Yep, I'd expect it to be locked down, segregated, running signed code only etc but alas not everyone sees it that way, going for simplicity above all else.

  7. David Goadby

    out of control

    .NET is out of control - that is why U$oft open sourced it. How many of us have installed a new program only to be informed that a certain version of .NET is required? And they are all HUGE.

    I installed Nero a few years ago and after installing a very small executable, I remember the system informing me that I required .NET 3.5 to be installed. And that was over 300MB.

    Like Windoze, .NET has become bloated and bug ridden. And the compatibility between releases is appalling. By now, we should only need one version of .NET installed on our PCs but I seem to have FIVE! Grrrrr.

    1. Anonymous Coward

      Re: out of control

      What a fuckwit. So we should just stick with something released in 2002 and never improve upon it?

      1.1 was a replacement/augmentation for 1.0 (i.e. anything that needs 1.0 would run in 1.1)

      3.5 and 3.0 were augmentations for 2.0 (i.e. they just added extra features to 2.0)

      4.6 and the 4.5 branches were augmentations for 4.0.

      So the most number of .NET versions you actually have installed is 3, with varying levels of "service pack" (some of which were bugfixes, some of which are feature releases) if you want to look at it that way.

      3.5 was included in Windows 7.

      4.5 was included in Windows 8.

      It really isn't a problem for most people, you fucking moron, and it's far more manageable than the utter rat's nest of shite that is Java, and the ton of code that's in the wild and relies on 10-year-old unsupported versions of JRE that are as secure as going out leaving your front door wide open with your 50" telly on view through the front window in the middle of Toxteth...

      1. Richard Plinston

        Re: out of control

        > So the most number of .NET versions you actually have installed is 3,

        My website logs report that Windows machines have up to 4 versions installed and this does not include versions 4.0, 4.5 or 4.6. Presumably these are simply not reported by the browser.

        .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729

        > the utter rat's nest of shite that is Java

        Java VMs are backward compatible so only one version is required. The compiler can also create output for older versions of the VM so a later compiler can compile for old VMs.

        1. LeoP

          Re: out of control

          >> Java VMs are backward compatible so only one version is required.

          You owe me a keyboard.

          Just for the BMCs of a rackful of servers, I need 5 VMs with different Java versions. Would be delighted to hear that those problems have now gone.

    2. Test Man

      Re: out of control

      Maybe install a more recent OS that contains .NET runtimes built in instead of obsessing over XP for years.

      Or just install that version of .NET once.

      Idiot.

      1. Anonymous Coward

        Re: out of control

        That doesn't fix the problem since .NET4 doesn't include .NET3 which doesn't include ...

        So if you have 3 .NET applications installed, in all likelihood that means you've also got 3 versions of .NET.

        1. Anonymous Coward

          Re: out of control

          "That doesn't fix the problem since .NET4 doesn't include .NET3 which doesn't include ..."

          Yes it does.

  8. phil dude

    It must be Friday...

    The El Reg FUD machine is in full flow, before heading to the pub.

    Security by Obscurity is no Security at all. Arguing that Open source somehow reduces the non-existent security is a bogus argument and misses the point.

    Bad people are always looking to do Bad Things with the toys on our side of the fence (i.e. Society)

    That's because criminals do not produce anything, which is why they look to pollute our world with their ignorance, greed and probably a healthy dose of depraved psychosis.

    </rant>

    P.

  9. Tim 11

    Let's ban anything that makes crims' lives easier

    A lot of bank robbers seem to use cars as getaway vehicles - let's ban them

    All kinds of criminals use mobile phones - they should be made illegal as well

    Our oxygen-rich atmosphere makes it easy for criminals to breathe - destroy it!

    etc. etc.

  10. Teiwaz

    .Net is 'open source', but not Open Source by OSI definition, No?

    Not that anybody misusing .net for nefarious reasons would be particularly worried about provisions to prevent code being used outside a .net runtime.

    Sloppy article writing, or seeking to put across the idea that any Open source software platform enables criminal activity.

    Was this written with the same naive assumptions the Conservative government has about encryption?

  11. tony2heads

    Programming languages have primary targets

    C for operating systems

    FORTRAN for science

    Smalltalk for A.I

    Javascript or PHP for web

    .NET for malware

  12. Ken Hagan

    "...now that Microsoft made it available as an open-source platform have put it out to grass, more developers are expected to use it for their applications drop it like it's a turd that just talked back at you..."

    FTFY

  13. Sirius Lee

    Bullshit article

    The source for the whole of .NET has been available for years - just not on GitHub. If 'hackers' wanted to use the framework to perpetrate hacks, there has been no need to wait until now.
