Managed Code Rootkits: Hooking into Runtime Environments 1
Overview of the book "Managed Code Rootkits: Hooking into Runtime Environments 1" by Erez Metula, published by Syngress Publishing in 2010. The book is offered in 5 pages, in PDF format, in English. "Managed Code Rootkits: Hooking into Runtime Environments 1" is listed in the Uncategorized category.
Imagine being able to change the languages for the applications that a computer is running and taking control over it. That is exactly what managed code rootkits can do when they are placed within a computer. This new type of rootkit is hiding in a place that had previously been safe from this type of attack, the application level. Code reviews do not currently look for back doors in the virtual machine (VM) where this new rootkit would be injected. An invasion of this magnitude allows an attacker to steal information on the infected computer, provide false information, and disable security checks. Erez Metula shows the reader how these rootkits are developed and inserted and how this attack can change the managed code that a computer is running, whether that be Java, .NET, Android Dalvik or any other managed code. Management development scenarios, tools like ReFrameworker, and countermeasures are covered, making this book a one stop shop for this new attack vector.

Named a 2011 Best Hacking and Pen Testing Book by InfoSec Reviews
Introduces the reader briefly to managed code environments and rootkits in general
Completely details a new type of rootkit hiding in the application level and demonstrates how a hacker can change language runtime implementation
Focuses on managed code including Java, .NET, Android Dalvik and reviews malware development scenarios

Contents:

Managed Code Rootkits
Copyright
Table of Contents
Acknowledgements
About the Author

Part I: Overview
Chapter 1. Introduction
  The Problem of Rootkits and Other Types of Malware
  Why Do You Need This Book?
  Terminology Used in This Book
  Technology Background: An Overview
  Summary
Chapter 2. Managed Code Rootkits
  What Can Attackers Do with Managed Code Rootkits?
  Common Attack Vectors
  Why Are Managed Code Rootkits Attractive to Attackers?
  Summary
  Endnotes

Part II: Malware Development
Chapter 3. Tools of the Trade
  The Compiler
  The Decompiler
  The Assembler
  The Disassembler
  The Role of Debuggers
  The Native Compiler
  File Monitors
  Summary
Chapter 4. Runtime Modification
  Is It Possible to Change the Definition of a Programming Language?
  Walkthrough: Attacking the Runtime Class Libraries
  Summary
Chapter 5. Manipulating the Runtime
  Manipulating the Runtime According to Our Needs
  Reshaping the Code
  Code Generation
  Summary
Chapter 6. Extending the Language with a Malware API
  Why Should We Extend the Language?
  Extending the Runtime with a Malware API
  Summary
  Endnote
Chapter 7. Automated Framework Modification
  What is ReFrameworker?
  ReFrameworker Modules Concept
  Using the Tool
  Developing New Modules
  Setting Up the Tool
  Summary
Chapter 8. Advanced Topics
  "Object-Oriented-Aware" Malware
  Thread Injection
  State Manipulation
  Covering the Traces As Native Code
  Summary

Part III: Countermeasures
Chapter 9. Defending against MCRs
  What Can We Do about This Kind of Threat?
  Awareness: Malware Is Everybody's Problem
  The Prevention Approach
  The Detection Approach
  The Response Approach
  Summary
  Endnote

Part IV: Where Do We Go from Here?
Chapter 10. Other Uses of Runtime Modification
  Runtime Modification As an Alternative Problem-Solving Approach
  Runtime Hardening
  Summary

Index

Managed Code Rootkits is the first book to cover application-level rootkits and other types of malware inside the application VM, which runs a platform-independent programming environment for processes. The book, divided into four parts, points out high-level attacks, which are developed in intermediate language. The initial part of the book offers an overview of managed code rootkits. It explores environment models of managed code and the relationship of managed code to rootkits by studying how they use application VMs. It also discusses attackers of managed code rootkits and various attack scenarios. The second part of the book covers the development of managed code rootkits, starting with the tools used in producing managed code rootkits through their deployment. The next part focuses on countermeasures that can possibly be used against managed code rootkits, including technical solutions, prevention, detection, and response tactics. The book concludes by presenting techniques that are somewhat similar to managed code rootkits, which can be used in solving problems.

"Introduces the reader briefly to managed code environments and rootkits in general--Completely details a new type of rootkit hiding in the application level and demonstrates how a hacker can change language runtime implementation--Focuses on managed code including Java, .Net, Android Dalvik, and reviews malware development scenarios"-- Provided by publisher