Managed Code Rootkits - Hooking into Runtime Environments

Presented at DEF CON 17 (2009), Aug. 2, 2009, 10 a.m. (50 minutes)

This presentation introduces a new concept of application-level rootkit attacks on managed code environments: instead of attacking an application, the attacker changes the language runtime implementation itself and hides malicious code inside its core. It takes the ".NET Rootkits" concepts a step further, covering generic methods of malware development (rootkits, backdoors, logic manipulation, etc.) for both the .NET Framework and Java's JVM by changing the behavior of the runtime's own class libraries. It includes demos of information logging, reverse shells, backdoors, encryption key fixation, and other nasty things. The presentation also introduces the new version of ".NET-Sploit", a generic language modification tool used to implement the rootkit concepts. Information about .NET modification (the whitepaper, .NET-Sploit, and source code) can be found here: http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx
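Because the attack described above lives in the runtime's own core libraries rather than in any application, the defensive check a practitioner wants is an integrity baseline of the runtime binaries themselves (for example the .NET GAC directories or a JDK's lib directory), taken from known-good media and compared against the deployed machine. The following is an added example, not code from the talk, the whitepaper or .NET-Sploit; the directory layout, file names and file contents are constructed stand-ins, not real assemblies.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assemblies are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, suffixes=(".dll", ".exe", ".jar")) -> dict[str, str]:
    """Map relative path -> SHA-256 for every runtime binary under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            out[p.relative_to(root).as_posix()] = hash_file(p)
    return out


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report binaries that were modified, added or removed relative to the trusted baseline.

    A rootkit that replaces a core library shows up as 'modified'; a dropped helper
    assembly shows up as 'added'.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a fake runtime tree whose core library gets swapped out."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core_dir = root / "GAC_32" / "mscorlib"          # constructed path, mimics a GAC layout
        core_dir.mkdir(parents=True)
        core = core_dir / "mscorlib.dll"
        core.write_bytes(b"MZ original core library")    # stand-in bytes, not a real assembly
        (root / "System.dll").write_bytes(b"MZ original System")

        baseline = snapshot(root)                        # would come from known-good media

        # Simulated attack: core library replaced with a modified build, helper dropped.
        core.write_bytes(b"MZ patched core library")
        (root / "Helper.dll").write_bytes(b"MZ payload")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats matter for this attack class. The baseline must be taken from media the target machine never had write access to, and the comparison should run from a trusted environment rather than on top of the runtime being checked, since a runtime whose core has been modified can lie to code that runs on it. Any compiled or cached form of the runtime libraries on the machine (for example native-image caches) has to be covered by the same baseline, otherwise a clean source library with a tampered cached copy goes unnoticed.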

Presenters:

  • Erez Metula - Application Security Department manager, 2BSecure
    Erez is an application security researcher specializing in secure development practices, penetration testing, code reviews, and security training for developers. He has extensive hands-on experience performing security assessments and training for organizations worldwide. He works as the manager of the application security department at 2BSecure, Israel, and is a leading instructor for many information security training courses. He is a frequent speaker at security conferences and has previously presented at BlackHat, CanSecWest, OWASP and more. He holds a CISSP certification and is completing an MSc in computer science.
