Managed Code Rootkits


Erez Metula - One of the best experts on this subject based on the ideXlab platform.

  • Managed Code Rootkits
    Managed Code Rootkits, 2011
    Co-Authors: Erez Metula
    Abstract:

    Managed Code Rootkits are different from traditional malware because they operate at the virtual machine abstraction layer, and not at “concrete” layers such as the operating system or hardware layer. Because Managed Code Rootkits act as part of the runtime, they influence the applications that use it. And because they're usually used after the attacker has full control of the system, they're not considered a danger by themselves, but rather a way to make the danger easier to inflict. Attackers can do many things with Managed Code Rootkits, from providing false information to the application and its users, to executing operating-system-level commands on behalf of users or application service accounts. Regardless of how they're used, Managed Code Rootkits pose a great risk to machines using managed code runtimes. This chapter discusses what attackers can do with Managed Code Rootkits, common attack vectors, and why Managed Code Rootkits are attractive to attackers.

  • Defending against MCRs
    Managed Code Rootkits, 2011
    Co-Authors: Erez Metula
    Abstract:

    Managed Code Rootkits can affect everyone from system administrators, security auditors, and forensic investigators to security product vendors, runtime vendors, operating system vendors, developers, and end users. Fortunately, there are several approaches to dealing with Managed Code Rootkits. In the prevention approach, runtime binaries are transformed in such a way that the attacker must perform additional tasks to complete his attack against the target machine. In the detection approach, software- and hardware-based solutions are employed to detect the presence of Managed Code Rootkits on a system. And in the response approach, steps are taken to search for clues that a Managed Code Rootkit is present on a machine; evidence of the Managed Code Rootkit is then gathered and the machine is restored to its prior state. Details of the prevention, detection, and response approaches are highlighted in this chapter, resulting in a defense-in-depth solution to the threats posed by Managed Code Rootkits.

  • Automated Framework Modification
    Managed Code Rootkits, 2011
    Co-Authors: Erez Metula
    Abstract:

    ReFrameworker is a general-purpose tool for framework runtime modification. Besides manipulating the runtime, ReFrameworker can also be used to inject code, methods, and classes into the runtime and perform other tasks while generating modified binaries to replace the original binaries. Specifically, ReFrameworker allows researchers and attackers to quickly develop and deploy Managed Code Rootkits into a given framework, test the behavior of injected code, return the Managed Code Rootkits to their original state, and automate the process of generating modified binaries for a target machine's framework. ReFrameworker can also be used to perform other tasks that are not malware-related, such as changing the framework to fit a specific task, modifying the behavior of internal classes, fine-tuning optimizations to their original implementation, and extending different language features. This chapter discusses ReFrameworker in depth, including how to set up and use the tool, as well as how to develop new modules for it.

  • Extending the Language with a Malware API
    Managed Code Rootkits, 2011
    Co-Authors: Erez Metula
    Abstract:

    Many times, code is injected into existing runtime methods as a code block designed to perform a specific task throughout the execution flow. When writing Managed Code Rootkits, wrapping a code block as a method provides a higher-level, abstracted view of the code. It also can eliminate the use of custom code, which means attackers no longer need to reinvent the wheel for each attack. Additional advantages of writing Managed Code Rootkit code are that more generic code can be written through the use of method parameters and that calculations can be passed from these methods by popping the return value from the stack or returning it in a register. This chapter explains how to wrap injected code blocks as new methods that will extend the runtime and provide a malware API that encapsulates a specific behavior and interacts with those methods rather than dealing with the code block itself.

  • Chapter 3 – Tools of the Trade
    Managed Code Rootkits, 2011
    Co-Authors: Erez Metula
    Abstract:

    This chapter discusses the tools used to analyze and modify virtual machine (VM) runtimes when deploying Managed Code Rootkits (MCRs). It starts with compilers that generate an executable from high-level source code (such as Java, C#, VB.NET, etc.), and decompilers that generate source code from a compiled executable. Assemblers that generate an executable from intermediate language (IL) code, and disassemblers that reverse this operation by generating IL source code from a given executable, are also covered. These tools enable one to go from “human-readable” code to an executable, and vice versa. Further, the chapter discusses native image generators that take one closer to the CPU instruction set by compiling bytecode into machine-specific native code. Following that, the chapter deals briefly with debuggers and examines how file monitoring tools help one to analyze framework behavior. This chapter serves as an introduction to each tool so that one has a better understanding of its use and the role it plays.