Managed Code Rootkits - Hooking into Runtime Environments

DEF CON 17

Presented by: Marc Weber Tobias
Date: Sunday August 02, 2009
Time: 10:00 - 10:50
Location: Track 3
Track: Track 3

This presentation introduces a new concept of application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation, and to hide malicious code inside its core. Taking the ".NET Rootkits" concepts a step further, while covering generic methods of malware development (rootkits,backdoors,logic manipulation, etc.) for the .NET framework and Java's JVM, by changing its behavior. It includes demos of information logging, reverse shells, backdoors, encryption keys fixation, and other nasty things.

This presentation will introduce the new version of ".Net-Sploit" - a generic language modification tool, used to implement the rootkit concepts. Information about .NET modification - The Whitepaper, .NET-Sploit, and source code can be found here:

http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx

Erez Metula

<strong>Erez</strong> is an application security researcher, specializing in secure development practices, penetration testing, code reviews, and security training for developers. He has extensive hands-on experience performing security assessments and training for worldwide organizations. He works as the manager of the application security department at 2BSecure, Israel. Erez is also a leading instructor for many information security trainings. He is a constant speaker at security conferences, and had previously talked at BlackHat, CanSecWest, OWASP and more. He holds a CISSP certification and is toward graduation of Msc in computer science.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats