InfoSec Reviews – Managed Code Rootkits

Book Title: Managed Code Rootkits

Subtitle: Hooking into Runtime Environments

Author: Erez Metula

Publisher: Syngress

Date of Publishing: 25 November 2010

ISBN(13): 9781597495745

Price (UK&US): £26.34,   $33.41

URL of Publisher Site: Syngress

URL of Amazon UK web page: Managed Code Rootkits: Hooking into Runtime Environments

URL of Amazon US web page:

The book is just over 300 pages in length and is well structured, with 10 chapters divided into four logical parts.

The first two chapters describe how the contents of the book are organised and provide an overview and definition of Managed Code Rootkits (MCRs). In this section the author defines ‘Managed Code’ as coded applications whose aspects, such as memory allocation, security, exception handling, etc., are managed by the application-level runtime environments provided by Virtual Machines (VMs), as opposed to code compiled to run under the host operating system. Also provided is a good explanation of how a VM environment allows any appropriately coded application to run on a variety of host platforms with no modification. There is also a good indication of what advantages can be gained by injecting MCR malware into the VMs running on an organisation’s IT systems (and thus controlling their applications) and why attackers find MCRs so particularly attractive.

Chapters 3-8 deal with the many ways in which MCR malware can be developed and deployed. The technical content of this section is excellent, and the reader is provided with a wealth of information on how the popular VM runtimes of Windows .NET CLR, Unix Java JVM and Android’s Dalvik can be modified in such a way that applications dependent upon the VM inherit the modified behaviour. The tools to compile and reverse-engineer code are listed and explained, along with examples of how these may be used to change the internal definition of a programming language. Chapter 5 is where the decisions are made on which aspects of the VM runtime are best modified, depending upon what the attacker wants to achieve. Real-world examples and case studies are provided, and the reader is taken step by step through the options of modifying the logic, execution flow and/or literal values of the VM runtime.

Chapter 6 shows how injected modified code blocks can be wrapped up as new methods, thus creating a malware Application Programming Interface (API) and extending the runtime.

Chapter 7 explains how to automate the work of Chapters 5 and 6 using an application called ReFrameworker (an open source project). This chapter also highlights the legitimate uses of MCRs for developers, allowing them to deploy an MCR into a given framework and test the behaviour of the injected code. Such a procedure could automate the process of generating modified binaries for frameworks on target machines.

Chapter 8 explores the more advanced topics of thread injection, state manipulation and how to hide an MCR in the unmanaged code that is generated by the runtime using the Just-in-Time (JIT) compiler. From a security professional’s viewpoint, these exploits are shown to be worryingly simple.

Chapter 9 changes direction, focusing on the risks generated by MCRs and providing advice on how countermeasures can be deployed. Guidance on how to establish a defence-in-depth solution to mitigate such risks is provided to help combat these particular threats.

Chapter 10 ends the book with a ‘Where do we go from here?’ piece in which alternate uses of modifying the runtime environments are explored. In particular, since the book makes clear the difficulties of detecting MCRs with standard code reviews, this section raises the reader’s awareness of the benefits of ensuring a more secure runtime environment for VMs.

Overall the book is very well structured and presented in a way that maintains the reader’s interest as the author delves ever deeper into why hackers use MCRs to target an organisation’s applications. Continuity of the content is maintained by helpful summaries at the end of each chapter. Although a page of terminology is provided early in the book, it does not cater for the wealth of acronyms and esoteric terms. If I had one criticism, therefore, it would be the lack of a comprehensive glossary. Despite this single omission, Mr Metula is a consummate and talented security practitioner who knows his subject thoroughly. I consider this book to be excellent value for money and would recommend it to any security professional.

In today’s austere economic climate, modern IT solutions are being sought that are proven value for money. The use of virtual servers is rapidly increasing as they provide better utilisation and increased productivity of existing resources. This book highlights the risks of adopting such technology and provides valuable advice on countermeasures to mitigate those risks.

Marks: 5 out of 5
