Penetration Testing mailing list archives
RE: virus product pentest
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Mon, 13 Sep 2004 22:28:52 +0530
Anti-viruses have become much smarter these days, as the malicious code writers are using various ways and means to get past them undetected. If I have understood your statement correctly, then I believe you want some technique to evade anti-viruses to test their ability. Then I must tell you there are various ways to evade any anti-virus product, but that doesn't mean they are inefficient in protecting against malicious code. It is just a matter of the signature being updated, and the AV will definitely be smart enough to detect the malcode, unless it is just a static AV scanner. Nowadays, most AVs use heuristic scan techniques to find the malicious patterns in the code, but still those techniques can be defeated.

The most popular technique used by malicious worm coders to defeat AV products is code obfuscation. There are different methods of obfuscating code which can get past AV security, but again it is just a matter of the signature being updated. There are several viruses which have an inbuilt obfuscator, which keeps encrypting the virus body and creating a mutant of its own before infecting any files. These are called polymorphic viruses. They have an in-built mutation engine which creates a different signature for every copy. A very well known tool called MistFall (by z0mbie) is used by hackers/malicious coders/script kiddies to obfuscate malicious code. Most AVs do the reverse work to identify the malicious code; they have to deobfuscate the code before doing pattern matching. There are also other techniques called Binding or Packing, where the malcode is hidden in encrypted form in another EXE. When the resultant EXE is executed, the malcode is first extracted before it gets executed.

That is enough knowledge (gyan... ;o); now I believe you have got the right info. I am currently working on a few tool sets which can be used for testing AV gateway security. I shall release them on my homepage in a couple of months.
But before that I shall publish an article on "AV Evasion Techniques and various countermeasures". It is almost 75% finished; I hope to finish it by the end of this month. Hope that will help you. It has always been fun for me debugging and hunting such malicious code.... :)

Debasis Mohanty
http://www.hackingspirits.com

-----Original Message-----
From: 4secure () web de [mailto:4secure () web de]
Sent: Friday, September 10, 2004 6:49 PM
To: pen-test () securityfocus com
Subject: virus product pentest

Hello,

can someone give me tips on how I can run virus protection tests? This is also interesting if one must carry out a virus audit. So far I have examined only functionality with an EICAR test virus. However, I still need procedures for testing the performance of a virus protection product. I would also like to examine which viruses the product recognizes (e.g. the viruses specified at http://www.wildlist.org/WildList/RTWL.htm). Is there also some kind of collection of virus identifications (defused viruses), or do I have to search the internet for some real viruses? Perhaps there is a finished virus collection; if so, where?

Yours sincerely
Istvan
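Istvan mentions having checked functionality only with an EICAR test file; the following harness is an added example, not code from either poster or from hackingspirits.com, showing how that functional check can be made a little more systematic. It writes the plain EICAR file and the same file inside a ZIP archive (the second case tells you whether the on-access scanner looks inside archives), then polls to see how the resident scanner reacted. The directory, timeout and verdict names are this example's own assumptions.

```python
"""Minimal on-access anti-virus functional check built around the EICAR test file (added example)."""
import io
import os
import time
import zipfile

# The 68-byte EICAR standard test string: public, harmless, detected by every mainstream AV.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    return EICAR.encode("ascii")


def eicar_zip_bytes() -> bytes:
    """EICAR inside a ZIP: exercises the scanner's archive handling rather than its signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", eicar_bytes())
    return buf.getvalue()


def classify(path: str, original: bytes) -> str:
    """Report what the resident scanner did to a file we just wrote (verdict names are assumed here)."""
    try:
        with open(path, "rb") as fh:
            current = fh.read()
    except FileNotFoundError:
        return "removed"      # deleted or moved to quarantine
    except PermissionError:
        return "blocked"      # access denied: the scanner is holding the file
    return "untouched" if current == original else "altered"   # some products truncate or disinfect


def run_checks(directory: str, timeout: float = 10.0) -> dict:
    """Write each sample, then poll until the scanner reacts or the timeout expires."""
    samples = {"eicar.com": eicar_bytes(), "eicar.com.zip": eicar_zip_bytes()}
    results = {}
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        deadline = time.monotonic() + timeout
        verdict = classify(path, data)
        while verdict == "untouched" and time.monotonic() < deadline:
            time.sleep(0.5)
            verdict = classify(path, data)
        results[name] = verdict
        if verdict == "untouched":   # nothing caught it, so clean up ourselves
            os.remove(path)
    return results


if __name__ == "__main__":
    for name, verdict in run_checks(os.getcwd()).items():
        print(f"{name}: {verdict}")
```

A verdict of "untouched" after the timeout means the on-access scanner did not react to that sample; "removed" or "blocked" for the plain file but "untouched" for the ZIP points at archive scanning being disabled.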