Penetration Testing mailing list archives
RE: Using viruses in pen-test
From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Wed, 11 Oct 2006 15:13:50 -0600
I wouldn't advise a penetration test by worm/virus. First of all, the test would require you to unleash known viruses "in the wild", which is a crime in most places. Since you cannot control live virus code, these viruses will almost always affect hosts beyond your original target. Second, a successful virus infection is very damaging, and undermines the spirit of "good" penetration testing, since machines may have to be rebuilt or cleaned and network infrastructure may be substantially affected by these infections. If you successfully infect a network with a self-propagating worm to which the entire company's virus scanner is vulnerable, the company's IT resources could be completely shut down for a significant period of time.

Of course, if your penetration test fails, you have learned little about their network other than the fact that their computers protect against that specific virus. Because of the way most virus scanners use signature-based detection, you must use a "known" virus for this test. Writing your own virus code or substantially modifying an existing virus renders much of the signature-based detection ineffective and therefore will be an anomaly on the report.

I think it is extremely unwise for a company to ask you to check their virus policy by attempting to unleash 3rd party, known malicious code on the network. They are surely aware that being on the Internet subjects their outside-facing systems and components to thousands of "attacks" and probes per day. They must also be made to recognize that your attempting to "insert" a known malware application into their network through less standard means is probably an unwanted danger to their business.

The only way to test antivirus settings that I know of while being reasonably safe is to mirror one of their production systems to a secure machine (preferably a virtual machine) and unleash viruses against that machine. This must be done with the awareness that virus code may be illegal to possess in many jurisdictions, and it is definitely illegal in MOST places to willingly expose it to live networks. So take your secure machine, mirror one of their live systems and see how it responds. Then, if it is affected, it is 1) not crashed or destroyed, 2) not spewing infection payloads over the rest of the world and 3) not a threat to business continuity (network stability, data security, etc.). If your client does not understand that you cannot "black box" test live virus code safely on a production system, he needs an education in the safety and importance of corporate IT infrastructure.

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of neo anderson
Sent: Wednesday, October 11, 2006 1:08 AM
To: pen-test () securityfocus com
Subject: Using viruses in pen-test

Hi List,

I wish to know your views on "Using viruses in pen-test". I've been working in the infosec domain for over 2 years with a couple of infosec certs including CEH, and conducting pen-tests for my clients for about a year. My recent client has hired me for carrying out "every possible" type of pen test. This includes testing the organization's defence mechanisms against viruses as well; this includes testing whether anti-virus administrators have up-to-date virus definitions etc. I'm supposed to gather this information by means of thorough penetration tests only.

As we are all aware, viruses (worms/trojans included) enter the corporate network and propagate over the LAN in many ways, like email attachments or infected content brought in by an employee. It spreads by itself thereafter.

Now my question: Is there any standard procedure to test the posture of an organization's network security against potential virus threats? I mean I wish to know about pen-tests carried out against an antivirus product. In order to replicate itself, a virus must be permitted to execute code and/or write to memory. Thus this pen-test should also test that. And do I need to use some known viruses for this kind of pen-test?

Have your thoughts on this topic please. Thanking you all.