Penetration Testing mailing list archives
Re: Using viruses in pen-test
From: intel96 <intel96 () bellsouth net>
Date: Thu, 02 Nov 2006 13:27:56 -0500
Christoph, What does using the "eicar" signatures really get you? All anti-virus vendors should be able to spot this signature correct? If the client's anti-virus application fails to identify the "eicar" signature using one of the compression techniques you cited what is your next step to contact the vendor? Personally I only use custom virus code when the client has authorized a social engineering exercise and understands what I will try. All these custom attacks are targeted at certain people within the organization. Example: The network team may will only get code that looks like router updates or tools to help them manage the network. This works VERY well. All this code can be written to target a single person and will not run if Joe Network is not the logon to his system. Intel96 Christoph Puppe wrote:
Omar Herrera wrote:Hi Neo, You should really think what needs to be tested. I.e. is it the replication capability or the infection vectors and defences against unauthorized code?Important point. To test the real world capabilities of anti virus posture of a company you should not only use the eicar-string. In all audits of internal networks I test the av as well. For this I use the eicar, compressed versions of it (zippped, g-zipped, b-zipped, tar, rar etc) and a real world, working and full featured backdoor *without* a proliferation engine. Another test is the same backdoor protected with some binary self-encrypting tool. This always succeeds and the customer understands, that av is only good against known threats. New or custom made malware will sneak by her defenses and do evil. In my opinion a very important point. If the customer doesn't believes me, I even start the backdoor, show the open port, connect with the client and let their ppl have some script-kiddy fun with the test pc. Very convincing! I can do that because the backdoor is tested, tried and proven to be free of any self propagating, installing, registry modifying, infecting or deleting capabilities. At least it has never done anything like that :)
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: Using viruses in pen-test intel96 (Nov 02)
- Re: Using viruses in pen-test Christoph Puppe (Nov 02)
- <Possible follow-ups>
- Re: Using viruses in pen-test Petr . Kazil (Nov 03)