Penetration Testing mailing list archives
Re: Using viruses in pen-test
From: Petr.Kazil () eap nl
Date: Fri, 3 Nov 2006 17:38:58 +0100
> Personally I only use custom virus code when the client has authorized a
> social engineering exercise and understands what I will try. All these
> custom attacks are targeted at certain people within the organization.
Very interesting! Do you mean "virus" or "spyware"? I assume you wouldn't run the risk of infecting a client with a self-propagating program? How do you couple it to a "normal" executable (I assume you add it to a "self-unzipper")? I know you can download software to do that, or do you have another solution? Do you hide it in alternate data streams? I've been playing around with that idea. Can you point me to some good information sources?

To get a grasp of the basics I'm reading the "Black Books of Computer Viruses" and the (excellent!) book Reversing: Secrets of Reverse Engineering by Eldad Eilam. But I get the feeling that using assembler is much too labor intensive. Maybe knowing C and the Windows APIs might be sufficient to write some attack programs? How did you get started? It would be a fun experiment to write a simple keylogger and see if it gets detected by virus/malware checkers.

A bit off-subject: I hear interesting stories about virus checkers. I have colleagues who run honeypots, and they tell me that a lot of the malware they catch isn't detected by two consecutive commercial virus checkers. And I've read several articles that show how easy it is to build a non-detectable virus using standard virus-building tools from the Internet. (But surprisingly, I don't hear a lot about virus outbreaks in my part of the industry - maybe viruses got less aggressive and stealthier.)
> What does using the "eicar" signatures really get you?

I test the email, http and https gateways, and with the latter some successes are possible.
I have a small collection of (links to) files that should / might be blocked by gateways here: http://www.xs4all.nl/~kazil/testfiles/

The 42.zip is a fun one, but very dangerous. A few years ago it still crashed some mailsweepers. Today most admins are aware of the risk. Don't use that without asking first! (In a Nessus scan it will be sent to a mailserver if you disable "safe checks".)

Greetings, Petr
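The 42.zip mentioned above is a nested decompression bomb, the kind of test file that used to crash mail sweepers that expanded attachments blindly. As an added example, not code from this thread or from Petr's test-file collection, here is the pre-screen a gateway can run from a zip's central directory before extracting anything: flag entries whose declared size dwarfs their stored size, cap how deep nested archives are opened, bound the bytes read from any nested archive, and cap the total declared size. The thresholds and the `build_sample` archives are constructed for the example; a bomb-shaped archive is generated in memory from zeros rather than shipped.

```python
import io
import os
import zipfile

# Thresholds are constructed for this example; a gateway would tune them.
MAX_RATIO = 100                 # declared size / stored size for one entry
MAX_TOTAL = 64 * 1024 * 1024    # cumulative declared size across all levels
MAX_DEPTH = 1                   # nested archives opened below the top level
MAX_INNER = 4 * 1024 * 1024     # largest nested archive read into memory


def inspect_zip(data: bytes, depth: int = 0, path: str = "") -> dict:
    """Pre-screen a zip from its central directory, without extracting it.

    Returns {"total_declared": int, "findings": [str, ...]}; an empty
    findings list means nothing looked like a decompression bomb.
    """
    findings = []
    total = 0
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"total_declared": 0,
                "findings": [f"{path or '<root>'}: not a valid zip"]}
    with zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            total += info.file_size
            # A bomb is mostly air: the declared size dwarfs what is stored.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(
                    f"{name}: ratio {info.file_size // info.compress_size}:1 "
                    f"exceeds {MAX_RATIO}:1")
            if not info.filename.lower().endswith(".zip"):
                continue
            # Nested archives (42.zip is several levels deep) are opened only
            # to a fixed depth and only if they fit a fixed byte budget.
            if depth >= MAX_DEPTH:
                findings.append(
                    f"{name}: nested archive beyond depth {MAX_DEPTH}, not opened")
                continue
            with zf.open(info) as fh:
                inner = fh.read(MAX_INNER + 1)   # bounded read, never zf.read()
            if len(inner) > MAX_INNER:
                findings.append(
                    f"{name}: nested archive over {MAX_INNER} bytes, not opened")
                continue
            sub = inspect_zip(inner, depth + 1, name)
            total += sub["total_declared"]
            findings.extend(sub["findings"])
    if depth == 0 and total > MAX_TOTAL:
        findings.append(f"total declared size {total} exceeds {MAX_TOTAL}")
    return {"total_declared": total, "findings": findings}


def is_suspicious(data: bytes) -> bool:
    """True when the archive should be held rather than expanded."""
    return bool(inspect_zip(data)["findings"])


def build_sample(kind: str) -> bytes:
    """Constructed test archives: 'benign', 'bomb', 'nested' and 'deep'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if kind == "benign":
            zf.writestr("report.txt", os.urandom(4096))             # incompressible
        elif kind == "bomb":
            zf.writestr("payload.bin", b"\0" * (8 * 1024 * 1024))   # ~1000:1
        elif kind == "nested":
            zf.writestr("inner.zip", build_sample("bomb"))
        elif kind == "deep":
            zf.writestr("mid.zip", build_sample("nested"))
        else:
            raise ValueError(kind)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("benign", "bomb", "nested", "deep"):
        result = inspect_zip(build_sample(kind))
        verdict = "HOLD" if result["findings"] else "pass"
        print(f"{kind:7s} {verdict}  declared={result['total_declared']}")
        for finding in result["findings"]:
            print("   ", finding)
```

The central-directory sizes are attacker-controlled, so this screen is a cheap first gate, not the last one: a gateway that does go on to expand an archive still has to enforce the same byte and depth budgets while streaming the decompression, rather than trusting the declared sizes it just read.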