Penetration Testing mailing list archives
RE: Using viruses in pen-test
From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 11 Oct 2006 18:55:40 -0500
Hi Neo,

You should really think about what needs to be tested, i.e. is it the replication capability, or the infection vectors and defences against unauthorized code?

A while back I requested something similar (I was the client at that point), and we requested malicious code without replication capabilities that could establish communication back to the attacker. At that point we already knew that an attacker could possibly steal information or perform activities with the privileges with which the malware was executed. We tested several attack vectors, including email attachments.

Replication is very dangerous and difficult to test in a production environment (it might even be illegal if you use real viruses/worms), and I don't see the point of it unless you want to test specifically a solution to slow down network/file replication. Once you get access to an internal machine there are things with more potential impact that an attacker can do.

Also, if the only controls you want to test are blacklist-based antivirus software, the test would be pointless in my opinion (you can code yourself a very simple trojan horse and make sure beforehand that most AV won't detect it). There is no way they can pass such a test unless you use old, well-known, real viruses/worms, which of course they should detect. However, I would leave these kinds of tests to the labs that have the resources to benchmark all the Anti-X (anyway, the results are only useful for the marketing purposes of these companies).

Still, if there are whitelist-based controls in place (e.g. host-based IPS) I would say that the test might be worth trying, because the security will depend more on their configuration (i.e. the whitelists) than on the product.

In any case you should never try others' code unless you have the source, have studied it and are completely sure that it will behave as you need. The best thing is to program and test it yourself.
Remember that there are many ways to get a program into a machine other than using the network (e.g. a free CD or USB memory stick given to an employee with a nice "gift" included); in fact, these are likely in targeted attacks, so I would suggest you take them into account. Contrary to what many people seem to think, you don't need real "malware" to test this as long as you plan it carefully, your client agrees completely and both understand perfectly the implications of such tests.

I hope this is useful.

Regards,
Omar Herrera
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of neo anderson

Hi List,

I wish to know your views on "Using viruses in pen-test". I've been working in the infosec domain for over 2 years with a couple of infosec certs including CEH, and conducting pen-tests for my clients for about a year. My recent client has hired me for carrying out "every possible" type of pen test. This includes testing the organization's defence mechanism against viruses as well; this includes testing whether anti-virus administrators have up-to-date virus definitions etc. I'm supposed to gather this information by means of thorough penetration tests only.

We are all aware of how viruses (worms/trojans included) enter the corporate network and propagate over the LAN. There are many ways, like email attachments or infected content brought in by an employee. It spreads on its own thereafter.

Now my question: Is there any standard procedure to test the posture of an organization's network security against potential virus threats? I mean, I wish to know about pen-tests carried out against antivirus products. In order to replicate itself, a virus must be permitted to execute code and/or write to memory. Thus this pen-test should also test that. And do I need to use some known viruses for this kind of pen-test?

Have your thoughts on this topic please. Thanking you all.