Penetration Testing mailing list archives

Re: Using viruses in pen-test
From: Christoph Puppe <puppe () hisolutions com>
Date: Thu, 02 Nov 2006 22:23:25 +0100

intel96 wrote:
> Christoph,
>
> What does using the "eicar" signatures really get you?  All anti-virus
> vendors should be able to spot this signature, correct?  If the client's
> anti-virus application fails to identify the "eicar" signature using one
> of the compression techniques you cited, what is your next step, to
> contact the vendor?

Not all customers have an AV and some have accidentally disabled it. Sure,
this is not often met with success. But then I take pride in being
thorough. I test the email, http and https gateways and with the latter,
some successes are possible.

> Personally I only use custom virus code when the client has authorized a
> social engineering exercise and understands what I will try.  All these
> custom attacks are targeted at certain people within the organization.
>
> Example:  The network team will only get code that looks like router
> updates or tools to help them manage the network.  This works VERY well.
>
> All this code can be written to target a single person and will not run
> if Joe Network is not the one logged on to his system.

I kind of do this as well: with the protected trojan I show the customer
that AV only helps against known malware. I could extend this to send the
code to some unsuspecting user, but then the customer understands the
problem very well after one of his secured PCs has a port open and nothing
shows in the process list.

> Intel96

> Christoph Puppe wrote:
>> Omar Herrera wrote:
>>> Hi Neo,
>>>
>>> You should really think about what needs to be tested, i.e. is it the
>>> replication capability or the infection vectors and defences against
>>> unauthorized code?
>>
>> Important point. To test the real-world capabilities of a company's
>> anti-virus posture you should not only use the EICAR string.
>>
>> In all audits of internal networks I test the AV as well. For this I use
>> the EICAR file, compressed versions of it (zipped, gzipped, bzipped, tar,
>> rar etc.) and a real-world, working and full-featured backdoor *without*
>> a proliferation engine.
>>
>> Another test is the same backdoor protected with some binary
>> self-encrypting tool. This always succeeds and the customer understands
>> that AV is only good against known threats. New or custom-made malware
>> will sneak past her defenses and do evil. In my opinion a very important
>> point.
>>
>> If the customer doesn't believe me, I even start the backdoor, show the
>> open port, connect with the client and let their people have some
>> script-kiddy fun with the test PC. Very convincing!
>>
>> I can do that because the backdoor is tested, tried and proven to be free
>> of any self-propagating, installing, registry-modifying, infecting or
>> deleting capabilities. At least it has never done anything like that :)


-- 
Mit freundlichen Grüßen

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
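
The EICAR-in-archives part of the test Christoph describes (plain EICAR file plus zip, gzip, bzip2 and tar wrappers, with a nested zip added for gateways that only unpack one level), as an added example that is not part of the original thread and not the poster's own tooling. It builds every variant in memory, then verifies that each wrapper actually unpacks back to the 68-byte EICAR string, so that a gateway miss is a miss on a valid archive rather than on a corrupted one. The file names, the nested-zip variant and the `write_variants` helper are assumptions of this example; rar is left out because it needs an external tool.

```python
"""Generate the EICAR test file and the archive wrappers used to probe
anti-virus gateways, entirely in memory. Added example, not the poster's
own tooling; file names and the nested-zip variant are assumptions."""
import bz2
import gzip
import hashlib
import io
import os
import sys
import tarfile
import zipfile
from typing import Dict, Optional, Tuple

# The 68-byte EICAR string is kept in two halves so that this script is not
# itself flagged by a scanner while it is being edited; eicar_bytes() joins them.
_EICAR_PARTS = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-",
    b"ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the EICAR test string; it must be the first bytes of the file."""
    data = b"".join(_EICAR_PARTS)
    assert len(data) == 68, "EICAR string is exactly 68 bytes"
    return data


def _zip(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def _tar(member: str, payload: bytes, mode: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_variants(payload: Optional[bytes] = None) -> Dict[str, bytes]:
    """Map file name -> bytes for the plain file and each wrapper."""
    if payload is None:
        payload = eicar_bytes()
    return {
        "eicar.com": payload,
        "eicar.com.zip": _zip("eicar.com", payload),
        "eicar.com.gz": gzip.compress(payload),
        "eicar.com.bz2": bz2.compress(payload),
        "eicar.tar": _tar("eicar.com", payload, "w"),
        "eicar.tar.gz": _tar("eicar.com", payload, "w:gz"),
        "eicar.tar.bz2": _tar("eicar.com", payload, "w:bz2"),
        # Nested archive: gateways that unpack only one level miss this one.
        "eicar.zip.zip": _zip("eicar.com.zip", _zip("eicar.com", payload)),
    }


def unwrap(name: str, blob: bytes) -> bytes:
    """Unpack a variant recursively, the way a scanner would have to."""
    if name.endswith((".tar", ".tar.gz", ".tar.bz2")):  # before the .gz/.bz2 checks
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
            member = tf.getmembers()[0]
            return unwrap(member.name, tf.extractfile(member).read())
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            inner = zf.namelist()[0]
            return unwrap(inner, zf.read(inner))
    if name.endswith(".gz"):
        return unwrap(name[:-3], gzip.decompress(blob))
    if name.endswith(".bz2"):
        return unwrap(name[:-4], bz2.decompress(blob))
    return blob


def verify_variants(variants: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Confirm every wrapper unpacks to the EICAR string; return (size, sha256).

    Run this before sending anything: a gateway that lets a variant through
    should have missed a valid archive, not a broken one.
    """
    expected = eicar_bytes()
    report: Dict[str, Tuple[int, str]] = {}
    for name, blob in variants.items():
        if unwrap(name, blob) != expected:
            raise ValueError(f"{name} does not unpack to the EICAR string")
        report[name] = (len(blob), hashlib.sha256(blob).hexdigest())
    return report


def write_variants(outdir: str) -> None:
    """Write the files to disk (expect the local AV to react immediately)."""
    os.makedirs(outdir, exist_ok=True)
    for name, blob in build_variants().items():
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(blob)


if __name__ == "__main__":
    for name, (size, digest) in verify_variants(build_variants()).items():
        print(f"{name:16} {size:5d} bytes  sha256={digest}")
    if len(sys.argv) > 1:
        write_variants(sys.argv[1])  # e.g. python eicar_variants.py ./out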
