
Re: Using viruses in pen-test
From: Petr.Kazil () eap nl
Date: Fri, 3 Nov 2006 17:38:58 +0100

> Personally I only use custom virus code when the client has authorized a
> social engineering exercise and understands what I will try. All these
> custom attacks are targeted at certain people within the organization.

Very interesting! Do you mean "virus" or "spyware"? I assume you wouldn't
run the risk of infecting a client with a self-propagating program?

How do you couple it to a "normal" executable (I assume you add it to a
"self unzipper"?). I know you can download software to do that, or have you
another solution? Do you hide it in alternate data streams?

I've been playing around with that idea. Can you point me to some good
information sources? To get a grasp of the basics I'm reading the "Black
Books of Computer Viruses" and the (excellent!) book: Reversing: Secrets
of Reverse Engineering by Eldad Eilam. But I get the feeling that using
assembler is much too labor intensive. Maybe knowing C and the
Windows APIs might be sufficient to write some attack programs? How did
you get started?

It would be a fun experiment to write a simple keylogger and see if it gets
detected by virus/malware checkers.

A bit off-subject:

And I hear interesting stories about virus checkers. I have colleagues who
run honeypots, and they tell me that a lot of the malware they catch isn't
detected by two consecutive commercial virus checkers. And I've read
several articles that show how easy it is to build a non-detectable virus
using standard virus-building tools from the Internet. (But surprisingly, I
don't hear a lot about virus outbreaks in my part of the industry - maybe
viruses got less aggressive and stealthier.)

What does using the "EICAR" signatures really get you?
I test the email, HTTP and HTTPS gateways, and with the latter,
some successes are possible.

I have a small collection of (links to) files that should / might be
blocked by gateways here:

The 42.zip is a fun one, but very dangerous. A few years ago it still
crashed some mailsweepers. Today most admins are aware of the risk. Don't
use that without asking first! (In a Nessus scan it will be sent to a
mail server if you disable "safe checks".)

Greetings, Petr
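The 42.zip risk Petr mentions is a decompression bomb: a tiny archive whose declared contents expand to an enormous size, possibly through several nested layers. Below is an added example (not code from Petr or from this list) of the kind of bounded check a mail or web gateway can run on an archive before handing it to a scanner: it reads only the central directory, flags members whose declared expansion ratio or total size is out of bounds, and recurses into small nested archives without ever inflating the payload in full. The thresholds and the sample archive are constructed for the example and are not taken from 42.zip.

```python
import io
import zipfile


def build_sample_zip(nested: bool = True) -> bytes:
    """Constructed sample, not a real 42.zip: 1 MiB of zero bytes, which deflate
    shrinks to roughly 1 KiB, optionally wrapped in a second archive layer."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\x00" * (1 << 20))
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("level1.zip", inner.getvalue())
        z.writestr("readme.txt", b"just a note")
    return outer.getvalue()


def inspect_zip(data: bytes, max_ratio: float = 100.0, max_total: int = 64 << 20,
                max_nested: int = 1 << 20, max_depth: int = 3, _depth: int = 0) -> dict:
    """Walk the central directory only (no extraction to disk) and flag members
    whose declared sizes look like a bomb; recurse into small nested archives so
    a multi-layer bomb is caught before any scanner inflates it."""
    findings, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                findings.append(f"{info.filename}: declared ratio {ratio:.0f}:1")
            if info.filename.lower().endswith(".zip"):
                if _depth + 1 >= max_depth:
                    findings.append(f"{info.filename}: nested deeper than {max_depth}")
                elif info.file_size > max_nested:
                    findings.append(f"{info.filename}: nested archive too large to open")
                else:
                    try:  # z.read() stops at the declared file_size, so the read is bounded
                        sub = inspect_zip(z.read(info), max_ratio, max_total, max_nested,
                                          max_depth, _depth + 1)
                    except zipfile.BadZipFile:
                        findings.append(f"{info.filename}: named .zip but not a valid archive")
                        continue
                    findings += [f"{info.filename}/{f}" for f in sub["findings"]]
                    total += sub["declared_total"]
    if total > max_total:
        findings.append(f"declared total {total} bytes exceeds {max_total}")
    return {"declared_total": total, "findings": findings, "suspicious": bool(findings)}
```

Declared sizes in the central directory can lie, so a gateway should still cap the bytes it actually inflates; this check is a cheap first filter, not a replacement for that limit.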

