Re: Using viruses in pen-test

From: Christoph Puppe (puppe@hisolutions.com)
Date: Thu Oct 12 2006 - 03:23:37 EDT


Omar Herrera wrote:
> Hi Neo,
>
> You should really think about what needs to be tested, i.e. is it the replication
> capability or the infection vectors and defences against unauthorized code?

Important point. To test the real-world capabilities of a company's anti-virus
posture you should not only use the EICAR string.

In all audits of internal networks I test the AV as well. For this I use
EICAR, compressed versions of it (zipped, gzipped, bzipped, tar, rar
etc.) and a real-world, working and full-featured backdoor *without* a
proliferation engine.

Another test is the same backdoor protected with some binary
self-encrypting tool. This always succeeds, and the customer understands
that AV is only good against known threats. New or custom-made malware will
sneak by their defences and do evil. In my opinion a very important point.

If the customer doesn't believe me, I even start the backdoor, show the
open port, connect with the client and let their people have some script-kiddie
fun with the test PC. Very convincing!

I can do that because the backdoor is tried, tested and proven to be free
of any self-propagating, installing, registry-modifying, infecting or
deleting capabilities. At least it has never done anything like that :)

-- 
Kind regards
Christoph Puppe
Security Consultant
We secure your business.(TM)
_______________________________________________________
HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
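The archive part of the test described above, as an added example that is not Christoph Puppe's or HiSolutions' tooling: it writes the EICAR string plain and inside zip, nested zip, gzip, bzip2, tar and tar.gz containers, checks before deployment that each container really unpacks to the 68-byte string, and afterwards lists which files the on-access scanner left on disk. It uses only the Python standard library, so the rar variant from the post is not produced; the file names and labels are this example's own choice, and the magic-byte detection in unpack() is only meant for the containers the script itself creates.

```python
"""EICAR in several containers: how deep does the on-access scanner look,
and which files does it leave behind? Added example, not the poster's tool;
standard library only, so rar (mentioned in the post) is not produced."""
import bz2
import gzip
import io
import os
import tarfile
import tempfile
import zipfile

# The 68-byte EICAR test string, kept in two halves so this source file does
# not itself match the signature (matched as one contiguous string within
# the first 128 bytes of a file).
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """EICAR test string exactly as it must appear on disk."""
    return "".join(_EICAR_PARTS).encode("ascii")


def _zip_bytes(name: str, data: bytes) -> bytes:
    """Deflated ZIP archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def _tar_bytes(name: str, data: bytes, mode: str) -> bytes:
    """Tar archive ("w" plain, "w:gz" gzipped) holding a single member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_samples(outdir=None) -> dict:
    """Write every variant into outdir (fresh temp dir by default) and
    return {label: path}. Same payload everywhere; only the layering differs."""
    plain = eicar_bytes()
    inner_zip = _zip_bytes("eicar.com", plain)
    variants = {  # file names are this example's choice
        "plain": ("eicar.com", plain),
        "zip": ("eicar.zip", inner_zip),
        "zip_in_zip": ("eicar_nested.zip", _zip_bytes("eicar.zip", inner_zip)),
        "gzip": ("eicar.com.gz", gzip.compress(plain)),
        "bzip2": ("eicar.com.bz2", bz2.compress(plain)),
        "tar": ("eicar.tar", _tar_bytes("eicar.com", plain, "w")),
        "tgz": ("eicar.tar.gz", _tar_bytes("eicar.com", plain, "w:gz")),
    }
    outdir = outdir or tempfile.mkdtemp(prefix="avtest-")
    os.makedirs(outdir, exist_ok=True)
    paths = {}
    for label, (fname, blob) in variants.items():
        paths[label] = os.path.join(outdir, fname)
        with open(paths[label], "wb") as fh:
            fh.write(blob)
    return paths


def unpack(path: str) -> bytes:
    """Peel every container layer off a sample and return the payload.
    Run before deployment so a later miss is provably the scanner's fault.
    The magic-byte checks cover only the containers build_samples() makes."""
    with open(path, "rb") as fh:
        data = fh.read()
    while True:
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(zf.namelist()[0])
        elif data[:2] == b"\x1f\x8b":                        # gzip
            data = gzip.decompress(data)
        elif data[:3] == b"BZh":                              # bzip2
            data = bz2.decompress(data)
        elif len(data) > 262 and data[257:262] == b"ustar":  # tar
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
        else:
            return data


def verify_samples(paths: dict) -> list:
    """Labels whose file unpacks to the EICAR string."""
    return sorted(lbl for lbl, p in paths.items() if unpack(p) == eicar_bytes())


def surviving_samples(paths: dict) -> list:
    """Labels still on disk after the scanner had time to react, i.e. the
    containers it does not look into (or does not quarantine)."""
    return sorted(lbl for lbl, p in paths.items() if os.path.exists(p))
```

Typical use: call build_samples() on the test PC, confirm verify_samples() lists all seven labels, wait for the on-access scanner, then call surviving_samples() with the same dict; every label it still returns is a container the product did not open. With no scanner present all seven survive, which is the control result to compare against.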