RE: virus product pentest

From: Debasis Mohanty (mail@hackingspirits.com)
Date: Mon Sep 13 2004 - 12:58:52 EDT


Anti-Viruses have become much smarter these days as the malicious code
writers are using various ways and means to get past them undetected.

If I have understood your statement correctly then I believe you want
some technique to evade anti-viruses to test their ability. Then I must
tell you there are various ways to evade any anti-virus products but
that doesn't mean they are inefficient in protecting against malicious
codes. It is just a matter of signature to be updated and the AV will
definitely be smart enough to detect the malcode unless it is just a
static AV scanner.

Now days, most of the AVs use heuristics scan techniques to find the
malicious patterns in the code but still those techniques can be
defended. Most popular techniques used by malicious worms coders to
defend AV products is code obfuscation. There are different methods to
do an obfuscation of code which can get past AV security but again it is
just a matter of signature to be updated.

There are several viruses which has inbuilt obfuscator, which keeps
encrypting its body and creating a mutant of its own before infecting
any files. These are called polymorphic viruses. They have a in-built
mutation engine which creates a different signature for its every copy.

A very well known tool called MistFall (by z0mbie) is used by
hackers/malicious coders/scipt kiddies to obfuscate malicious codes.
Most of the AV does the reverse work to identify the malicious; it has
to deobfuscate the code before making a pattern matching. There are also
other techniques called Binding or Packing where the malcode is hidden
in encrypted form in another exe. When the resultant EXE is executed the
malcode is first extracted before it gets executed. These are enough of
knowledge (gyan... ;o), now I believe you have got the right info.

I am currently working on few tool sets which can be used for testing AV
gateway securities. I shall release them on my homepage in couple of
months. But before that I shall publish an Article on "AV Evasion
Techniques and various countermeasures". It is almost 75% finished; hope
to finish it by the end of this month. Hope that will help you.

It has always been fun for me debugging and hunting such malicious
codes.... :)

Debasis Mohanty
http://www.hackingspirits.com
 

-----Original Message-----
From: 4secure@web.de [mailto:4secure@web.de]
Sent: Friday, September 10, 2004 6:49 PM
To: pen-test@securityfocus.com
Subject: virus product pentest

Hello,

can someone give me tips, how I can run a virus protection tests.
This is this also interesting, if one must accomplish a virus audit. So
far I examined only functionality with an EICAR test virus. I need
however still procedures for the performance of a virus protection. I
would examine also, which viruses the product (e.g. viruses, which are
specified at http://www.wildlist.org/WildList/RTWL.htm) recognizes.
Gives it in addition a kind collection of virus identifications (defused
viruses) or have I to search the internet for some real viruses in the
internet. Perhaps is there a finished virus collection, if so where?

Yours sincerely
Istvan

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT