RE: Using viruses in pen-test

From: Hagen, Eric (hagene@DenverNewspaperAgency.com)
Date: Wed Oct 11 2006 - 17:13:50 EDT


I wouldn't advise a penetration test by worm/virus. First of all, the test would require you to unleash known viruses "in the wild" which is a crime in most places. Since you cannot control live virus code, these viruses will almost always affect hosts beyond your original target. Second, a successful virus infection is very damaging, and undermines the spirit of "good" penetration testing, since machines may have to be rebuilt or cleaned and network infrastructure may be substantially affected by these infections.

If you successfully infect a network with a self-propagating worm to which the entire company's virus scanner is vulnerable, the company's IT resources could be completely shut down for a significant period of time. Of course, if your penetration test fails, you have learned little about their network other than the fact that their computers protect against that specific virus.

Because of the way most virus scanners use signature-based detection, you must use a "known" virus for this test. Writing your own virus code or substantially modifying an existing virus renders much of the signature-based detection ineffective and therefore will be an anomaly on the report.

I think it is extremely unwise for a company to ask you to check their virus policy by attempting to unleash 3rd party, known malicious code, on the network.

They are surely aware that being on the Internet subjects their outside-facing systems and components to thousands of "attacks" and probes per day. They must also be made to recognize that your attempting to "insert" a known malware application into their network through less standard means is probably an unwanted danger to their business.

The only way to test antivirus settings that I know of while being reasonably safe is to mirror one of their production systems to a secure machine (preferably a virtual machine) and unleash viruses against that machine. This must be done with the awareness that virus code may be illegal in many jurisdictions to possess and it is definitely illegal in MOST places to willingly expose it to live networks.

So take your secure machine and mirror one of their live systems and see how it responds. Then, if it is affected, it is 1) not crashed or destroyed, 2) not spewing infection payloads over the rest of the world and 3) not a threat to business continuity (network stability, data security, etc.).

If your client does not understand that you cannot "black box" test live virus code safely on a production system, he needs an education in the safety and importance of corporate IT infrastructure.

Eric

-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]On Behalf Of neo anderson
Sent: Wednesday, October 11, 2006 1:08 AM
To: pen-test@securityfocus.com
Subject: Using viruses in pen-test

Hi List,
I wish to know your views on "Using viruses in pen-test".
I've been working in the infosec domain for over 2 years with a couple
of infosec certs including CEH and conducting pen-tests for my clients
for about a year.

My recent client has hired me for carrying out "every possible" type
of pen test.
This includes testing the organization's defence mechanism against viruses
as well; this includes testing whether anti-virus administrators have
up-to-date virus definitions etc. I'm supposed to gather this
information by means of thorough penetration tests only.

We are all aware of how viruses (worms/trojans included)
enter the corporate network and propagate over the LAN. There are many
ways, like email attachments or infected content brought in by an
employee. It spreads on its own thereafter.

Now my question:

Is there any standard procedure to test the posture of an organization's
network security against potential virus threats? I mean I wish to
know about pen-tests carried out against antivirus products. In order to
replicate itself, a virus must be permitted to execute code and/or
write to memory. Thus this pen-test should also test that.
And do I need to use some known viruses for this kind of pen-test?

Have your thoughts on this topic please.
Thanking you all.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:10 EDT