Re: Using viruses in pen-test

From: Petr.Kazil@eap.nl
Date: Fri Nov 03 2006 - 11:38:58 EST


> > Personally I only use custom virus code when the client has authorized a
> > social engineering exercise and understands what I will try. All these
> > custom attacks are targeted at certain people within the organization.

Very interesting! Do you mean "virus" or "spyware"? I assume you wouldn't
run the risk of infecting a client with a self-propagating program?

How do you couple it to a "normal" executable (I assume you add it to a
"self unzipper"?). I know you can download software to do that, or have you
another solution? Do you hide it in alternate data streams?

I've been playing around with that idea. Can you point me to some good
information sources? To get a grasp of the basics I'm reading the "black
books of computer viruses" and the (excellent!) book: Reversing: Secrets
of Reverse Engineering by Eldad Eilam. But I get the feeling that using
assembler is much too labor intensive. Maybe that knowing C and the
Windows-API's might be sufficient to write some attack programs? How did
you get started?

It would be a fun experiment to write a simple keylogger and see if it gets
detected by virus/malware checkers.

A bit off-subject:

And I hear interesting stories about virus checkers. I have colleagues who
run honeypots, and they tell me that a lot of the malware they catch, isn't
detected by two consecutive commercial virus checkers. And I've read
several articles that show how easy it is to build a non-detectable virus
using standard virus-building tools from the Internet. (But surprisingly, I
don't hear a lot about virus outbreaks in my part of the industry - maybe
viruses got less aggressive and stealthier.)

> > What does using the "eicar" signatures really get you?
> I test the email, http and https gateways and with the latter,
> some successes are possible.

I have a small collection of (links to) files that should / might be
blocked by gateways here:
http://www.xs4all.nl/~kazil/testfiles/

The 42.zip is a fun one, but very dangerous. A few years ago it still
crashed some mailsweepers. Today most admins are aware of the risk. Don't
use that without asking first! (In a nessus scan it will be sent to a
mailserver if you disable "safe checks").

Greetings, Petr
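[Editor's note, added to this archived post and not part of Petr's message or
of any tool he mentions: the 42.zip-style archives discussed above are caught
today by gateways that inspect the ZIP central directory instead of inflating
blindly. The check below, written for this archive as an illustration, walks a
zip-in-zip structure with hard limits on nesting depth, declared
compressed/uncompressed ratio and total declared size, and builds a small
constructed nested archive (not the real 42.zip) to exercise itself. The limit
values are assumptions for illustration and not from the original post.]

```python
"""Gateway-side check for nested/zip-bomb archives.

Added example for this archived post; not code from the original message.
All archives here are constructed in memory (a tiny 42.zip look-alike and a
benign document), so it runs offline. Limits are illustrative assumptions.
"""
import io
import zipfile
from typing import Tuple

# Assumed limits for illustration; a real gateway tunes these per policy.
MAX_DEPTH = 3                    # how many zip-in-zip levels we will follow
MAX_RATIO = 100                  # declared uncompressed/compressed ratio per member
MAX_TOTAL = 50 * 1024 * 1024     # sum of declared uncompressed bytes, all levels
MAX_MEMBER_READ = 4 * 1024 * 1024  # cap on bytes read from any nested .zip member


class ArchiveBomb(Exception):
    """Raised when an archive exceeds one of the limits above."""


def inspect_zip(data: bytes, depth: int = 0, seen_total: int = 0) -> int:
    """Return the total declared uncompressed size across all nesting levels.

    Only the central directory is consulted for sizes, so ordinary members are
    never inflated. Nested .zip members are read with a byte cap and recursed
    into, so a deep or wide bomb is rejected long before it can expand.
    """
    if depth > MAX_DEPTH:
        raise ArchiveBomb(f"nesting deeper than {MAX_DEPTH} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Ratio check on declared sizes; compress_size of 0 with a non-zero
            # file_size is treated as suspicious rather than divided by zero.
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise ArchiveBomb(
                    f"{info.filename}: declared ratio exceeds {MAX_RATIO}:1")
            seen_total += info.file_size
            if seen_total > MAX_TOTAL:
                raise ArchiveBomb(f"total declared size exceeds {MAX_TOTAL} bytes")
            if info.filename.lower().endswith(".zip"):
                if info.file_size > MAX_MEMBER_READ:
                    raise ArchiveBomb(f"{info.filename}: nested zip too large to scan")
                with zf.open(info) as fh:
                    inner = fh.read(MAX_MEMBER_READ + 1)
                if len(inner) > MAX_MEMBER_READ:
                    raise ArchiveBomb(f"{info.filename}: nested zip larger than declared")
                seen_total = inspect_zip(inner, depth + 1, seen_total)
    return seen_total


def check_archive(data: bytes) -> Tuple[bool, str]:
    """Gateway verdict: (allowed, reason). Malformed zips are blocked too."""
    try:
        total = inspect_zip(data)
    except ArchiveBomb as exc:
        return False, f"blocked: {exc}"
    except zipfile.BadZipFile as exc:
        return False, f"blocked: malformed archive ({exc})"
    return True, f"ok: {total} declared bytes"


def make_zip(members: dict) -> bytes:
    """Build a deflated zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested_bomb(levels: int = 4, fanout: int = 3, payload_size: int = 1 << 20) -> bytes:
    """Constructed 42.zip look-alike: a highly compressible payload wrapped
    `levels` times with `fanout` copies per level. Small enough to be safe."""
    current = make_zip({"payload.bin": b"\0" * payload_size})
    for level in range(levels):
        current = make_zip({f"lvl{level}_{i}.zip": current for i in range(fanout)})
    return current


def build_benign() -> bytes:
    """Constructed ordinary attachment that should pass."""
    return make_zip({
        "report.txt": b"quarterly numbers: revenue 1.2M, cost 0.9M\n" * 10,
        "notes/readme.txt": b"hello from the constructed sample",
    })


if __name__ == "__main__":
    print(check_archive(build_benign()))
    print(check_archive(build_nested_bomb()))
    print(check_archive(build_nested_bomb(levels=1)))
```

With the defaults the deep sample is rejected on nesting depth before any
payload is touched, and a single-level wrapper (`levels=1`) is rejected on the
declared ratio of the zero-filled payload; the benign archive passes. Running
the real 42.zip through a gateway still needs the client's go-ahead, as Petr
says.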


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:17 EDT