
Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.

Example:

Change your mail sig to:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.

Then some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!

What are your ideas?

Inspired by: sec.cs.tu-bs.de/pubs/2017-asia

@Mudge I'll actually be showing a hilarious Erlang trick with this at next week based on your initial bump of the post. Trust me, you'll plotz :>

@donb cool, please share with me earlier if you can.

Other off the top of the head tricks (some need a different sig):

Password: quarantine pw files that aren't encrypted

username: utmp/wtmp

syslog to local/remote: zorch certain logs based on log level etc.

Browser strings: logs

DNS additional records: local lookup caches

SMTP X-headers: mail files/spools

Anything across the net to bork IDSes running AV.

This is a gift that keeps on giving!

Other ideas?

@Mudge At a high level, you insert the EICAR test string into the Erlang virtual machine's memory.

When BEAM (the VM) crashes, it automatically writes out a crash file (not a core dump, an Erlang specific format file). The EICAR sig will be written into it, causing it to be auto-deleted in certain A/V.

This is useful in environments where you can get code execution within Erlang, but you can't alter files outside of the VM, and you can't maintain persistence once the VM exits.

@Tanuki @Mudge yes, if you plant the EICAR string in files, then when they cross the boundaries you can see them trigger even basic rules on ClamAV (i.e. use ClamAV purely as an exfiltration detection mechanism without the other rules).

It is similar in concept to CanaryTokens (canarytokens.org/).
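The planting trick from the first post and the ClamAV-as-canary idea just above, as an added example in Python (not code from anyone in this thread): it assembles the EICAR string at runtime, drops it into the kinds of records listed earlier (web access log as User-Agent, auth log as username, URL parameter) and scans buffers for it the way a canary-style detector would. Everything in it is an assumption for illustration: the log lines, hostnames and IP addresses are constructed samples, and find_eicar is a hypothetical detector, not ClamAV. It also makes two caveats visible: the EICAR spec only obliges a scanner to flag a file that starts with the 68 bytes and is at most 128 bytes long, so a string sitting mid-logfile only fires on engines that match the substring anywhere (which is what the thread relies on); and a browser percent-encodes a query parameter, so the string only reaches an access log intact if the server logs the decoded value or the string rides in a header that is logged raw.

```python
"""Added example (not from the thread): build the EICAR test string, plant it in
constructed log-style records, and scan byte buffers for it like a canary detector."""
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# The 68-byte EICAR test string, split in two so a scanner that walks this source
# file does not match the literal. The canonical string has uppercase "AP".
_EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
_EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar() -> bytes:
    """Return the EICAR test string (68 bytes)."""
    return _EICAR_HEAD + _EICAR_TAIL


def find_eicar(data: bytes) -> Optional[Tuple[int, bool]]:
    """Locate the EICAR string in a buffer (hypothetical detector, not ClamAV).

    Returns (offset, spec_compliant) or None. spec_compliant is True only for a
    buffer the EICAR spec obliges every scanner to flag: string at offset 0,
    total length <= 128 bytes, nothing but whitespace after the string.
    Anything else (e.g. the string mid-logfile) depends on the engine also
    matching the substring anywhere, which is the behaviour the thread exploits.
    """
    sig = eicar()
    off = data.find(sig)
    if off < 0:
        return None
    compliant = off == 0 and len(data) <= 128 and data[len(sig):].strip() == b""
    return off, compliant


def apache_combined_line(user_agent: bytes) -> bytes:
    """Constructed access-log line; the User-Agent header is logged verbatim."""
    return (b'203.0.113.5 - - [01/Jan/2017:00:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "'
            + user_agent + b'"\n')


def syslog_auth_line(username: bytes) -> bytes:
    """Constructed sshd auth-log line; the attempted username is logged verbatim."""
    return b"Jan  1 00:00:00 host sshd[4242]: Invalid user " + username + b" from 203.0.113.5\n"


def query_string(value: bytes) -> bytes:
    """What a browser actually sends for ?q=<value>: the value percent-encoded."""
    return b"/search?q=" + quote(value, safe="").encode("ascii")


def logged_query(raw_request_line: bytes) -> bytes:
    """What lands on disk if the server logs the decoded query instead of the raw one."""
    return unquote(raw_request_line.decode("ascii")).encode("ascii")


if __name__ == "__main__":
    samples = [
        ("access log, EICAR as User-Agent", apache_combined_line(eicar())),
        ("auth log, EICAR as username", syslog_auth_line(eicar())),
        ("raw request line, browser-encoded", query_string(eicar())),
        ("request line after server-side decode", logged_query(query_string(eicar()))),
        ("standalone eicar.com", eicar() + b"\n"),
    ]
    for label, record in samples:
        print(f"{label}: {find_eicar(record)}")
```

The percent-encoded request line returns None: the signature never reaches the log unless the server decodes it first, which is why headers like User-Agent (sent raw) and fields like the SSH username are the more reliable carriers from the thread's list.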

@Dodge didn't you set your browser user-agent to the eicar string for a while? (re: @Mudge )

@emf @Mudge I don't recall doing that, but it's a good idea. Run a "host -t txt dmumford.com" though.

@Dodge Huh.. I thought it was you.. I know SOMEONE I know did that, and I'm pretty sure it was someone that worked at NFR.

@Mudge plz be sure to put one of those "This message has been virus-scanned" footers above or below the fake virus content. Seeing that helps me feel reassured.
