Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.

Example:

Change your mail sig to:
X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.

The some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!

What are your ideas?

Inspired by: sec.cs.tu-bs.de/pubs/2017-asia

@Mudge I'll actually be showing a hilarious Erlang trick with this at next week based on your initial bump of the post. Trust me, you'll plotz :>

Follow

@donb cool, please share with me earlier if you can.

Other off the top of the head tricks (some need a different sig):

Password: quarantine pw files that aren't encrypted

username: utmp/wtmp

syslog to local/remote: zorch certain logs based on log level etc.

Browser strings: logs

DNS additional records: local lookup caches

SMTP X-headers: mail files/spools

Anything across the net to bork IDSes running AV.

This is a gift that keeps on giving!

Other ideas?

@Mudge At a high level is you insert the EICAR test string into the Erlang virtual machine's memory.

When BEAM (the VM) crashes, it automatically writes out a crash file (not a core dump, an Erlang specific format file). The EICAR sig will be written into it, causing it to be auto-deleted in certain A/V.

This is a useful in environments where you can get code execution within Erlang, but you can't alter files outside of the VM, and you can't maintain persistence once the VM exits.

@Tanuki @Mudge yes, if you plant the EICAR string in files then when they cross the boundaries you can see them trigger even basic rules on clamAV (i.e. use ClamAV purely as an exfiltration detection mechanism without the other rules).

It is similar in concept to CanaryTokens (canarytokens.org/).

Sign in to participate in the conversation
Mastodon

The original server operated by the Mastodon gGmbH non-profit