Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.

Example:

Change your mail sig to:
X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.

Then some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!

What are your ideas?

Inspired by: sec.cs.tu-bs.de/pubs/2017-asia

@Mudge I'll actually be showing a hilarious Erlang trick with this at next week based on your initial bump of the post. Trust me, you'll plotz :>

@donb cool, please share with me earlier if you can.

Other off the top of the head tricks (some need a different sig):

Password: quarantine pw files that aren't encrypted

username: utmp/wtmp

syslog to local/remote: zorch certain logs based on log level etc.

Browser strings: logs

DNS additional records: local lookup caches

SMTP X-headers: mail files/spools

Anything across the net to bork IDSes running AV.

This is a gift that keeps on giving!

Other ideas?


@Mudge At a high level, you insert the EICAR test string into the Erlang virtual machine's memory.

When BEAM (the VM) crashes, it automatically writes out a crash file (not a core dump, an Erlang specific format file). The EICAR sig will be written into it, causing it to be auto-deleted in certain A/V.

This is useful in environments where you can get code execution within Erlang, but you can't alter files outside of the VM, and you can't maintain persistence once the VM exits.

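The replies above describe planting the EICAR test string in anything that ends up on disk (web logs, auth logs, syslog, BEAM crash dumps) so that a scanner which quarantines the whole file removes the log. The defensive counterpart, added here as an example in Python that is not part of the thread, is to alert whenever the string shows up in attacker-supplied fields: a URL or query string, a username, free-text syslog. The sample lines are constructed, not real logs. The string used is the official EICAR definition with uppercase `AP` (the post above spells it `ap`), matched case-insensitively and after percent-decoding so that a copy encoded in a request line is still caught. The matching operational fix is to configure the scanner to report rather than quarantine for log and spool directories, so an alert fires but the evidence stays.

```python
import re
from urllib.parse import quote, unquote

# The official test string, split in two so that this source file is not itself a
# valid EICAR test file (the standard requires the string at offset 0 of a file).
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Case-insensitive so sloppy copies (lowercase "ap" as in the thread) still alert.
_EICAR_RE = re.compile(re.escape(EICAR), re.IGNORECASE)

# Constructed sample lines (not real logs): an HTTP access-log entry with the
# string percent-encoded in the query string, an sshd line with it as the
# username, a plain syslog line carrying it verbatim, and a benign cron line.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q='
    + quote(EICAR, safe="")
    + ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "Oct 10 13:55:40 host sshd[4242]: Invalid user " + EICAR + " from 203.0.113.7 port 51822",
    "Oct 10 13:55:41 host app[77]: note=" + EICAR,
    "Oct 10 13:55:42 host cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
]


def contains_eicar(text: str) -> bool:
    """True if text embeds the EICAR string, either raw or percent-encoded."""
    return bool(_EICAR_RE.search(text) or _EICAR_RE.search(unquote(text)))


def classify(line: str) -> str:
    """Rough guess at which log family the line came from, for the alert text."""
    if '"GET ' in line or '"POST ' in line:
        return "http-access"
    if "sshd[" in line:
        return "auth"
    return "syslog"


def scan_lines(lines):
    """Return one (line_number, source, decoded_line) tuple per line that carries the string."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if contains_eicar(line):
            hits.append((number, classify(line), unquote(line)))
    return hits


if __name__ == "__main__":
    for number, source, decoded in scan_lines(SAMPLE_LINES):
        print(f"line {number} [{source}]: EICAR test string planted in log data")
```

Run it over a real file with `scan_lines(open(path, errors="replace"))`; the decoded line is returned so the alert can show the field the string was planted in, and the raw line stays untouched on disk.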
Mastodon

The original server operated by the Mastodon gGmbH non-profit