Using Malware In Penetration Testing

Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."The blog is by Gunter Ollmann and covers pen-testing from a historical perspective, with discussions about how the art (and science) of pen-testing has branched out during the years into specialized areas. It's an interesting read, but I think the article's point is going to be missed or skewed by many because Ollmann uses the term "malware" when talking about exploiting users and client-side applications.

If you were told the company performing pen-testing against your organization was planning to use malware to try and penetrate your systems, then how would your CIO/CISO respond? Probably with a resounding, "Hell, no!" The truth is, we as security professionals use "malware" all the time. I can't tell you how many times I've had my tools folder decimated because my antivirus software decided to forget its exclusion rules and instead deleted a bunch of my tools it deemed malicious.

But in information security, one man's tool is another man's malware. What Ollmann is describing as a pen-test using malware is what Chris Gates of the Carnal0wnage blog has referred to as many times as full-scope penetration testing. In the simplest of terms, instead of limiting a pen-test to only include Internet-facing systems, systems containing sensitive information, or some other arbitrary limitation, a full scope pen-test includes ALL systems -- including users.

Gunter is using the term malware to refer to the tools that currently exist for creating custom code that can be used to compromise systems the same way an attacker would with a malicious Website. His example is saying, "Prove it" when confronted by a statement like: "Drive-by downloads are a fact of life, and all it takes is one unpatched host to browse a dangerous site to infect our network. But that's okay, because we have anomaly detection systems and DLP, and we'll stop them that way."

In truth, there are many do-it-yourself malware creation kits that attacks use, but I don't think any reputable pen-tester is going to go out and get one of them. Instead, we have well-known and well-respected tools, like the Metasploit Framework and Core IMPACT, that provide us with the same capabilities to exploit users and systems through phishing and client-side attacks.

We don't need malware creation kits and the risks of using them....or is that what Ollmann was calling tools like Metasploit or IMPACT? It certainly wouldn't be the first time a tool like netcat or Sysinternals pstools was labeled as malware and deleted by AV, because tools we've used for good as infosec pros were also used for malicious purposes. No matter the distinction, the reality is that comprehensive, full-scope pen-tests using the methods described in Ollmann's blog are taking place, and have been for a couple of years now.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.