Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/22/2009
03:13 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Using Malware In Penetration Testing

Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."

Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."The blog is by Gunter Ollmann and covers pen-testing from a historical perspective, with discussions about how the art (and science) of pen-testing has branched out during the years into specialized areas. It's an interesting read, but I think the article's point is going to be missed or skewed by many because Ollmann uses the term "malware" when talking about exploiting users and client-side applications.

If you were told the company performing pen-testing against your organization was planning to use malware to try and penetrate your systems, then how would your CIO/CISO respond? Probably with a resounding, "Hell, no!" The truth is, we as security professionals use "malware" all the time. I can't tell you how many times I've had my tools folder decimated because my antivirus software decided to forget its exclusion rules and instead deleted a bunch of my tools it deemed malicious.

But in information security, one man's tool is another man's malware. What Ollmann is describing as a pen-test using malware is what Chris Gates of the Carnal0wnage blog has referred to as many times as full-scope penetration testing. In the simplest of terms, instead of limiting a pen-test to only include Internet-facing systems, systems containing sensitive information, or some other arbitrary limitation, a full scope pen-test includes ALL systems -- including users.

Gunter is using the term malware to refer to the tools that currently exist for creating custom code that can be used to compromise systems the same way an attacker would with a malicious Website. His example is saying, "Prove it" when confronted by a statement like: "Drive-by downloads are a fact of life, and all it takes is one unpatched host to browse a dangerous site to infect our network. But that's okay, because we have anomaly detection systems and DLP, and we'll stop them that way."

In truth, there are many do-it-yourself malware creation kits that attacks use, but I don't think any reputable pen-tester is going to go out and get one of them. Instead, we have well-known and well-respected tools, like the Metasploit Framework and Core IMPACT, that provide us with the same capabilities to exploit users and systems through phishing and client-side attacks.

We don't need malware creation kits and the risks of using them....or is that what Ollmann was calling tools like Metasploit or IMPACT? It certainly wouldn't be the first time a tool like netcat or Sysinternals pstools was labeled as malware and deleted by AV, because tools we've used for good as infosec pros were also used for malicious purposes. No matter the distinction, the reality is that comprehensive, full-scope pen-tests using the methods described in Ollmann's blog are taking place, and have been for a couple of years now.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10287
PUBLISHED: 2020-07-15
The IRC5 family with UAS service enabled comes by default with credentials that can be found on publicly available manuals. ABB considers this a well documented functionality that helps customer set up however, out of our research, we found multiple production systems running these exact default cre...
CVE-2020-10288
PUBLISHED: 2020-07-15
IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.
CVE-2020-15780
PUBLISHED: 2020-07-15
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
CVE-2019-17639
PUBLISHED: 2020-07-15
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This...
CVE-2019-20908
PUBLISHED: 2020-07-15
An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.