Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.
Example:
Change your mail sig to:
X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.
The some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!
What are your ideas?
Inspired by: https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf
@donb cool, please share with me earlier if you can.
Other off the top of the head tricks (some need a different sig):
Password: quarantine pw files that aren't encrypted
username: utmp/wtmp
syslog to local/remote: zorch certain logs based on log level etc.
Browser strings: logs
DNS additional records: local lookup caches
SMTP X-headers: mail files/spools
Anything across the net to bork IDSes running AV.
This is a gift that keeps on giving!
Other ideas?
@Mudge At a high level is you insert the EICAR test string into the Erlang virtual machine's memory.
When BEAM (the VM) crashes, it automatically writes out a crash file (not a core dump, an Erlang specific format file). The EICAR sig will be written into it, causing it to be auto-deleted in certain A/V.
This is a useful in environments where you can get code execution within Erlang, but you can't alter files outside of the VM, and you can't maintain persistence once the VM exits.
@Tanuki @Mudge yes, if you plant the EICAR string in files then when they cross the boundaries you can see them trigger even basic rules on clamAV (i.e. use ClamAV purely as an exfiltration detection mechanism without the other rules).
It is similar in concept to CanaryTokens (https://canarytokens.org/).
Mudge
donb
Tanuki
cynicalsecurity ->@bsd.network