Wanting to test some HIDS products, I was looking for some tools (/scripts) to mimic malware / spyware behaviour without using actual malware, which I don't have, by the way. Two friends of mine (thanks guys) pointed me to Spycar.
Spycar is a suite of tools designed to mimic spyware-like behavior, but in a benign form. Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool. Spycar runs only on Windows, the same platform most targeted by spyware developers.
Is Spycar a Comprehensive Test of Anti-Spyware Tools?
No. Spycar models some behaviors of spyware tools to see if an anti-spyware tool detects and/or blocks it. But, spyware developers are very creative, adding new and clever behaviors all the time. Spycar tests for some of these common behaviors, but not all. Also, with its behavior-based modeling philosophy, Spycar does not evaluate the signature base, the user interface, and other vital aspects of an anti-spyware tool. Thus, Spycar alone cannot be used to determine how good or bad an anti-spyware product is. We’ve used it to find several gaps in anti-spyware product defenses, but Spycar is but one tool for analyzing one set of characteristics of anti-spyware products. A comprehensive review of anti-spyware tools should utilize a whole toolbox, of which Spycar may be one element. Ed Skoudis and Tom Liston wrote an article for Information Security Magazine comparing various enterprise anti-spyware tools, and Spycar was a small subset of our more comprehensive tests.
Well, Spycar is nice indeed. But somehow, I want to do more than these few tests. Any tips? Oh well, maybe I'll prepare a VMware lab and work with some real nasties. If I can make the time (as always).