#7 Nessus Versus Malware - Top Ten Things You Didn't Know About Nessus

Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:

Below are a few more examples of how Nessus can detect malware:

1. Nessus Network Checks

Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:

Screen Shot 2012 01 04 at 12 56 22 PM

Conficker and the Downadup worm used this method to propagate. This is a sure fire indication that the host has been compromised.

Nessus can also detect if one of your web sites is hosting malicious JavaScript. In this condition, two things are being detected: 1) The fact that your web site is vulnerable in some way which allows attackers to modify the content and 2) Clients going to the web site will likely get infected via the JavaScript code:

Screen Shot 2012 01 04 at 12 57 10 PM

The Lizamoon malware used this method to propagate.

2. Nessus Credentialed Plugin Checks

Nessus will use credentials to login to a system, on a Windows platform for example, and search the registry and file system for indications of well-known malware:

Screen Shot 2012 01 04 at 12 57 51 PM

Most strains of Zeus/Zbot can be detected in this manner.

A separate plugin (id 23910) can look at your system and identify if the Windows hosts file has been tampered with:

Screen Shot 2012 01 04 at 12 58 22 PM

Some malware will add entries to this file forcing entries to anti-virus software companies update servers to somewhere else.

Nessus will also check that any target IP address or host name is part of a known botnet. This check is performed against each target, and the known botnet hosts list is updated regularly via plugin updates and pulls from multiple sources.

Screen Shot 2012 01 04 at 12 58 57 PM

Nessus contains information about anti-virus software and identifies hosts with no anti-virus software installed, outdated anti-virus software installed, and definitions that are out-of-date.

3. Nessus Configuration Auditing Checks

Using configuration auditing Nessus can dig deeper into your systems and detect malware infections such as the Duqu virus and more!

Screen Shot 2012 01 04 at 12 59 29 PM

In addition to detecting the presence of anti-virus software that is contained in the plugins, audit files can tell you more information about your anti-virus installations, such as if the anti-virus software is set to start on boot.

Stay tuned for the next video in our series which will cover scanning IPv6 hosts!

More from the Tenable Blog