Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:
Below are a few more examples of how Nessus can detect malware:
1. Nessus Network Checks
Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:
Conficker and the Downadup worm used this method to propagate. This is a sure fire indication that the host has been compromised.
The Lizamoon malware used this method to propagate.
2. Nessus Credentialed Plugin Checks
Nessus will use credentials to login to a system, on a Windows platform for example, and search the registry and file system for indications of well-known malware:
Most strains of Zeus/Zbot can be detected in this manner.
A separate plugin (id 23910) can look at your system and identify if the Windows hosts file has been tampered with:
Some malware will add entries to this file forcing entries to anti-virus software companies update servers to somewhere else.
Nessus will also check that any target IP address or host name is part of a known botnet. This check is performed against each target, and the known botnet hosts list is updated regularly via plugin updates and pulls from multiple sources.
Nessus contains information about anti-virus software and identifies hosts with no anti-virus software installed, outdated anti-virus software installed, and definitions that are out-of-date.
3. Nessus Configuration Auditing Checks
Using configuration auditing Nessus can dig deeper into your systems and detect malware infections such as the Duqu virus and more!
In addition to detecting the presence of anti-virus software that is contained in the plugins, audit files can tell you more information about your anti-virus installations, such as if the anti-virus software is set to start on boot.
Stay tuned for the next video in our series which will cover scanning IPv6 hosts!