Analyzing Nessus Detected Malicious Processes Activity with the Log Correlation Engine

by Ron Gula
October 15, 2012

The data from Nessus malicious process checks can be immediately leveraged by SIEM and log search tools. In this blog post we will consider a very basic example of how a computer infected with the GameVance adware can be analyzed with the Log Correlation Engine (LCE).

Nessus performs checks on Windows computers for malicious and unwanted running processes. Plugins 59275 and 59641 leverage Windows credentialed auditing to enumerate all running processes and cross reference their checksums against an industry index of virus scanners.

Intelligent log analysis tools, such as the Log Correlation Engine, provide multiple methods to monitor logs from Windows hosts. The LCE can monitor Windows systems with an agent or with a remote WMI event log monitor, and it can also analyze real-time logs from the Passive Vulnerability Scanner (PVS), which include network file downloads, DNS queries, and web browsing history.

When system logs are aggregated in real-time along with Nessus malware testing, suspicious results can be investigated immediately.

To illustrate this, we configured a lab and infected a target Windows 7 computer with the relatively benign GameVance adware. The lab leveraged a SecurityCenter, a Nessus scanner, a Log Correlation Engine, and a Passive Vulnerability Scanner.

The SecurityCenter was configured with a variety of real-time alerts, including one for plugin 59641 which identifies unwanted processes as shown in the screen shot below:

[Screenshot 1: alert]

The actual Nessus result for plugin 59641 is shown below:

[Screenshot 2: sep30]

SecurityCenter tracks that this particular plugin has been active on our target at 192.168.1.11 since August and was seen recently. It also identifies the infected DLL and the process IDs associated with the software in question.

Switching to our Log Correlation Engine event view, I searched for logs from the system’s known IP address and the process ID of 2548 and obtained the following search results:

[Screenshot 3: still running]

These are Windows event logs that log network connections through the local filtering system. A different Windows computer with a lighter auditing policy may not generate similar logs, but in this case, it is very useful to be able to investigate the actual process ID and see what was occurring.
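The pivot described above (known host IP plus process ID, then a look at what that process connected to), as an added example that is not code from the post or from any Tenable product. The log lines are constructed, loosely modelled on Windows Security event 5156 (Windows Filtering Platform permitted a connection) and 4688 (process creation); the flattened line format, the second host 192.168.1.12, and the destination addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample events, flattened to one line per event the way a
# collector might forward them. Host 192.168.1.11 and PID 2548 are the values
# the post investigates; every other value here is made up.
SAMPLE_LOGS = [
    "2012-09-30T10:01:02 192.168.1.11 EventID=5156 ProcessID=2548 App=iexplore.exe Dest=203.0.113.10:80",
    "2012-09-30T10:01:05 192.168.1.11 EventID=5156 ProcessID=1234 App=svchost.exe Dest=192.168.1.1:53",
    "2012-09-30T10:02:17 192.168.1.11 EventID=5156 ProcessID=2548 App=iexplore.exe Dest=203.0.113.10:80",
    "2012-09-30T10:03:40 192.168.1.11 EventID=5156 ProcessID=2548 App=iexplore.exe Dest=198.51.100.7:443",
    "2012-09-30T10:04:00 192.168.1.12 EventID=5156 ProcessID=2548 App=explorer.exe Dest=198.51.100.7:443",
    "2012-10-01T09:15:30 192.168.1.11 EventID=4688 ProcessID=2548 App=iexplore.exe",
    "garbage line that the collector mangled",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) ProcessID=(?P<pid>\d+)"
    r" App=(?P<app>\S+)(?: Dest=(?P<dest>\S+))?$"
)

def pivot_on_process(lines, host, pid):
    """Return parsed events for one PID on one host.

    PIDs only mean something per host (and are recycled after a reboot),
    so the host is part of the key, not an optional filter.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["host"] == host and int(m["pid"]) == pid:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Condense the pivot into what an analyst reads first."""
    if not hits:
        return None
    apps = sorted({h["app"] for h in hits})
    timestamps = sorted(h["ts"] for h in hits)  # ISO-8601 sorts lexically
    return {
        "events": len(hits),
        "first_seen": timestamps[0],
        "last_seen": timestamps[-1],
        "applications": apps,
        # Two image names under one PID means the PID was recycled; narrow
        # the time window before trusting the trail as one process's history.
        "pid_reuse_suspected": len(apps) > 1,
        "destinations": Counter(h["dest"] for h in hits if h["dest"]),
    }

if __name__ == "__main__":
    print(summarize(pivot_on_process(SAMPLE_LOGS, "192.168.1.11", 2548)))
```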

The process that was running was Internet Explorer. The DLL in question was adware attached to the browser. When we set this lab up, I had installed some software which also silently installed the GameVance adware, and I left Internet Explorer running. Having a process like this run continuously for multiple days is similar to what some types of simplistic malware do. Within the LCE, looking for the activity associated with this process ID turned up several traces in local Windows event logs:

[Screenshot 4: history]

Additionally, it is worth noting that the LCE summarizes all executed processes each day for a quick look:

[Screenshot 4a: more history]

Obviously, more advanced malware can hide from the process tree, edit or delete logs, and even attack SIEM and log collection agents. Most malware does not do this, though. Since Nessus identifies malware by looking into the running process tree, it is likely that there will also be logs and Windows events associated with anything it finds.

It is also worth noting that the real-time network logs from the Passive Vulnerability Scanner could be used to analyze which files and network interactions resulted in the infection. Below is a screen shot from August (two months ago) showing the actual .exe downloads I had done to install some shareware software, which resulted in the GameVance infection:

[Screenshot 6: network traffic]

Conclusions

If you have a positive malware or unwanted program detection with Nessus, monitoring what the process is doing can be accomplished with system log analysis and network traffic. Your response to a Nessus malware infection, or even a Nessus botnet detection, should really be no different than if your anti-virus system or intrusion detection had found something suspicious.

For more information on how Tenable solutions can be used to identify malware and botnets, please consider the following blog entries, dashboards and YouTube videos:

For more detailed examples and discussions of Tenable product capabilities, please join the conversations at the Tenable Discussion Forums or follow us on Twitter @tenablesecurity.