Detecting Malware Distribution With Nessus

Many of today's worms and viruses use interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server on each victim so that newly compromised hosts can connect to it and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322, "HTTP Backdoor Detection":

[Screenshot: HTTP-Malware-1.png, Nessus plugin 35322 "HTTP Backdoor Detection" result]

Note that Nessus performs service detection to discover applications running on non-standard ports. The port displayed in the above example (15871/TCP) is chosen at random by the worm, so be sure your scan is configured to run against all 65535 ports and that "Probe services on every port" is enabled. If a host is found running this service, it is most likely infected. To mitigate, run the removal tools for popular malware such as Conficker, or rebuild the host. Nessus will also detect a non-HTTP service distributing an MS executable, using plugin 33950, "MS executable detection", as described in the Tenable blog post titled "Detecting Microsoft Executables Being Served by an Unknown Service with Nessus". With both of the above plugins, Nessus downloads the binary and produces an MD5 checksum. You can then check whether the malware has already been recognized on the VirusTotal web site:

[Screenshot: Malware-Virustotal.png, VirusTotal lookup of the downloaded binary's checksum]
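To make the detection logic above concrete, here is an added example (my own code, not a Nessus plugin and not from the original post) that does in miniature what plugins 35322 and 33950 do: it checks whether a response body carries a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature, treats a service as a distribution backdoor when every unrelated request path returns such an executable, and produces MD5 and SHA-256 checksums for a VirusTotal lookup. The `probe_http_service` function, the `PROBE_PATHS` list and the constructed fake PE bytes are all assumptions for illustration; the offline demo never touches the network.

```python
import hashlib
import http.client
import struct
from typing import Dict


def build_fake_pe() -> bytes:
    """Constructed sample: the smallest byte string that passes a DOS/PE header check.

    Layout follows the real PE format: 'MZ' at offset 0, the 4-byte e_lfanew field at
    offset 0x3C (60), and the 'PE\\0\\0' signature at the offset e_lfanew points to.
    """
    dos_header = bytearray(b"MZ" + b"\x00" * 58)       # bytes 0..59
    dos_header += struct.pack("<I", 64)                 # e_lfanew = 64
    pe_header = b"PE\x00\x00" + b"\x00" * 20            # signature + padding
    return bytes(dos_header) + pe_header + b"constructed-payload-bytes"


def looks_like_ms_executable(body: bytes) -> bool:
    """True if body starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 64 or body[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", body, 0x3C)[0]
    return body[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def is_executable_backdoor(responses: Dict[str, bytes]) -> bool:
    """Backdoor heuristic: every distinct request path was answered with an executable.

    A legitimate web server returns HTML, 404 pages or redirects for unrelated paths;
    a malware distribution server returns the same binary regardless of the request.
    """
    return bool(responses) and all(looks_like_ms_executable(b) for b in responses.values())


def fingerprint(body: bytes) -> Dict[str, str]:
    """Checksums a responder would paste into VirusTotal (MD5 as the plugins report, plus SHA-256)."""
    return {
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
        "size": str(len(body)),
    }


# Assumed probe set: several paths no ordinary site would answer identically.
PROBE_PATHS = ["/", "/index.html", "/robots.txt", "/nessus-probe-does-not-exist"]


def probe_http_service(host: str, port: int, timeout: float = 5.0) -> Dict[str, bytes]:
    """Live check (needs network): GET each probe path from host:port and collect the bodies.

    Run this only against hosts you are authorised to scan; it is the manual equivalent
    of pointing Nessus plugin 35322 at a suspicious port such as the 15871/TCP above.
    """
    responses: Dict[str, bytes] = {}
    for path in PROBE_PATHS:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": "malware-distribution-check"})
            responses[path] = conn.getresponse().read()
        finally:
            conn.close()
    return responses


if __name__ == "__main__":
    # Offline demonstration on constructed responses: an infected host answers every
    # path with the same binary, a normal server answers with HTML.
    infected = {path: build_fake_pe() for path in PROBE_PATHS}
    healthy = {path: b"<html><body>not found</body></html>" for path in PROBE_PATHS}
    print("infected host flagged:", is_executable_backdoor(infected))
    print("healthy host flagged:", is_executable_backdoor(healthy))
    print("checksums to look up:", fingerprint(infected["/"]))
```

The header check is deliberately structural rather than a simple `startswith(b"MZ")`, because many non-executable files (and plenty of random binary blobs) start with those two bytes; requiring e_lfanew to land on a "PE\0\0" signature is what distinguishes a Windows executable from noise. The checksum dictionary is what you would search on VirusTotal once the binary is in hand.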

Nessus also detects specific malware payloads with plugin id 31854, "Malware Payload Code detection":

[Screenshot: DetectMalwareOnPort.png, Nessus plugin 31854 "Malware Payload Code detection" result]

Of course, the best approach is to proactively protect your network and systems rather than scan for a particular issue that is getting media attention.

The Conficker worm infects systems and spreads using the following three mechanisms:

    1) Performs password brute-forcing on Windows systems

    2) Exploits the MS08-067 vulnerability

    3) Adds itself to any removable/network drives

Source: Downadup/Conficker Worm Removal, SecureWorks Threat Analysis Blog

Proactive security measures can ensure protection against all of these attack vectors without taking special actions just for a particular new worm. A strong authentication policy, regular system patching and monitoring for removable devices are all security measures that provide protection from Conficker. Tenable's products can be used in a proactive manner to help protect your network, as described in the following previous posts to the Tenable blog:

References:
