Plugin Updates: Malicious Process & Botnet Detection
Malicious Process Detection Updates
A short time ago, Tenable released a new plugin to perform Malicious Process Detection (plugin ID 59275). Originally, it identified all possible malicious processes and reported the risk level as "High." This has now been split into two plugins; the original plugin that detects processes as malware which now uses the risk level of "critical," and a new plugin titled Malicious Process Detection: Potentially Unwanted Software (plugin ID 59641):
Click for larger image
The difference between the two plugins is the intent of the malicious software. For example, "Netcat" is a popular tool that can be used for network troubleshooting or by attackers for "evil" purposes such as backdoors. These two separate malware plugins will allow customers to more easily differentiate between policy violations and systems that are infected with malware unmistakable for any legitimate program.
Inbound & Outbound Botnet Detection
The botnet database-checking plugin now differentiates between outbound and inbound connections associated with botnet activity:
- Plugin ID 58430 - Active Outbound Connection to Host Listed in Known Bot Database - Detects when the target has an outbound connection to a host that is listed in a public database as part of a botnet. This is a strong indication the host may be compromised (risk factor is "High").
- Plugin ID 59713 - Active Inbound Connection From Host Listed in Known Bot Database - Detects when the target has an inbound connection from one or more hosts that are listed in a public database as part of a botnet (risk factor is "none" or informational).
Often times, a busy email server or Skype user will trigger plugin 59713, meaning a host participating in a botnet is connecting to one of your systems. While this behavior may be suspicious, it is not a definitive indication that your system is compromised. For this reason, plugin 59713 is classified as risk factor of "none." However, if a system in your environment has an outbound connection to a host known to be participating in a botnet, this can be a strong indication of being compromised (therefore earning a risk factor of "high").
By separating both the malicious process and botnet host detection plugins, we hope to allow customers to more easily prioritize, and react, to events that require immediate action. You can now filter on plugins 58430 (Active Outbound Connection to Host Listed in Known Bot Database) and 59275 (Malicious Process Detection) and quickly review more critical security issues in your network.