Tenable Blog

Using Nessus to Discover Malware and Botnet Hosts

When performing a vulnerability scan (or even a penetration test), you must be able to spot a host that is already compromised, contains malware, or is part of a botnet. When malware exists on a host you're testing, the right course of action is to switch from scanning or penetration testing mode into forensics mode to determine how the system was compromised and implement a plan to remove the backdoors that may exist. Unfortunately the best way to be certain all malware has been removed is to format the hard drive and re-install the operating system and all software (provided malware has not hidden inside the BIOS, UEFI, or other hardware sub-system).

Tenable has released several plugins to identify hosts in your environment that show signs of a compromise such as containing malware or participating in a botnet. The steps below outline which plugins to enable and how to create filters to easily find the relevant plugins. You can also download a sample policy that has been pre-configured to include all of the steps below.

Sample policy (downloadable .nessus policy file): Discover Malware and Botnet Hosts Nessus Policy

Please note that some of the enabled plugins will require credentials for your Windows targets, and you can provide them in the credentials tab inside the policy.

Fortunately, Nessus contains several plugins to identify the problems described above. Creating the policy is pretty simple:

Step 1: Enable the “Backdoors” Plugins Family

The "Backdoors" family contains plugins that can search for a variety of malware and viruses installed on your systems. It includes older malware, such as the "Bagle Worm," and newer malware such as Stuxnet (as a general rule, Nessus plugins are written for the more popular malware and backdoors).

[Screenshot: Nessus Backdoor plugins] A selection of "Backdoor" plugins available in Nessus.

Also included with the Backdoors plugins is a hosts file check for Windows targets. The Windows hosts file entries are compared against a list of entries known to be included as a result of malware.
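The hosts file check described above is a simple idea to reproduce outside Nessus, and doing so shows what the plugin has to get right: the file format allows comments, blank lines and several hostnames per address, and a single planted line is enough to keep a victim from reaching its update servers. The following Python is an added example written for this post, not Tenable's plugin code; the malware indicator list and the sample hosts file in it are constructed for the demonstration, not taken from a real feed.

```python
"""Hosts-file check in the spirit of the Backdoors-family plugin described above.

Added, stand-alone example (not Tenable's plugin code): it parses the Windows
hosts file format and flags entries that either match a list of entries known
to be planted by malware or point a hostname at a known-bad address. The
indicators and the sample hosts file are constructed for the demo.
"""
import ipaddress

# Constructed indicators, not a real feed. Malware commonly pins security-vendor
# or update hostnames to loopback so the victim cannot fetch new signatures.
MALWARE_HOSTS_ENTRIES = {
    ("127.0.0.1", "update.antivirus-vendor.example"),
    ("127.0.0.1", "windowsupdate.example"),
}
# Constructed sink-hole/C2 address (RFC 5737 TEST-NET-3 range).
KNOWN_BAD_IPS = {"203.0.113.45"}

# Constructed sample of C:\Windows\System32\drivers\etc\hosts from a compromised host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.example   # planted by malware
203.0.113.45    www.mybank.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.

    Comments start at '#', blank lines are skipped and one line may map several
    hostnames to the same address; malformed lines are ignored rather than
    aborting the check.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalise, reject garbage
        except ValueError:
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def find_suspicious_entries(text):
    """Return (line_no, ip, hostname, reason) for each entry matching an indicator."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in MALWARE_HOSTS_ENTRIES:
            findings.append((line_no, ip, name, "known malware hosts entry"))
        elif ip in KNOWN_BAD_IPS:
            findings.append((line_no, ip, name, "hostname redirected to known-bad address"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s %s (%s)" % finding)
```

Two kinds of hit are reported separately because they mean different things to the responder: an exact (address, hostname) match is a fingerprint of a specific malware family, while any hostname pointed at an address from the known-bad list indicates traffic redirection regardless of which name was hijacked.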

Step 2: Create a Filter to Find All Botnet-related Plugins

Further filters can be created to detect malware, including the following two plugin sets:

[Screenshot: Nessus Botnet Filters] Searching for keywords in the plugin name, this filter will allow you to enable several specific Nessus plugins for malware and botnet detection.

Step 3: Enable Malicious Process Detection Plugins

Once the filter in Step 2 has been applied, you can enable the relevant plugins, including:

[Screenshot: Nessus Botnet plugins] Recent updates allow Nessus to detect malware associated with the APT1 attacks and malware signed by the stolen CA certificate from Bit9.

If credentials are supplied, Nessus will report, for each target, on the active connections (both incoming and outgoing) that are associated with known botnet hosts. If the DNS server or any target given to Nessus is listed in a known botnet database, the associated plugins will report that condition.

You can also use malicious process detection to define a list of processes to look for on your own systems with the "Malicious Process Detection: User Defined Malware Running" plugin. For example, if a process was found running on a system that was compromised, and not yet detected by anti-virus software, you can enter the checksum for it and have Nessus report on hosts running that particular process.
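To make the user-defined check concrete, here is an added Python example (written for this post, not Tenable's plugin code) of the matching logic behind it: a text list of hashes supplied by the analyst is loaded, each running process image is hashed, and any process whose digest appears in the list is reported. The list format used here (one hex digest per line, "#" comments allowed) is an assumption for the demonstration and not the plugin's documented input format, and the "running processes" are constructed in-memory images so the script runs offline. It goes slightly beyond the text by accepting MD5, SHA-1 and SHA-256 entries in one list, distinguished by digest length.

```python
"""User-defined malware hash check, modelled on the idea behind the Nessus
"Malicious Process Detection: User Defined Malware Running" plugin.

Added example, not Tenable's plugin code. The hash list format (one hex digest
per line, '#' comments allowed) is an assumption for the demo, and the process
images are constructed byte strings rather than live processes.
"""
import hashlib

# Digest length -> hashlib constructor. Accepting all three lets one list mix
# MD5 (32 hex), SHA-1 (40 hex) and SHA-256 (64 hex) entries.
DIGEST_ALGOS = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}
HEX_DIGITS = set("0123456789abcdef")


def load_hash_list(text):
    """Parse the hash list into a set of lowercase hex digests; reject malformed lines."""
    hashes = set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if len(entry) not in DIGEST_ALGOS or not set(entry) <= HEX_DIGITS:
            raise ValueError("line %d: %r is not an MD5/SHA-1/SHA-256 hex digest"
                             % (line_no, entry))
        hashes.add(entry)
    return hashes


def digests_of(data):
    """Return the MD5, SHA-1 and SHA-256 hex digests of an executable image."""
    return {algo(data).hexdigest() for algo in DIGEST_ALGOS.values()}


def find_flagged_processes(processes, bad_hashes):
    """processes: iterable of (pid, image_path, image_bytes).

    Returns (pid, image_path, matching_digest) for every process whose image
    hashes to an entry in bad_hashes, which is what the plugin would report.
    """
    flagged = []
    for pid, path, image in processes:
        for digest in sorted(digests_of(image) & bad_hashes):
            flagged.append((pid, path, digest))
    return flagged


# Constructed sample data: a fake backdoor image whose hash an analyst added to
# the user-defined list after finding it on one compromised host, plus two
# unrelated processes. None of this is real malware.
MALICIOUS_IMAGE = b"MZ\x90\x00constructed-backdoor-image-not-real-malware"
USER_HASH_LIST = ("# constructed user-defined malware list\n%s\n"
                  % hashlib.md5(MALICIOUS_IMAGE).hexdigest())
SAMPLE_PROCESSES = [
    (412, r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00constructed-benign-image-1"),
    (2280, r"C:\Users\Public\update.exe", MALICIOUS_IMAGE),
    (3016, r"C:\Program Files\App\app.exe", b"MZ\x90\x00constructed-benign-image-2"),
]


if __name__ == "__main__":
    bad = load_hash_list(USER_HASH_LIST)
    for pid, path, digest in find_flagged_processes(SAMPLE_PROCESSES, bad):
        print("PID %d %s matches user-defined hash %s" % (pid, path, digest))
```

Rejecting malformed list entries up front matters more than it looks: a typo in a hash silently produces a list that never matches anything, and the scan then reports a clean host with no indication that the check was broken.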

Step 4: Enable Botnet Detection Plugins

The last set of plugins to enable for this scan is for botnet host detection:

[Screenshot: Nessus Botnet plugins] The target host, DNS server, and IP addresses listed in the connection tables (results from the "netstat" command) are cross-referenced with known botnet lists.

For more information on how Nessus is able to report hosts participating in a botnet, see the post titled "Plugin Updates: Malicious Process & Botnet Detection".

Step 5: Review the Results

The results from the plugins mentioned above will vary, depending on your environment. Hopefully, they don’t uncover malware in your environment! Below is an example of the malicious process detection plugin, which has triggered against the host 172.20.5.18:

[Screenshot: Nessus Botnet Results]

Conclusion

Nessus is capable of running several types of scans, and each has a specific purpose or focus. I like to recommend smaller, focused scans to obtain immediate and actionable results. I also recommend using larger, more encompassing scans with all the plugins enabled for correlation, data mining, and assessing risk based on ever-changing factors.

More focused scans mean more focused results, which you can share with the appropriate people in your organization and build a response program around. For example, your response to finding a machine that contains malware differs from your response to finding a machine with a missing patch. Not only are there likely two separate groups that deal with malware and patching, but, in most cases, removing malware is a higher priority than applying a patch.

Using Tenable SecurityCenter, you can share the scanning load across multiple scanners and create several scan templates and policies for different systems and for different goals. SecurityCenter extends the power of Nessus and also allows you to create user accounts for people in your organization so they can initiate their own scans and track remediation.
