APT1-Related SSL Certificate Detected

This script is Copyright (C) 2013 Tenable Network Security, Inc.
Synopsis :

An SSL certificate used in a malware-based command and control
infrastructure was detected on the remote host.

Description :

An SSL certificate associated with the group known as APT1 was
detected on the remote host. APT1's command and control
infrastructure uses several self-signed certificates to encrypt
its communications. The remote host appears to be using one of
these certificates, which indicates it may have been compromised.

See also :

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip

Solution :

Determine if the system has been compromised, restore from a set of
known good backups if necessary, and investigate your network for further
signs of a breach.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: General

Nessus Plugin ID: 64688