Stealer Malware

by Cody Dumont
May 27, 2014

The “Stealer” malware is new a threat to systems on the network. Tenable's Ken Bechtel wrote about the exact nature of the attack is not yet known, but SecurityCenter users have an opportunity to get ahead of the malware using Nessus, LCE, and PVS.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets.  The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2

The malware uses a common technique to conceal its true purpose by posing as legitimate software.  While the true purpose of the malware has yet to be identified, Tenable customers can quickly identify vulnerable systems using SecurityCenter Continuous View (SC CV).  When customers use SC CV, vulnerabilities are detected from many sources, such as event logs, active scanning and passive detection.  This dashboard contains five components, which assist security analysts and system administrators in identifying systems vulnerable to the Stealer malware.

Stealer Malware - Autorun, Network Analysis, and Daily User Summary: This component encompasses several aspects of SecurityCenter Continuous View by monitoring Windows Logon AutoRuns, vulnerabilities based on port 80, 21 containing the strings 'intel-update.com', and 'office.windows-essentials.tk'.  The LCE also monitors for command usage with Daily User Summary alerts, and DNS queries for the aforementioned strings.  Nessus plugin 70621, "Microsoft Windows AutoRuns Logon", includes the most common startup locations used by programs.  These autorun commands are commonly associated with programs that start automatically when a computer is turned on, users log in, users log off, and remote sessions are started.  Such keys can be set from a program installation, GPO, or through a malicious process to maintain persistence. 

Stealer Malware - Auditing for the Rogue Applications and Services: This component covers several aspects of monitoring, starting with GPO Events captures in logs to identifying unique services on systems. The Service Enumeration indicator uses plugin 10456 to identify services using the SMB protocol; a list of active and inactive services are listed for each host. The Bad AutoRuns & Scheduled Tasks indicator uses plugin 74442 to identify systems with registry entries that are known to be associated with known malware identified by threat intelligence from ThreatGRID.  The Network Services indicator uses plugin 11154 to report when banners were retrieved, but Nessus was unable to determine the service running. The Unique AutoRuns uses plugin 70628 to gather the autorun entries from similar machines and compare the output against each other to find unique entries. The Running Processes indicator uses plugin 70768 to identify when one or more running processes on the remote Windows host are not present in a database of 'known good' or 'known bad' software.

Stealer Malware - MD5 Hashes: This component uses the Malicious Process Detection plugins to monitor for the associated MD5 hashes identified by the FBI.  Additionally, an indicator is used to help identify all the Malicious Process Detection plugins currently in SecurityCenter.   There are several plugins to identify malicious processes, of which some focus on operating systems such as Windows, Linux, or Mac OS X.  Others allow for security administrators input their own MD5 hashes and check for MD5 hashes identified by Mandiant. 

Account Weakness - Suspicious Login Activity (Events from Last 72 Hours): This matrix shows potentially suspicious login activity. This activity can bring attention to accounts that are more threatened and require greater protection.

Stealer Malware - Windows Process Information: This component monitors Microsoft Windows process information.  While the plugin is mostly informative, this indicator uses the plugin for forensic investigation and malware detection purposes.  The filters apply the name of the process in the vulnerability text field and change color to yellow when matched.