Virus Auditing

Nessus and the Fight against Viruses

by Ron Gula on July 7, 2010

We’ve blogged many times over the past few years about how Nessus can be used to scan systems for both the presence of some viruses as well as the presence of an effective antivirus solution. This blog provides an overview of all current Nessus virus and antivirus technologies available to HomeFeed, ProfessionalFeed and SecurityCenter users.

Research Spotlight: The Evil That Bots Do

by Paul Asadoorian on July 1, 2010

It’s All About the Information

cosmo.jpg
"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!"
- "Cosmo", From the movie "Sneakers" (1992)

The last part of the quote above always seems to play in my head during the course of an average day in information security. It really is all about information in many different aspects. One aspect I would like to highlight is collecting information about those who are attacking you. Specific information potentially useful to those defending networks and systems could be:

  • The Software Itself - Perhaps the most useful information you can have, understanding what the malicious software (a.k.a. "malware") does is critical in being able to detect, prevent and remove it from your systems.
  • The Users - Understanding how and why the end-user is using the software can provide some useful information (admittedly not as useful as analyzing the software itself). Malware can give an attacker a host of features. Knowing which ones are using it for denial of service attacks, and which groups are stealing bank data can help aid detection and forensics analysis (on both the system and the network).
  • The Programmer - Probably the least useful to those defending networks on an everyday basis. Most authors of malware are most-likely motivated by profit, and create software to sell on the black market. Sometimes interesting things can be found in the software itself, indicating potentially where the software was created and providing hints as to the author's skill level.

I'd like to highlight some of the above information in this article (and an upcoming podcast) as it relates to botnets and malware. There is an endless supply of malware designed to perform a wide-array of "evil biddings". There is an entire economy behind botnets, including outsourcing, marketing and shady business schemes. All of this activity is happening on our networks today, leading to service disruptions from distributed denial of service (DDoS) attacks to theft of banking information.

Tenable has produced several configuration audits and updates to enterprise products, such as the Log Correlation Engine (LCE) and Passive Vulnerability Scanner (PVS), to help detect this activity in your environment. Nessus ProfessionalFeed customers can download the configuration auditing files that detect malware from the Tenable Support Portal Virus Detection Policies page (requires a Tenable Support Portal Login). For more detailed information on how Nessus is able to detect viruses, refer to the article Auditing Infected Systems for Viruses and Trojans with Nessus.

novirus.jpg
'

Being Pro-Active Against the "0-Day" Threat

by Paul Asadoorian on January 21, 2010

Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees’ computer systems. This event has sparked the release of Microsoft Security Bulletin MS10-002 - Critical , and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8, and enable DEP (Data Execution Prevention). On January 21, 2010 Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer version 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 & 7, and there are several people who have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article).

Being Proactive

Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization’s overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.

Detecting Malware Distribution With Nessus

by Paul Asadoorian on March 31, 2009

Many of today's latest worms and viruses are using interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server for victims to connect to and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322 "HTTP Backdoor Detection":

HTTP-Malware-1.png

Auditing Infected Systems for Viruses and Trojans with Nessus

by Ron Gula on January 22, 2009

Have you ever been in the situation where you have found a server or desktop Windows system that was infected with a virus, Trojan, rootkit or malware and you wanted to scan your network to see if other systems had similar issues?  Nessus ProfessionalFeed and Security Center users can leverage the compliance auditing features of Nessus to look for evidence of hostile software on their network.

Background

Auditing Anti-virus Software without an Agent

by Ron Gula on July 28, 2008

Most enterprises are required  to run some sort of Anti-virus (AV) software on all or a portion of their desktops and servers and report on the status of the deployment. This blog entry discusses some of the limits of self-reporting within an anti-virus application and how Nessus can help you detect systems that are not AV compliant.

Self Reporting with Anti-Virus Software

Auditing Anti-Virus Products with Nessus

by Ron Gula on February 15, 2007

For credentialed scans of Windows systems, Nessus can detect the presence of many leading anti-virus solutions. This blog entry will discuss what sort of information can be reported, how this is relevant for compliance and vulnerability audits and the specific anti-virus solutions supported.

Auditing Anti-Virus Deployments

Pages