
Tenable Blog


Detecting Compromised Windows Hosts

Tenable recently added a credentialed Windows check (Nessus ID #23910) to find systems that have been infected by certain viruses. The check considers the contents of the file:

SYSTEM32\Drivers\etc\HOSTS

and determines whether it has been altered to block anti-virus updates. A common technique in viruses such as MyDoom, Bagle and their variants is to disable a computer's ability to update its anti-virus signatures once the machine has been compromised. Typical anti-virus software performs a DNS lookup to find the update server where new signatures are available, and the HOSTS file is consulted before DNS.

By adding bogus entries (usually pointing to 0.0.0.0) for common update sources such as Symantec, Sophos, Microsoft, Kaspersky and so on, a virus can prevent anti-virus software from ever reaching its update server. Tenable has also seen viruses add the same kind of entries for the update sites of anti-spyware solutions.
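The check described above, as an added illustration (this is not the Nessus plugin's own code): parse a HOSTS file, ignore comments, and flag any entry that hard-codes an address for a known update server, marking entries pointed at a sinkhole address as near-certain tampering. The list of update hostnames and the sample HOSTS content are constructed for this example.

```python
import ipaddress

# Constructed, illustrative list of anti-virus / OS update hostnames that
# malware is known to sinkhole. A real check would use a much longer list.
UPDATE_HOSTS = {
    "liveupdate.symantecliveupdate.com",
    "update.symantec.com",
    "sophos.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "downloads.kaspersky.com",
}

# Addresses that make a lookup fail outright rather than redirect it.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()                   # tabs or spaces, any number
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not an address
        for name in fields[1:]:
            yield str(ip), name.lower()


def _is_update_host(name):
    return any(name == h or name.endswith("." + h) for h in UPDATE_HOSTS)


def find_blocked_updates(text):
    """Return (ip, hostname, is_sinkhole) for every entry overriding an update server."""
    return [(ip, name, ip in SINKHOLE_ADDRESSES)
            for ip, name in parse_hosts(text) if _is_update_host(name)]


# Constructed sample HOSTS file: one normal entry, one intranet entry, three tampered ones.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         liveupdate.symantecliveupdate.com
0.0.0.0         update.symantec.com   # added by malware
127.0.0.1\twindowsupdate.microsoft.com
192.168.1.20    intranet.example.local
"""

if __name__ == "__main__":
    for ip, name, sinkhole in find_blocked_updates(SAMPLE_HOSTS):
        print(f"{'SINKHOLE' if sinkhole else 'REDIRECT'}: {name} -> {ip}")
```

On a live system the same function would be fed the contents of SYSTEM32\Drivers\etc\HOSTS; a redirect to a non-sinkhole address is still worth investigating, since it may point update traffic at an attacker-controlled server.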

If Anti-Virus Software is there in the first place, why does it fail?

The answer is pretty simple: exploits for zero-day (or only recently announced) vulnerabilities, and the desire to maintain control over a compromised system. Worm writers who use a new exploit can compromise many systems before the anti-virus vendors develop signatures for the malicious files in transit or for the network attack vectors.

A savvy worm writer will "know" that if their Trojan or worm is popular or successful enough, it will get the attention of the anti-virus community and signatures will be developed and deployed to target it. With this in mind, a worm writer who disables or neuters an anti-virus solution can keep control of the infected host well after the anti-virus rules have been updated.

Other Nessus Anti-Virus Checks

There are several other anti-virus and Trojan/backdoor detection plugins available for Nessus. Here is a quick overview:

  • For most commercial anti-virus solutions, a Nessus local check can be used to determine if the system is running with the latest available updates, or if the solution is installed but disabled or not running.
  • For popular viruses, Tenable maintains a set of "quick check" local tests in plugin #11329. This is not a comprehensive list of the thousands of virus and Trojan variants, but it does check for several dozen very popular viruses.
  • For many popular worms that have well known network backdoors, Tenable does write plugins to scan for and discover these. For example, the Sasser Virus Detection plugin (Nessus ID #12219) connects to various ports to look for an FTP service.

Being Proactive and Vigilant

Tenable offers a variety of solutions to extend a typical Nessus deployment to monitor enterprise networks for worms, virus outbreaks and even network anomalies:

Besides discovering most of your server and client vulnerabilities simply by watching network traffic, Tenable's Passive Vulnerability Scanner discovers when new ports become open, can identify the presence (or lack thereof) of several anti-virus solutions and can also alert when an internal host begins port scanning.

When fed netflow logs or firewall logs, or when using the Tenable "TNM" agent for direct network traffic analysis, the Log Correlation Engine can identify hosts infected with spyware, malware, botnets and Trojans. This is done primarily by cross-referencing several popular black lists, as well as by considering anomalies such as "Crowd Surges", where a sample of the network population suddenly connects to suspicious locations.

Tenable's Nessus 3 scanner can also perform agent-less host-based configuration audits. These tests consider the configuration a specific asset class (server, desktop, web server, etc.) should have and look for discrepancies. For example, Nessus can test that the content of the "HOSTS" file matches a "corporate" standard, that certain base configurations are met and that specific processes are indeed running.

Obtaining These Checks and Thanks

Tenable would like to thank both the folks at Sensepost as well as Michel Arboi for suggesting this sort of check. The check is currently available in the Direct Feed. All Security Center and Direct Feed users have access to this plugin at this time.
