Detecting Malware Distribution With Nessus

Many of today's latest worms and viruses are using interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server for victims to connect to and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322 "HTTP Backdoor Detection":

Note that Nessus performs service detection to discover applications running on non-standard ports. The port displayed in the above example (15871/TCP) is chosen at random, so be sure your scan is configured to run against all 65535 ports and that "Probe services on every port" is enabled. If a host is found running this service, it is most likely infected. To mitigate, run the removal tools for popular malware, such as Conficker, or rebuild the host. Nessus will also detect if a non-HTTP service is distributing a MS executable using plugin 33950, "MS executable detection" as described in the Tenable blog post titled "Detecting Microsoft Executables Being Served by an Unknown Service with Nessus". With both of the above plugins Nessus will download the binary and produce an MD5 checksum. Then you can check to see if the malware has been recognized by the Virus Total Web Site:

Nessus also detects specific malware payloads with plugin id 31854, "Malware Payload Code detection":

Of course, the best approach is to proactively protect your network and systems rather than scan for a particular issue that is getting media attention.

The Conficker worm infects systems and spreads using the following three mechanisms:

1) Performs password brute-forcing on Windows systems

2) Exploits the MS08-067 vulnerability

3) Adds itself to any removable/network drives

Source: Downadup/Conficker Worm Removal, SecureWorks Threat Analysis Blog

Pro-active security measures can ensure protection against all of these attack vectors without taking special actions just for a particular new worm. A strong authentication policy, regular system patching and monitoring for removable devices are all security measures that can provide protection from Conficker. Tenable's products can be used in a pro-active manner to help protect your network, as described in the following previous posts to the Tenable blog:

1) Disabling Password Guessing attempts with Nessus - This post describes how Nessus tests for passwords, and how to prevent it from locking out accounts. Specifically plugin 10404, "SMB Log in as users", will intelligently test your domain accounts for weak passwords.

2) How did you test for MS08-067? - Details how to test your network for the MS08-067 vulnerability using Nessus. This can be done using either network or credentialed scanning.

3) USB Device History Auditing with Nessus - If you believe the worm was spreading via the usage of USB thumb drives, the methods described in this post could help you track down the offending USB drive.

References:

• Auditing Infected Systems for Viruses and Trojans with Nessus
• Detecting Off-Port Services