Detecting Microsoft Executables Being Served by an Unknown Service with Nessus

Many different types of malware and botnets require some sort of exploit payload. This payload can be obtained through traditional compromised services such as HTTP, FTP and even TFTP. Payloads can also be delivered by highly customized or proprietary protocols designed by the malware and botnet creators. 

Tenable’s research team has encountered some ports that can't be fingerprinted and appear to start an executable download when they are connected to. This is a tactic that some of the botnets use to infect additional machines.

Any program that can make a simple TCP connection and save any received data to a file can be used to retrieve these types of files. For example, a program such as netcat can be used to connect to one of these services to obtain the malware or exploit program being distributed by redirecting the data to a file. The following command line uses netcat to connect to a host on port 9002 and save the resulting data into a file named “executable.bin”.

nc 192.168.20.100 9002 > executable.bin

If you suspect this to be a malicious file, you can have it analyzed by an anti-virus tool such as ClamAV or even uploaded to a service such as Jotti's malware scan.

Nessus Detection

Plugin 33950 named "MS Executable Detection" attempts to connect to any service that has been identified as being "unknown". Nessus has an extensive database of application banners and fingerprints. If an open port is identified but cannot be fingerprinted, Nessus will place it into the knowledge base marked as an "unknown service". All services marked in this way will be probed by the new plugin to see if they are distributing an executable.

Tenable's research team has encountered these types of servers running on many different ports, primarily on ports much higher than 1024.

To have Nessus look for these services, configure your scans with the following settings:

• Ensure the MS Executable Detection plugin (which is in the Service detection family) is enabled.
• Perform port scans that target ports higher than 1024. For a complete audit, consider scanning all ports.
• Ensure that the Service Detection (2nd Pass), Service Identification (2nd Pass) and Service Identification are all enabled.
• Make sure that the "Probe services on every port" setting under the Advanced tab and "Global variable settings" is enabled.

Below is a Nessus scan policy that you can download for use with your Nessus client. It has a pre-configured scan policy, which can be used to scan networks to look for these services hosting potentially hostile executables.

Download MS-Executable-Scan.nessus

Below is a screen shot of scan results from an infected system:

When the plugin detects an executable, it will display a binary hex dump of the contents. It will also generate hash values of the obtained file that can be submitted to http://www.virustotal.com/buscaHash.html for analysis and other organizations such as Bit9. 

For more Information

Previous blog posts have discussed using Nessus, the Passive Vulnerability Scanner and the Log Correlation Engine to look for compromised or infected hosts:

• Boss, I think Half of our FTP Servers are fake!
• Detecting Compromised Windows Hosts
• Hunting Symantec Worms
• Using "New Port Browsing" Events to find Worm/Trojan/Rootkit Activity