Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Detecting Microsoft Executables Being Served by an Unknown Service with Nessus

Many different types of malware and botnets require some sort of exploit payload. This payload can be obtained through traditional compromised services such as HTTP, FTP and even TFTP. Payloads can also be delivered by highly customized or proprietary protocols designed by the malware and botnet creators. 

Tenable’s research team has encountered some ports that can't be fingerprinted and appear to start an executable download when they are connected to. This is a tactic that some of the botnets use to infect additional machines.

Any program that can make a simple TCP connection and save any received data to a file can be used to retrieve these types of files. For example, a program such as netcat can be used to connect to one of these services to obtain the malware or exploit program being distributed by redirecting the data to a file. The following command line uses netcat to connect to a host on port 9002 and save the resulting data into a file named “executable.bin”.

nc 9002 > executable.bin

If you suspect this to be a malicious file, you can have it analyzed by an anti-virus tool such as ClamAV or even uploaded to a service such as Jotti's malware scan.

Nessus Detection

Plugin 33950 named "MS Executable Detection" attempts to connect to any service that has been identified as being "unknown". Nessus has an extensive database of application banners and fingerprints. If an open port is identified but cannot be fingerprinted, Nessus will place it into the knowledge base marked as an "unknown service". All services marked in this way will be probed by the new plugin to see if they are distributing an executable.

Tenable's research team has encountered these types of servers running on many different ports, primarily on ports much higher than 1024.

To have Nessus look for these services, configure your scans with the following settings:

  • Ensure the MS Executable Detection plugin (which is in the Service detection family) is enabled.
  • Perform port scans that target ports higher than 1024. For a complete audit, consider scanning all ports.
  • Ensure that the Service Detection (2nd Pass), Service Identification (2nd Pass) and Service Identification are all enabled.
  • Make sure that the "Probe services on every port" setting under the Advanced tab and "Global variable settings" is enabled.

Below is a Nessus scan policy that you can download for use with your Nessus client. It has a pre-configured scan policy, which can be used to scan networks to look for these services hosting potentially hostile executables.

Download MS-Executable-Scan.nessus

Below is a screen shot of scan results from an infected system:


When the plugin detects an executable, it will display a binary hex dump of the contents. It will also generate hash values of the obtained file that can be submitted to http://www.virustotal.com/buscaHash.html for analysis and other organizations such as Bit9

For more Information

Previous blog posts have discussed using Nessus, the Passive Vulnerability Scanner and the Log Correlation Engine to look for compromised or infected hosts:

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.