
Tenable Blog


Auditing Infected Systems for Viruses and Trojans with Nessus

Have you ever been in the situation where you have found a Windows server or desktop that was infected with a virus, Trojan, rootkit or other malware and wanted to scan your network to see whether other systems had the same problem? Nessus ProfessionalFeed and Security Center users can leverage the compliance auditing features of Nessus to look for evidence of hostile software on their network.

Background

Even though anti-virus technology is widely available, many organizations routinely deal with daily infections. In some organizations, anti-virus agents are prevalent due to the plethora of mutations in the threat, as new types of hostile code can make their way into your network. Even more worrisome is the fact that many organizations with large networks have decided not to use any anti-virus solution at all and instead rely only on network security and system hardening. Gone are the days when Internet-wide worms made front-page news. Instead, IT security organizations wage daily battles to keep their networks clean.

Existing Anti-Virus Audit and Hostile Code Discovery Capabilities

Before we talk about some new strategies for discovering viruses with Nessus, we should review the existing methods to audit systems for potential viruses and to make sure they are running a correctly configured anti-virus solution.

Previous blog entries have described how Nessus and the Security Center can be used to audit small and large enterprise networks to make sure there are adequate anti-virus capabilities.

  • If Nessus finds one of many commonly running commercial anti-virus solutions, it checks to make sure its virus signatures are up to date. If not, it lists this as an important vulnerability. (Read more)
  • As part of your corporate configuration audit policy, you can also use Nessus audit policies to ensure that each system is running the correct and official anti-virus solution and verify that it is set to run, to auto-start, to auto-update and so on. (Read more)

Nessus also has the ability to find suspicious system services and issues that may indicate the presence of malware:

  • If a worm or Trojan adds a daemon to a compromised host that serves executables, Nessus will recognize this and generate an alert accordingly.
  • If your Windows HOSTS file has been modified by a virus, Nessus check 23910 will likely detect it.
  • If you have a Trojan or worm that has added a service in general, Nessus can audit all system processes which have an open network socket.
  • Nessus checks for several dozen popular virus daemons and infected files. If you visit Tenable’s plugin search page and enter in terms such as “worm”, “virus” or “Trojan”, you can get an idea for the types of hostile code Nessus can search for.

Finding Systems Compromised with Hostile Code

Now that we’ve reviewed how Nessus can monitor your anti-virus solutions and potentially identify broad types of virus infections, how can it help when you know exactly what type of hostile code you are dealing with?

The basic idea is to use Nessus’ ability to audit registry settings or file content to look for viruses. As part of your analysis of any system infected with hostile code, there is very good chance that the virus has some sort of fingerprint that aids in detection. Some of the most common fingerprints to look for are specific registry entries or files that have been created or modified by the virus.

For example, F-Secure has written an analysis of the Banbra.RM virus that lists the files, processes, network connections and registry entries the virus attempts to create or modify. In particular, it writes the value “C:\WINDOWS\msnmsgsr.exe” into the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\msn

The following audit policy could be used by Nessus or the Security Center to audit your network for this virus:

<if>
 <condition type: "and">
  <custom_item>
   type        : REGISTRY_SETTING
   description : "Banbra.RM trojan check"
   value_type  : POLICY_TEXT
   reg_key     : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run"
   reg_item    : "msn"
   value_data  : "C:\WINDOWS\msnmsgsr.exe"
   # MUST_EXIST: the item only passes (and the <then> branch only reports
   # FAILED) when the key is actually present with the value above. With
   # CAN_BE_NULL a missing key would also pass, flagging every clean host.
   reg_option  : MUST_EXIST
  </custom_item>
 </condition>

 <then>
  <report type: "FAILED">
   description : "Banbra.RM trojan check."
   info        : "A key found in the registry indicates the Banbra.RM trojan is infecting the host."
   info        : "Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run , msn, C:\WINDOWS\msnmsgsr.exe"
   info        : "(This audit tests for the Banbra.RM trojan, as defined at:"
   info        : "http://www.f-secure.com/v-descs/trojan-spy_w32_banbra_rm.shtml"
   info        : "The contents of this audit should be edited to reflect any other desired target.)"
  </report>
 </then>
 <else>
  <report type: "PASSED">
   description : "Banbra.RM trojan check."
   info        : "The absence of a known key in the registry indicates the Banbra.RM trojan is likely not infecting this machine."
   info        : "(This audit tests for the Banbra.RM trojan, as defined at:"
   info        : "http://www.f-secure.com/v-descs/trojan-spy_w32_banbra_rm.shtml"
   info        : "The contents of this audit should be edited to reflect any other desired target.)"
  </report>
 </else>
</if>

This is not to suggest that you should load up all of your favorite virus rules and use this technique proactively. The idea is that when you discover some sort of infection, you can quickly audit your Windows computers to see if they contain evidence of a compromise.

Types of Technical Audits

If you have discovered a virus infection or some other type of hostile code and want to audit your systems to see if others have been infected, Tenable recommends that you consider the following types of audits.

  • Static registry key, item and value
  • A user registry key, item and value
  • A static file
  • A specific process name

If you are familiar with user registry settings, you will know that different Windows users on the same system can have different registry settings. These settings are located under the “HKU” (HKEY_USERS) hive if you are browsing a system registry. The Nessus configuration auditing checks will automatically test any HKU registry key across all users.
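To turn a fingerprint from a malware write-up into the registry audit shown above without hand-editing the policy each time, here is an added example (not code from the Tenable post) that renders the same REGISTRY_SETTING / if-then-else layout from a small IoC record. The helper and class names are assumptions, as is the reading that reg_option MUST_EXIST makes the item pass only when the key is present with the given data.

```python
# Added example (not from the Tenable post): render a .audit policy in the
# REGISTRY_SETTING / if-then-else layout the post shows, from a registry
# fingerprint taken out of a malware write-up. Assumed: the names below are
# ours, and reg_option MUST_EXIST makes the item pass only if the key exists.
from dataclasses import dataclass

AUDIT_TEMPLATE = """\
<if>
 <condition type: "and">
  <custom_item>
   type        : REGISTRY_SETTING
   description : "{name} trojan check"
   value_type  : POLICY_TEXT
   reg_key     : "{reg_key}"
   reg_item    : "{reg_item}"
   value_data  : "{value_data}"
   reg_option  : MUST_EXIST
  </custom_item>
 </condition>
 <then>
  <report type: "FAILED">
   description : "{name} trojan check."
   info        : "Key: {reg_key} , {reg_item}, {value_data} (see {reference})"
  </report>
 </then>
 <else>
  <report type: "PASSED">
   description : "{name} trojan check."
   info        : "Known {name} registry key absent (see {reference})"
  </report>
 </else>
</if>
"""
@dataclass(frozen=True)
class RegistryIoc:
    name: str        # malware family used in the report text
    reg_key: str     # hive and path, without the value name
    reg_item: str    # value name under reg_key
    value_data: str  # data the malware writes into that value
    reference: str   # public analysis the fingerprint came from

def registry_audit(ioc: RegistryIoc) -> str:
    """One if/then/else block: FAILED when the planted value is present."""
    for text in vars(ioc).values():  # a stray quote would break the audit's quoting
        if '"' in text:
            raise ValueError("double quotes are not allowed in audit fields")
    return AUDIT_TEMPLATE.format(**vars(ioc))

# The Banbra.RM fingerprint from the post, as the worked input.
BANBRA_RM = RegistryIoc("Banbra.RM", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run", "msn",
                        r"C:\WINDOWS\msnmsgsr.exe", "http://www.f-secure.com/v-descs/trojan-spy_w32_banbra_rm.shtml")
```

Calling registry_audit(BANBRA_RM) yields a policy that can be pasted into a Nessus or Security Center audit file; a user-specific fingerprint would use an HKU key in reg_key and be tested across all users as described above.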

Below are two screen shots of auditing live systems for the presence of a specific virus.

[Screenshot 1: Nessus audit result for the Banbra virus]

This is an audit for the Banbra virus. The audit is looking for specific registry data which indicates a system has likely been infected by the Banbra virus.

[Screenshot 2: Nessus process audit for sodata.exe]

In this screen shot, we've audited a system's list of processes to look for a file named "sodata.exe" and have not found it. This process is associated with the W32/Hupigon.OGA backdoor.

A Word to the Wise

Many viruses will invoke cmd.exe to run a variety of programs. You may be tempted to search all of your Windows computers to see if any have cmd.exe processes running. However, many legitimate applications will also run cmd.exe and leave those processes running. Finding a cmd.exe process does not directly correlate with a virus infection, but it could still be a valid audit for your organization.

Please keep in mind that if you are working with live viruses, they may interact with your testing and auditing. If a virus has countermeasures, it may attempt to resist being removed and could re-create itself from copies running in memory. If a virus has a rootkit component, it may also have the ability to hide various registry settings, processes and files from your audits. This could give you a false sense of security. In a crisis though, being able to rapidly audit many different systems could yield very interesting and useful results.

For More Information

Tenable’s Customer Support Portal includes example audit policies for Nessus and Security Center users that can be modified to find evidence of virus infections on local systems. Users who wish to share their audit policies for specific variants of Trojans and viruses may wish to post them to the Discussions Forum so that other Nessus users can benefit.
