Botnet Reputation and Content Scanning in Nessus
With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites.
Nessus uses a list of botnet infected hosts that is updated daily to search for your scan targets and report if the host is a known botnet zombie or is in command and control node. This is done regardless of the plugins or credentials specified and does not require sending any packets to the host to perform this check. Such hosts have been previously observed as sending malicious traffic to third-party systems across the Internet or taking an active role in attempting to control or compromise hosts for the botnet.
In addition to checking for inclusion in a botnet, Nessus will also report if a scan target is hosting links to web site addresses and specific URLs that are used by known botnets to propagate or re-directing to sites hosting phishing content. During the testing of CGI scripts, Nessus will scan the content of web pages looking for references to this type of malicious content. The ability to discover if an asset hosts botnet related malware or pages designed to steal credentials from unsuspecting users (e.g., fake eBay or banking login pages) is an incredible way to augment vulnerability scans.
To leverage this feature, make sure that your Nessus scans are looking at web site content. To enable this feature, set the Preferences -> Global Settings -> Enable CGI Tests setting to “enabled”.
The following Nessus plugins perform the botnet and malicious website content analysis:
This update is available to all Nessus users including the Nessus ProfessionalFeed and HomeFeed subscriptions, the Nessus PerimeterService and SecurityCenter customers. Tenable also offers a variety of log analysis, NetFlow analysis and passive network traffic analysis solutions which can help identify system events, user behavior and network traffic that is indicative of a botnet. To learn more about these solutions, please visit our web site or watch any of the following on-demand webinars:
- Putting a Virus under the SIEM Microscope
- Monitoring Users and Botnets with DNS
- Tracking Application Execution for Compliance and Security
- Finding and Stopping APT
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Nessus