
Tenable Blog


Enhanced Botnet Detection with Nessus

Tenable’s Research team recently added the ability for Nessus to evaluate audited hosts to see if they are connected to or configured with a known botnet IP address. In this blog entry, we will review all of the features available within Nessus for botnet and malware detection, as well as the types of features that are available in other Tenable products.

Nessus Botnet and Malware Detection

Nessus, Perimeter Service and SecurityCenter users have access to the following plugins, which perform a variety of botnet and malware detection checks:

Host is listed in Known Bot Database (52669): Nessus checks the scanned IP address against a database of known botnet IPs and reports if there is a match.

Web Site Links to Malicious Content (52670): While performing a web application scan, the external URLs discovered on the site are checked against a list of known DNS names and websites associated with botnet activity.

Active Connection to Host Listed in Known Bot Database (58430): The host's list of connected systems is evaluated to see if any are part of a known botnet. This check requires credentials, since it reads the host's connection table (the netstat-style data discussed below), and it reports both outbound and inbound connections with botnet IPs.

DNS Server Listed in Known Bot Database (58429): As with the DNS Changer malware, if a system has been configured with a DNS server IP address that is also on the list of known botnet systems, Nessus reports the potential infection.
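The two credentialed checks above (58430 and 58429) come down to the same host-side logic: read the connection table and the resolver configuration from the audited host and compare every remote address against the day's list of known botnet IPs, tagging each connection hit as inbound or outbound. The following is an added illustration of that logic, not Nessus plugin code; the bot IP list, the netstat output and the resolv.conf content are constructed samples, and the inbound/outbound heuristic (local port below the ephemeral range, remote port inside it, means the remote side connected to us) is an assumption that fits Linux defaults.

```python
"""Host-side botnet indicators: established connections and configured DNS
servers checked against a list of known botnet IPs.

Added example, not Nessus plugin code. All inputs below are constructed.
"""

# Constructed stand-in for the daily botnet IP feed (assumption).
KNOWN_BOT_IPS = {"198.51.100.23", "203.0.113.77", "192.0.2.250"}

# Constructed `netstat -ant` style output from a Linux host (assumption).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:49812          198.51.100.23:6667      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.77:40222      ESTABLISHED
tcp        0      0 10.0.0.5:50001          93.184.216.34:443       ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed /etc/resolv.conf (assumption).
RESOLV_CONF_SAMPLE = """\
search corp.example   # constructed sample
nameserver 192.0.2.250
nameserver 10.0.0.2
"""

# Low end of the Linux default ip_local_port_range; used only for the
# direction heuristic below (assumption).
EPHEMERAL_START = 32768


def split_addr(addr):
    """Split 'host:port' (also ':::22' style IPv6) into (host, port)."""
    host, port = addr.rsplit(":", 1)
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row of netstat output; header rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        lhost, lport = split_addr(parts[3])
        rhost, rport = split_addr(parts[4])
        conns.append({"local": lhost, "lport": lport,
                      "remote": rhost, "rport": rport, "state": parts[5]})
    return conns


def classify_direction(conn):
    """Inbound if our side is a service port and the peer used an ephemeral port."""
    lport, rport = int(conn["lport"]), int(conn["rport"])
    if lport < EPHEMERAL_START <= rport:
        return "inbound"
    return "outbound"


def find_bot_connections(netstat_text, bot_ips=KNOWN_BOT_IPS):
    """Established connections whose peer is on the bot list: (direction, ip, port)."""
    hits = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue  # LISTEN rows have no peer and a '*' port
        if c["remote"] in bot_ips:
            hits.append((classify_direction(c), c["remote"], c["rport"]))
    return hits


def find_bot_resolvers(resolv_text, bot_ips=KNOWN_BOT_IPS):
    """Configured nameservers that appear on the bot list."""
    hits = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("nameserver"):
            ns = line.split()[1]
            if ns in bot_ips:
                hits.append(ns)
    return hits


if __name__ == "__main__":
    for direction, ip, port in find_bot_connections(NETSTAT_SAMPLE):
        print(f"{direction} connection with known bot IP {ip}:{port}")
    for ns in find_bot_resolvers(RESOLV_CONF_SAMPLE):
        print(f"DNS server {ns} is on the known bot list")
```

On the sample data this flags an outbound connection to 198.51.100.23 on port 6667, an inbound connection from 203.0.113.77 to the local web port, and 192.0.2.250 as a configured resolver. Windows netstat prints a slightly different layout, so a production check would need a second parser, and the direction heuristic should be replaced with the kernel's own view (for example `ss -tan` states or connection-tracking data) where that is available.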

Nessus also includes a wide variety of server-side checks that perform credentialed, uncredentialed and configuration auditing scans to identify malware, remote access tools and compromised systems. It can also be used to audit the status of anti-virus systems. These have been blogged about extensively in the past and are linked in the following blog posts:

The new netstat connection tests are extremely useful to organizations that don’t have a SIM, NBAD, IDS or other type of network solution to monitor traffic for botnet activity. I’ve spoken with some SecurityCenter customers who plan on scheduling “light” credentialed scans several times a day and alert accordingly if a system is found with a botnet connection.

Botnet scanning is also very popular with Tenable’s Perimeter Service offering. Since the Perimeter Service allows unlimited IP address scanning, Perimeter Service customers can perform daily scans of their network to identify infected systems or web servers hosting botnet content. For PCI scanning, we’ve also encountered a variety of ecommerce sites that don’t have any vulnerabilities, but have been observed to be participating in a botnet, possibly from a previous compromise before patching.

Passive Network Monitoring and LCE Botnet Correlation

Tenable’s Log Correlation Engine correlates a wide variety of normalized logs with daily lists of known botnet IP addresses. In particular, it performs this type of correlation on the real-time network activity logs produced by the Passive Vulnerability Scanner.

The PVS converts many types of network traffic into syslog messages, which are easily processed by SIEMs such as the LCE. In particular, the LCE performs botnet correlation on the following logs from the PVS:

  • All inbound and outbound web queries have their IPs checked against the botnet database
  • All DNS lookups have the queried domain name checked against the botnet database
  • All passively observed FTP, SMB, NFS and HTTP file transfers have their IPs checked against the botnet database
  • All passively observed SSH, VNC and Windows Terminal services have their IPs checked against the botnet database

On Tenable’s YouTube channel, we’ve listed several videos including this one which visualizes botnet traffic in 3D.

Log Normalization and LCE Botnet Correlation

In addition to the PVS real-time logs, the LCE will perform botnet correlation on many other types of normalized logs including:

  • Network traffic logs via NetFlow or direct network flow monitoring with the Tenable Network Monitor.
  • Login failures from all applications such as VPNs, Secure Shell daemons and Windows authentication.
  • Web access and error logs from web servers such as Apache, IIS and others.
  • Intrusion detection logs such as Snort and TippingPoint.

The LCE normalizes many types of botnet traffic based on the direction of the connection. This facilitates identification, reporting and alerting of botnet traffic. Outbound connections to known botnet sites aid in identification of compromised and “botted” internal systems. Inbound connections can indicate a wide variety of botnet related scanning, attacks and compromise attempts.
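The log-side correlation described above (the PVS web, DNS and session logs in the previous section, and the direction-aware normalization in this paragraph) can be shown with a small correlator: parse each log line, compare both endpoints against the botnet IP list, compare any queried or requested name against the botnet domain list, and tag the event as inbound or outbound by which side is inside the monitored address space. The following is an added illustration, not LCE or PVS code; the log format, the feeds and the internal address ranges are all constructed assumptions, and the real PVS syslog layout differs.

```python
"""Correlate constructed network logs against botnet IP and domain lists,
tagging each hit with its direction relative to the monitored network.

Added example, not LCE or PVS code. Log format and feeds are constructed.
"""
import ipaddress
import re

# Monitored (internal) address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed stand-ins for the daily botnet IP and domain feeds (assumption).
BOT_IPS = {"198.51.100.23", "203.0.113.77"}
BOT_DOMAINS = {"cnc.example.net", "bad-updates.example.org"}

# Constructed syslog-style lines in a key=value shape; not the real PVS format.
LOG_SAMPLE = """\
Apr 12 10:01:02 sensor pvs: web-query src=10.0.0.5 dst=93.184.216.34 host=www.example.com
Apr 12 10:01:05 sensor pvs: web-query src=10.0.0.7 dst=198.51.100.23 host=198.51.100.23
Apr 12 10:01:09 sensor pvs: dns-query src=10.0.0.5 dst=10.0.0.2 qname=beacon.cnc.example.net
Apr 12 10:02:14 sensor pvs: ssh-session src=203.0.113.77 dst=10.0.0.9
Apr 12 10:02:30 sensor pvs: dns-query src=10.0.0.5 dst=10.0.0.2 qname=notcnc.example.net
"""

EVENT = re.compile(r"pvs: (\S+)")
KV = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Direction of a flow relative to the monitored address space."""
    if is_internal(src) and not is_internal(dst):
        return "outbound"
    if is_internal(dst) and not is_internal(src):
        return "inbound"
    return "internal" if is_internal(src) else "external"


def domain_on_list(name, bot_domains=BOT_DOMAINS):
    """True if the name or any of its parent domains is listed.

    Matching is label-aligned so 'notcnc.example.net' does not match
    'cnc.example.net' the way a naive substring test would.
    """
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in bot_domains for i in range(len(labels)))


def correlate(log_text, bot_ips=BOT_IPS, bot_domains=BOT_DOMAINS):
    """Return (event, direction, indicator, internal_host) for every hit."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        fields = dict(KV.findall(line))
        if not m or "src" not in fields or "dst" not in fields:
            continue
        event, src, dst = m.group(1), fields["src"], fields["dst"]
        dirn = direction(src, dst)
        # The host to investigate: the target for inbound, otherwise the initiator.
        inside = dst if dirn == "inbound" else src
        for peer in (src, dst):
            if peer in bot_ips:
                alerts.append((event, dirn, peer, inside))
        for name in (fields.get("qname"), fields.get("host")):
            if name and domain_on_list(name, bot_domains):
                alerts.append((event, dirn, name, inside))
    return alerts


if __name__ == "__main__":
    for event, dirn, indicator, inside in correlate(LOG_SAMPLE):
        print(f"{dirn:8} {event:12} {indicator:26} investigate {inside}")
```

On the sample lines this yields an outbound web request from 10.0.0.7 to a listed IP (a likely botted host), an internal DNS lookup from 10.0.0.5 for a subdomain of a listed command-and-control domain, and an inbound SSH session from a listed IP to 10.0.0.9 (scanning or an attack attempt rather than an infection indicator). The last line, a lookup for notcnc.example.net, is correctly not flagged.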

Conclusion

If you would like to learn more about Tenable's solutions for searching for botnets on your network, please contact us at [email protected]. If you have questions about how Tenable leverages botnet detection with scanning, log analysis and network traffic monitoring, please feel free to visit our Discussion Forums.
