Using a Vulnerability Assessment to Discover Worm Hosts
The Nessus tool is a popular, powerful open source vulnerability scanner. It has a basic scripting language you can use to create new plugins and detection modules. Among the many plugins available are some that detect Sasser-infected hosts. This is a great example of putting one tool to a second use: a vulnerability scanner doubling as a worm-host detector.
The first plugin detects the Sasser backdoor and presents the Nessus user with a message when it finds an infected host.
The Sasser worm is infecting this host. Specifically, a backdoored command server may be listening on port 9995 or 9996 and an ftp server (used to load malicious code) is listening on port 5554 or 1023. There is every indication that the host is currently scanning and infecting other systems.
Source: Sasser Virus Detection plugin page, apparently developed by Tenable Security (a commercial Nessus organization).
You can also use Nessus to detect the original MS04-011 vulnerability, which is what Sasser used to propagate. The Nessus plugin is described here:
The remote host seems to be running a version of Microsoft OS which is vulnerable to several flaws, ranging from denial of service to remote code execution. Microsoft has released a Hotfix (KB835732) which addresses these issues.
Source: Microsoft Hotfix for KB835732 (SMB check) Nessus detection plugin, also apparently developed by Tenable.
February 20, 2005 in tools
Comments
Talking about Sasser, isn't MS05-11*, released on 02/08/2005, a great opportunity for a new worm like Blaster and Sasser? It seems to be, but I didn't see anybody comment about it.
* http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx
Posted by: Vinicius | Feb 20, 2005 8:36:48 PM
In cases in which a Windows admin is interested in scanning Windows systems for this and other vulnerabilities, I'd recommend using WMI rather than installing another operating system and application to attempt to do the job for you.
WMI classes abound for performing a wide variety of checks on systems, from looking for installed patches, to checking configurations, etc. You can even use WMI to determine if NICs on remote systems are in promiscuous mode.
Posted by: H. Carvey | Feb 23, 2005 10:04:32 AM