Re: Does nessus not pick up on trojans ?
Mike Shaw <mshaw@wwisp.com> writes:

> It's pretty hard to detect trojan horses purely by port numbers.

Better than nothing?

> You'll get so many false positives that you'll eventually miss
> something.

Well, if we look only at *unknown* services, that's better.
The problem is there is currently no easy way to remove a port from
the "Services/unknown" list. NASL should be extended for this.
Then trojan_horses.nasl should run after all other ACT_GATHER_INFO
scripts...

> Plus, some trojans can use any port.

I know.

Here is an experimental script anyway.

Re: Does nessus not pick up on trojans ?
On Thu, Aug 22, 2002 at 10:41:38PM +0200, Michel Arboi wrote:
> Mike Shaw <mshaw@wwisp.com> writes:
>
> > It's pretty hard to detect trojan horses purely by port numbers.
>
> Better than nothing?

Nah. There are so many trojans out there that this would be akin to
preventing any service from binding on top of 50% of the port space.


-- Renaud

Re: Does nessus not pick up on trojans ?
At 10:41 PM 8/22/2002 +0200, Michel Arboi wrote:
>Mike Shaw <mshaw@wwisp.com> writes:
>
> > It's pretty hard to detect trojan horses purely by port numbers.
>
>Better than nothing?

Not really a great justification. Sure, something is always better than
nothing, but not necessarily *much* better than nothing. And the
incremental benefit of simply looking for odd ports will probably be more
than offset by the additional cost.

It's simply something better reserved for another area of security. If you
are doing nothing other than vulnerability scanning, then you're asking for
trouble.

>Well, if we look only at *unknown* services, that's better.

You're going to spend an awful lot of time hunting down odd ports on a
typical windows network (or explaining away the false positive in a
resulting report), and what if somebody gets wise and runs one off a port
that doesn't look suspicious?

Now if you looked for a signature trojan response from a certain port then
sure, why not have it? That's much more definitive than a simple open
port. But then they could make one that looked like a telnet server, or an
ftp server, or whatever. Again, scanning for vulnerabilities is one thing,
but trying to detect someone or something who has explicitly compromised
you is a different animal.

-Mike

Re: Does nessus not pick up on trojans ?
Mike Shaw <mshaw@wwisp.com> writes:

> incremental benefit of simply looking for odd ports will probably be
> more than offset by the additional cost.

Well, there are several ways to use Nessus. Some people just want a
nice report for their boss, and they do not want any false positive.

Others just look around with Nessus before they run specialized tools
or exploits; those ones probably want as much information as possible.

> You're going to spend an awful lot of time hunting down odd ports on a
> typical windows network (or explaining away the false positive in a
> resulting report)

I wonder how many false positives there will be on a typical network. I
insist: the script only looks for *unknown* services.
This means that it will miss trojan horses that are implemented on top
of a standard protocol, like SSH or Telnet.

> and what if somebody gets wise and runs one off a
> port that doesn't look suspicious?

We never said that Nessus protected against *everything*.

> Now if you looked for a signature trojan response from a certain port
> then sure, why not have it?

I looked for Kaos and could not find any information on the protocol.
Maybe if we added the banner to the report, some people could send
them to the list so that we write a plugin.

> But then they could make one that looked like a telnet
> server, or an ftp server, or whatever.

I agree.

> Again, scanning for vulnerabilities is one thing, but trying to
> detect someone or something who has explicitly compromised you is a
> different animal.

A good point for you. But should we remove the whole "Backdoor" family?

PS: shouldn't we discuss all this on the "nessus" list?!

Re: Does nessus not pick up on trojans ?
> I wonder how many false positives there will be on a typical
> network.

many. i looked through the list and saw a number of ports that will
give false-positives on most of my network's systems.

Nessus has such a low false-positive rate that i'd hate to see it
report simply 'unknown' ports. now, if we have a valid way to test
for a specific trojan... then by all means, please test, even if my ids
should have caught it :)

Re: Does nessus not pick up on trojans ?
"sullo" <sullo@cirt.net> writes:

> many. i looked through the list and saw a number of ports that will
> give false-positives on most of my network's systems.

I tried on Unix & W2K machines. One warning on the W2K (port 515),
three on Unix (among them, Leafnode on 119, which was not detected as
NNTP by find_service - I fixed that).
Not great. There is no easy way to get rid of 515 but to remove it
from the list.

The real point is "unknown service". e.g. if there is something on
port 23 which is not a Telnet server, then you should worry.
Note that the current CVS find_service issues a warning in this case.
Is this enough?

> Nessus has such a low false-positive rate that i'd hate to see it
> report simply 'unknown' ports.

I wonder if the false positives will not always come with the same
ports. If we remove them, we might have a cheap way to gather common
Trojan horse banners.
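The triage rule Michel sketches across the thread (an unknown service on a well-known port such as 23 is the real alarm; an unknown service on an unregistered port only warrants recording its banner for later review; ports that are always "unknown" on a given network, like 515 here, are dropped from the list) can be written down as a small post-processing pass over find_service-style results. The following is an added example, written in Python rather than NASL, and is not code from the thread, from trojan_horses.nasl or from find_service. The EXPECTED table, the IGNORED_UNKNOWN set and the SAMPLE_SCAN results are constructed for the example.

```python
"""Triage open ports from a service-detection pass.

Added illustration (Python, not NASL); not part of the thread and not
the trojan_horses.nasl or find_service code. All tables below are
constructed assumptions, not a real scan.
"""
from __future__ import annotations

from dataclasses import dataclass

# Well-known port -> service label a find_service-style pass would assign.
# Constructed subset, not an authoritative services table.
EXPECTED = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
    80: "www", 119: "nntp", 515: "printer",
}

# Ports that came back "unknown" on every host in earlier runs and were
# judged benign for this network (the thread's port 515 case). Constructed.
IGNORED_UNKNOWN = {515}


@dataclass(frozen=True)
class Finding:
    port: int
    severity: str   # "warning" or "info"
    reason: str
    banner: str     # kept so odd banners can be collected and shared


def assess(scan: dict[int, tuple[str, str]], ignored=IGNORED_UNKNOWN) -> list[Finding]:
    """scan maps port -> (service_label, banner); returns findings sorted by port.

    Rules, in order:
      * "unknown" on an ignored port      -> no finding
      * "unknown" on a well-known port    -> warning (not what belongs there)
      * "unknown" on any other port       -> info, banner recorded
      * recognised but wrong for the port -> warning (e.g. non-telnet on 23)
    """
    findings: list[Finding] = []
    for port, (label, banner) in sorted(scan.items()):
        expected = EXPECTED.get(port)
        if label == "unknown":
            if port in ignored:
                continue
            if expected is not None:
                findings.append(Finding(
                    port, "warning",
                    f"port {port} normally carries {expected}, but the "
                    f"service did not behave like {expected}", banner))
            else:
                findings.append(Finding(
                    port, "info",
                    f"unknown service on port {port}; banner recorded", banner))
        elif expected is not None and label != expected:
            findings.append(Finding(
                port, "warning",
                f"port {port} normally carries {expected}, detected {label}", banner))
    return findings


def collect_banners(findings: list[Finding]) -> dict[int, str]:
    """Banners of every finding, keyed by port, for a 'send to the list' report."""
    return {f.port: f.banner for f in findings}


# Constructed scan results for one host: (label, banner) per open port.
SAMPLE_SCAN = {
    22: ("ssh", "SSH-2.0-OpenSSH_3.4p1"),
    23: ("unknown", "\x00\x01hello"),        # something on 23 that is not telnet
    80: ("www", "HTTP/1.1 200 OK"),
    119: ("nntp", "200 Leafnode NNTP Daemon"),
    515: ("unknown", ""),                    # quiet printer port, on the ignore list
    60001: ("unknown", "> "),                # unregistered port, unidentified service
}

if __name__ == "__main__":
    for f in assess(SAMPLE_SCAN):
        print(f"{f.severity:8} {f.port:6} {f.reason}  banner={f.banner!r}")
```

With the ignore set emptied, port 515 comes back as a warning (unknown on a well-known port), which is exactly the false positive the thread wants to suppress; keeping a per-network ignore list is what makes the "unknown service" rule usable without flooding the report.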