Identifying the Remnants of a Virus Outbreak or Spyware Infestation
Viruses and spyware have different underlying technologies, but they have a common bond once they infest a system. Variants of MyDoom, Sasser, Beagle, NetBus, SubSeven, and other Trojan horses create open ports, providing backdoor communication conduits into infected systems.
This scan will show how the entire network can be easily scanned to locate a single spyware or virus remnant. This search will make use of unique ping methods, port searches, and reverse DNS lookup settings.
Identifying Virus, Spyware, and Trojan Horse Remnants
- Nmap Ping type: If ICMP is unfiltered in an organization's network, an ICMP ping (-PE) would be an efficient way of identifying an active system. If ICMP is actively filtered, a more applicable ping type should be considered. Since this scan will be working through a large number of IP addresses, an nmap ping will be an important method of determining a remote device's availability. Disabling nmap's ping option (-P0) should be used only as a last resort in a scan with a large number of IP addresses.
- Nmap Scan Type: Since this is a simple port availability test, a TCP SYN scan (-sS) or a UDP scan (-sU) would be an effective scan type. Different spyware remnants can open TCP ports or UDP ports, and occasionally both types will need to be specified. This example will assume that both types will be scanned.
- IP Addresses: The IP addresses for these types of scans will usually be a range of addresses, using nmap's wildcards and naming conventions. For ease of use, these IP addresses should be listed in a file that can be included with the –iLoption.
- Port Ranges: This particular scan will only need to scan a few ports from each device that are associated with a specific spyware infestation. If both TCP and UDP scan types are specified, then the –p option should include U:<udpports>,T:<tcpports>.
- Reverse DNS: If a large number of hosts will be scanned over a long timeframe, it may be helpful to require a reverse DNS on each scanned device (-R). However, this can create delays during the scan process, and it may not be required if the IP addresses on the network rarely change. In these cases, a more efficient scan would disable the reverse DNS resolution process (-n).
- Version Detection: If a Trojan horse is using a port number that is commonly open on the network, it may be helpful to include a version detection option (-sV) to help identify the application type running on the remote device. This will slow down the scan significantly (especially if UDP scanning is active), so use this option only if necessary.
- Time to Live: If this scan shouldn't traverse a WAN or slow network link, the --ttl option may be useful. This would prevent the scan from using slower WAN links, although it may be more reliable to add the remote IP addresses to the exclude list if the exact network configuration isn't known.
The nmap command line would be similar to this (disregard the line break):
# nmap –vv –PE –sS –sU –iL input.lst --excludefile banned.lst –p U:31337,T:6713 –n -oA trojansAfter the scan is complete, the grepable output file (trojans.gnmap) can be searched for the word "open" to determine if any open ports were identified.