Using Tenable Products to find unpatched/infected MS06-040 devices

Tenable has had many of our customers call in to discuss ways they can look throughout their enterprise to find the latest round of security issues from the last "Microsoft Tuesday". Here is a quick list of things you can look for with our products:

• Nessus can be used to perform a network scan for any Windows host effected by the MS06-040 patch. The scan does not need credentials, but the scanner does need to be able to communicate with the target on ports 445 or 139.
• If you do have domain credentials, plugin 22182 performs a patch audit looking for the applicability of the missing patch. Doing an audit with credentials will also allow for testing of the other "local" security issues besides MS06-040.
• If you've completed an active Nessus scan for MS06-040, the Security Center will correlate NIDS events (from Tipping Point, Snort, Dragon, etc.) that target vulnerable MS06-040 devices.
• For devices infected by Mocbot/Wargbot, Nessus plugin 11329 can detect this. This plugin requires credentials.
• For devices infected with the BOLO worm/trojan that exploits MS06-040 (and delivers the Mocbot trojan), if you have a Passive Vulnerability Scanner deployed on your perimeter, you can query your Security Center to list any devices which browse on port 445 and 18067. Any devices which browse on port 445 across your perimeter should be considered suspect for a wide variety of issues regardless.
• Lastly, if you have deployed the Log Correlation Engine, you can query it for activity on ports 445 and 18067 as well. Tenable has also released a TASL script which looks for Mocbot activity in any log source. The LCE also has many generic log correlation techniques such as looking for crowd surges and suspicious proxy connections in any log sources. We've blogged about the crowd_surge.tasl script previously and it has been updated to alert when there is a surge of visitors to sites tracked by the Internet Storm Center.