[unisog] Nachi/Welchia signature

Steve Bernard sbernard at gmu.edu
Wed Aug 20 18:58:03 GMT 2003

The problem stems from my looking too deeply into the packets. I have
modified the filter to *really* look at the initial 4 bytes of the data
portion of the ICMP packet; I had made a mistake before. This "should" catch
all of the Nachi/Welchia ICMP traffic unless someone creates a variant that
uses a different payload.



New filter:

'icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA &&
icmp[10]==0xAA && icmp[11]==0xAA'

-----Original Message-----
From: Eric Pancer [mailto:epancer at security.depaul.edu]
Sent: Wednesday, August 20, 2003 12:29 PM
To: Steve Bernard
Subject: Re: [unisog] Nachi/Welchia signature

On Tue, 2003-08-19 at 10:39:13 -0400, Steve Bernard proclaimed...

> I've built a tcpdump filter to search for Nachi/Welchia worm traffic. So
> I'm seeing one dial-up user whose computer is constantly pinging an
> in Yahoo's domain which resolves as, UNKNOWN-64-58-77-85.yahoo.com. The
> was sending echo-requests every 3 to 4 seconds.
> My current tcpdump filter is:
> 'icmp[icmptype]==icmp-echo && icmp[32]==0xAA && icmp[33]==0xAA &&
> icmp[34]==0xAA && icmp[35]==0xAA'
> This looks for ICMP echo-requests in which the first 4 data bytes are each
> 0xAA (hex) or 170 (decimal).
> Suggestions for improvement or simplification are welcome.

Hey Steve -

I was using this yesterday - Kudos for writing it up! It works very
well. However, have you seen any new variants? I noticed, today,
that there's still huge amounts of scans going on for icmp, but this
filter isn't picking it up. Instead I'm grabbing things through
argus and verifying using tcpdump on each IP address (ugh).

Just curious :) Thanks again.

Eric Pancer     Computer Security Response Team     DePaul University
http://security.depaul.edu/               epancer at security.depaul.edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3
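As an added example (not part of this thread or either poster's work), the following Python reimplements the corrected filter's test over constructed sample packets, so the icmp[8] offset can be checked without a live capture; the packets, the RFC 5737 addresses and the icmp_slice/matches_nachi_filter names are my own.

```python
import struct

NACHI_MARKER = b"\xAA\xAA\xAA\xAA"   # the four 0xAA bytes the filter looks for at icmp[8..11]
ICMP_ECHO_REQUEST = 8                 # tcpdump's icmp-echo
ICMP_ECHO_REPLY = 0

def icmp_slice(pkt: bytes, offset: int, length: int):
    """Bytes that tcpdump's icmp[offset:length] indexes: offset counts from the start of the
    ICMP header, which follows a variable-length IPv4 header. Returns None if the packet is
    not IPv4/ICMP or is too short (tcpdump would likewise not match it)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # version 4, protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < offset + length:
        return None
    return icmp[offset:offset + length]

def matches_nachi_filter(pkt: bytes) -> bool:
    """Equivalent of 'icmp[icmptype]==icmp-echo && icmp[8]==0xAA && ... && icmp[11]==0xAA'.
    The echo header is 8 bytes (type, code, checksum, id, seq), so icmp[8] is the first data byte."""
    icmp_type = icmp_slice(pkt, 0, 1)
    return icmp_type == bytes([ICMP_ECHO_REQUEST]) and icmp_slice(pkt, 8, 4) == NACHI_MARKER

def build_icmp_packet(icmp_type: int, payload: bytes, ip_options: bytes = b"") -> bytes:
    """Construct a sample IPv4/ICMP echo packet (synthetic test data, not a real capture).
    Checksums are left zero; the filter never inspects them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))  # RFC 5737 test addresses
    return ip_hdr + ip_options + icmp

# Constructed samples: a worm-style request, an ordinary ping, a reply, and a request with IP options.
SAMPLES = {
    "nachi_like":   build_icmp_packet(ICMP_ECHO_REQUEST, b"\xAA" * 64),
    "normal_ping":  build_icmp_packet(ICMP_ECHO_REQUEST, bytes(range(0x08, 0x38))),
    "echo_reply":   build_icmp_packet(ICMP_ECHO_REPLY, b"\xAA" * 64),
    "with_options": build_icmp_packet(ICMP_ECHO_REQUEST, b"\xAA" * 64, ip_options=b"\x01" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} match={matches_nachi_filter(pkt)}  icmp[32:4]={icmp_slice(pkt, 32, 4)}")
```

The with_options sample shows why the offset must be taken from the ICMP header rather than a fixed position in the IP packet: a 24-byte IP header shifts the data, but icmp[8] still lands on the first payload byte.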
