[unisog] Nachi and NetFlow

Lois Lehman LOIS.LEHMAN at asu.edu
Thu Oct 30 01:00:45 GMT 2003


We may have one case reported yesterday that would match what you are
seeing.  The workstation was identified from a source outside our campus
as exhibiting nachi-like behavior.  When the SA checked it out, the
Antivirus software could not detect it.

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Scott Genung [mailto:sagenung at ilstu.edu] 
Sent: Wednesday, October 29, 2003 8:37 AM
To: unisog at sans.org
Subject: [unisog] Nachi and NetFlow

All,

For those of you who are using Cisco switches with NetFlow accounting, I'm
wondering if anyone else has tripped over a problem that I have. Last
month, we applied a route map at the gateway for each vLAN to discard ICMP
echo and reply messages with a fixed length of 92 bytes (one of the
signatures for a Nachi infected host). This was part of our continuing
efforts to minimize the impact of Nachi as units on campus continue to
clean infected hosts. This model also breaks traceroute sourced from a
Windows OS but that's another story! Anyway, we have used NetFlow to
identify hosts that are spewing these packets so that the SAs can clean and
patch them. Below is a small sample of what we are seeing:

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800 1

If the DstIf column is set to Null, the route map has matched the packet
sourced from the host (SrcIPaddress) and thrown it in the bit bucket. We
literally see hundreds or thousands of these 1 packet flows from a single
host in a 15 second interval. We're convinced that the host is infected
with Nachi based upon this data and the fact the user is not complaining
about any application problems on their desktop. However after reporting
this information to the techs responsible for this and other hosts, some
(not all) are coming back and telling me that they cannot find a worm on
the host we have ID'd. They tell me that the latest version of Stinger
(NAI) does not detect a virus. Has anyone else out there tripped over a
flavor of Nachi that is not detectable from the desktop?


Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University

(309)438-8731   http://www.tnss.ilstu.edu 
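The NetFlow triage Scott describes, as an added example that is not part of the original thread or either university's tooling: it parses rows in the layout of the cache-flow output quoted above (constructed sample, with one benign TCP flow and one single-ping host added for contrast), treats Pr 01 / DstP 0800 as ICMP echo request (Cisco encodes ICMP type and code in the DstP field, so 0800 is type 8, code 0), and flags any source with single-packet echo flows to more distinct destinations than an assumed threshold.

```python
"""Flag hosts emitting many single-packet ICMP echo flows in NetFlow cache output."""
from collections import defaultdict

# Constructed sample in the layout of the quoted `show ip cache flow` rows.
# 10.20.1.89 sweeps seven hosts; 10.20.1.50 sends one ping plus a normal TCP flow.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800 1
Vl104         10.20.1.50      Vl200         10.17.10.5      06 0400 0050 42
Vl104         10.20.1.50      Null          10.17.253.228   01 0000 0800 1
"""


def parse_flows(text):
    """Yield one dict per data row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    for line in lines[1:]:
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip wrapped or truncated rows
        yield dict(zip(fields, parts))


def is_echo_sweep_flow(flow):
    """ICMP (Pr 01) echo request (DstP 0800 = type 8, code 0) carrying one packet."""
    return flow["Pr"] == "01" and flow["DstP"] == "0800" and flow["Pkts"] == "1"


def suspicious_sources(text, min_targets=5):
    """Return {src_ip: distinct echo targets} for sources at or above the threshold.

    min_targets is an assumed cut-off; tune it to the polling interval in use.
    """
    targets = defaultdict(set)
    for flow in parse_flows(text):
        if is_echo_sweep_flow(flow):
            targets[flow["SrcIPaddress"]].add(flow["DstIPaddress"])
    return {src: len(dst) for src, dst in targets.items() if len(dst) >= min_targets}


if __name__ == "__main__":
    for src, count in suspicious_sources(SAMPLE_FLOWS).items():
        print(f"{src}: single-packet ICMP echo flows to {count} distinct hosts")
```

Because the check keys on flow shape rather than packet length, it still fires when the route map is not in place (DstIf is not Null), which is useful for confirming a host independently of the desktop scanner.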
