[unisog] Nachi and NetFlow

Mitch Collinsworth mitch at ccmr.cornell.edu
Thu Oct 30 02:12:13 GMT 2003


Today one of my staff told me about a new one he's started seeing
that manages to hide all traces of itself from NAV.  He was finally
able to find it by sharing the C: drive to another machine, mounting
it on that machine and scanning it from there.   (!)

-Mitch


On Wed, 29 Oct 2003, Lois Lehman wrote:

> We may have one case reported yesterday that would match what you are
> seeing.  The workstation was identified from a source outside our campus
> as exhibiting nachi-like behavior.  When the SA checked it out, the
> Antivirus software could not detect it.
>
> Lois Lehman
> College Network Security Manager
> Physical Sciences Computer Support Manager
> College of Liberal Arts & Sciences
> Arizona State University
> 480-965-3139
>
>
> -----Original Message-----
> From: Scott Genung [mailto:sagenung at ilstu.edu]
> Sent: Wednesday, October 29, 2003 8:37 AM
> To: unisog at sans.org
> Subject: [unisog] Nachi and NetFlow
>
> All,
>
> For those of you who are using Cisco switches with NetFlow accounting, I'm
> wondering if anyone else has tripped over a problem that I have. Last
> month, we applied a route map at the gateway for each vLAN to discard ICMP
> echo and reply messages with a fixed length of 92 bytes (one of the
> signatures for a Nachi-infected host). This was part of our continuing
> efforts to minimize the impact of Nachi as units on campus continue to
> clean infected hosts. This model also breaks traceroute sourced from a
> Windows OS, but that's another story! Anyway, we have used NetFlow to
> identify hosts that are spewing these packets so that the SAs can clean and
> patch them. Below is a small sample of what we are seeing:
>
> SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
> Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800 1
>
> If the DstIf column is set to Null, the route map has matched the packet
> sourced from the host (SrcIPaddress) and thrown it in the bit bucket. We
> literally see hundreds or thousands of these 1-packet flows from a single
> host in a 15 second interval. We're convinced that the host is infected
> with Nachi based upon this data and the fact that the user is not
> complaining about any application problems on their desktop. However, after
> reporting this information to the techs responsible for this and other
> hosts, some (not all) are coming back and telling me that they cannot find
> a worm on the host we have ID'd. They tell me that the latest version of
> Stinger (NAI) does not detect a virus. Has anyone else out there tripped
> over a flavor of Nachi that is not detectable from the desktop?
>
>
> Scott Genung
> Manager of Networking Systems
> Telecommunications and Network Support Services
> 124 Julian Hall
> Illinois State University
>
> (309)438-8731   http://www.tnss.ilstu.edu
>
>

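The network-side check Scott describes, written out as a script, is an added example and not code from this thread or from anyone posting to it. It parses the column layout of the quoted "show ip cache flow" sample, keeps only one-packet ICMP echo-request flows (Cisco prints an ICMP flow's type and code in the DstP column, so 0800 is type 8, code 0), groups them by source address and flags any host pinging many distinct destinations, counting how many of those flows the route map already sent to Null. The sample flow lines, the benign hosts (a web session, a Windows tracert, a plain ping) and the threshold of 50 distinct targets are constructed for illustration; nothing in the thread gives a threshold. The 92-byte length filter from Scott's route map is not visible in this output format, so the script relies on the fan-out pattern and the Null DstIf instead.

```python
"""Flag hosts whose NetFlow records look like a Nachi (Welchia) ICMP sweep.

Added example: parses the column layout of the 'show ip cache flow' sample
quoted in the thread and groups one-packet echo-request flows by source host.
The sample records and the alert threshold below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ICMP = 1
# Cisco prints an ICMP flow's type and code in the DstP column as
# (type << 8) | code, so 0800 is type 8, code 0: an echo request.
ECHO_REQUEST = 0x0800


@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    pkts: int


def parse_flows(text):
    """Parse whitespace-separated flow cache lines; skips the header and junk."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, pkts = parts
        flows.append(Flow(src_if, src_ip, dst_if, dst_ip,
                          int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)))
    return flows


@dataclass
class SweepStats:
    targets: set = field(default_factory=set)   # distinct destinations pinged
    echo_flows: int = 0                          # one-packet echo-request flows
    dropped: int = 0                             # of those, discarded at Null


def find_icmp_sweepers(flows, min_targets=50):
    """Return {src_ip: SweepStats} for hosts pinging >= min_targets distinct hosts.

    The signature is the thread's: many single-packet ICMP echo-request flows
    from one source to many destinations. A traceroute or an ordinary ping
    produces a multi-packet flow to one destination and is not counted.
    min_targets is a tuning assumption, not a value from the thread.
    """
    per_host = defaultdict(SweepStats)
    for f in flows:
        if f.proto != ICMP or f.dst_port != ECHO_REQUEST or f.pkts != 1:
            continue
        stats = per_host[f.src_ip]
        stats.echo_flows += 1
        stats.targets.add(f.dst_ip)
        if f.dst_if == "Null":      # route map matched and discarded it
            stats.dropped += 1
    return {ip: s for ip, s in per_host.items() if len(s.targets) >= min_targets}


def constructed_sample():
    """Constructed flow cache text (not from the thread): three benign hosts, one sweeper."""
    header = "SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts"
    rows = [
        # Web session: TCP from port 1234 to port 80, 42 packets in the flow.
        "Vl104 10.20.1.50 Vl200 10.17.10.5 06 04D2 0050 42",
        # Windows tracert: echo requests to one destination, many packets.
        "Vl104 10.20.1.77 Vl200 10.17.10.5 01 0000 0800 30",
        # A plain four-packet ping to a single target.
        "Vl104 10.20.1.60 Vl200 10.17.10.9 01 0000 0800 4",
    ]
    # Sweeper: one-packet echo requests to 200 consecutive addresses, all
    # sent to Null by the route map, mirroring the thread's sample rows.
    for third in (253, 254):
        for last in range(1, 101):
            rows.append(f"Vl104 10.20.1.89 Null 10.17.{third}.{last} 01 0000 0800 1")
    return "\n".join([header, *rows]) + "\n"


if __name__ == "__main__":
    hits = find_icmp_sweepers(parse_flows(constructed_sample()))
    for ip, s in sorted(hits.items()):
        print(f"{ip}: {len(s.targets)} targets, {s.echo_flows} echo flows, "
              f"{s.dropped} dropped at Null")
```

Run against a real capture, feed it the text of "show ip cache flow" (or the equivalent collector export) taken over a short window such as the 15 seconds Scott mentions, and tune min_targets to the fan-out you consider abnormal on that segment; the tracert and ping rows in the sample show why the check keys on distinct destinations rather than on echo-request volume alone.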