[unisog] Nachi and NetFlow

Mitch Collinsworth mitch at ccmr.cornell.edu
Thu Oct 30 04:32:40 GMT 2003


Gosh I hope so, but I guess you'll have to try and find out.  NAV is
pretty much a given at Cornell, due to there being a campus site
license.

-Mitch


On Wed, 29 Oct 2003, Lois Lehman wrote:

> Thanks Mitch!
>
> Would any of the scanning tools be able to detect this?
>
> Lois Lehman
> College Network Security Manager
> Physical Sciences Computer Support Manager
> College of Liberal Arts & Sciences
> Arizona State University
> 480-965-3139
>
>
> -----Original Message-----
> From: Mitch Collinsworth [mailto:mitch at ccmr.cornell.edu]
> Sent: Wednesday, October 29, 2003 7:12 PM
> To: Lois Lehman
> Cc: Scott Genung; unisog at sans.org
> Subject: RE: [unisog] Nachi and NetFlow
>
>
> Today one of my staff told me about a new one he's started seeing
> that manages to hide all traces of itself from NAV.  He was finally
> able to find it by sharing the C: drive to another machine, mounting
> it on that machine and scanning it from there.   (!)
>
> -Mitch
>
>
> On Wed, 29 Oct 2003, Lois Lehman wrote:
>
> > We may have one case reported yesterday that would match what you are
> > seeing.  The workstation was identified from a source outside our campus
> > as exhibiting nachi-like behavior.  When the SA checked it out, the
> > Antivirus software could not detect it.
> >
> > Lois Lehman
> > College Network Security Manager
> > Physical Sciences Computer Support Manager
> > College of Liberal Arts & Sciences
> > Arizona State University
> > 480-965-3139
> >
> >
> > -----Original Message-----
> > From: Scott Genung [mailto:sagenung at ilstu.edu]
> > Sent: Wednesday, October 29, 2003 8:37 AM
> > To: unisog at sans.org
> > Subject: [unisog] Nachi and NetFlow
> >
> > All,
> >
> > For those of you who are using Cisco switches with NetFlow accounting,
> > I'm wondering if anyone else has tripped over a problem that I have. Last
> > month, we applied a route map at the gateway for each vLAN to discard
> > ICMP echo and reply messages with a fixed length of 92 bytes (one of the
> > signatures for a Nachi infected host). This was part of our continuing
> > efforts to minimize the impact of Nachi as units on campus continue to
> > clean infected hosts. This model also breaks traceroute sourced from a
> > Windows OS but that's another story! Anyway, we have used NetFlow to
> > identify hosts that are spewing these packets so that the SAs can clean
> > and patch them. Below is a small sample of what we are seeing:
> >
> > SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
> > Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
> > Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
> > Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
> > Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
> > Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800 1
> > Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800 1
> > Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800 1
> >
> > If the DstIf column is set to Null, the route map has matched the packet
> > sourced from the host (SrcIPaddress) and thrown it in the bit bucket. We
> > literally see hundreds or thousands of these 1 packet flows from a single
> > host in a 15 second interval. We're convinced that the host is infected
> > with Nachi based upon this data and the fact the user is not complaining
> > about any application problems on their desktop. However after reporting
> > this information to the techs responsible for this and other hosts, some
> > (not all) are coming back and telling me that they cannot find a worm on
> > the host we have ID'd. They tell me that the latest version of Stinger
> > (NAI) does not detect a virus. Has anyone else out there tripped over a
> > flavor of Nachi that is not detectable from the desktop?
> >
> >
> > Scott Genung
> > Manager of Networking Systems
> > Telecommunications and Network Support Services
> > 124 Julian Hall
> > Illinois State University
> >
> > (309)438-8731   http://www.tnss.ilstu.edu
> >
> >
>
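
The triage Scott describes above, turned into a small script, as an added example that is not part of the original thread or of any tool the posters used. It parses flow-cache rows in the column layout quoted in the message (the layout Cisco IOS prints for its flow cache), keeps only ICMP echo requests (protocol 01; the DstP field of 0800 is how IOS encodes ICMP type 8, code 0) that the route map sent to the Null interface, and reports sources that probed at least a chosen number of distinct destinations. The sample rows for 10.20.1.89 are the ones quoted on the list; the 10.20.1.50 rows and the threshold value are constructed for contrast, and in practice the threshold would be set far higher, since the post reports hundreds or thousands of such flows per 15-second interval.

```python
"""Flag hosts whose dropped ICMP echo requests fan out across many destinations,
using rows in the flow-cache format quoted in the unisog thread."""
from collections import defaultdict

# Constructed sample: the 10.20.1.89 rows mirror the ones quoted in the thread;
# 10.20.1.50 is a made-up benign host whose flows are forwarded, not dropped.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800 1
Vl104         10.20.1.50      Vl200         10.17.253.10    01 0000 0800 4
Vl104         10.20.1.50      Vl200         10.17.253.10    06 0C1B 0050 12
"""

ICMP = "01"           # IP protocol number 1, shown in the Pr column
ECHO_REQUEST = "0800"  # IOS shows ICMP type*256+code in DstP; 0x0800 = type 8, code 0
DROPPED_IF = "Null"    # route map sent the packet to the bit bucket


def parse_flows(text):
    """Return one dict per data row; the header and any short lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        rows.append({
            "src_if": fields[0], "src": fields[1], "dst_if": fields[2],
            "dst": fields[3], "proto": fields[4], "src_port": fields[5],
            "dst_port": fields[6], "pkts": int(fields[7]),
        })
    return rows


def dropped_echo_sweepers(rows, min_targets):
    """Map each source to the number of distinct destinations it sent dropped
    echo requests to, keeping only sources at or above min_targets."""
    targets = defaultdict(set)
    for r in rows:
        if (r["proto"] == ICMP and r["dst_port"] == ECHO_REQUEST
                and r["dst_if"] == DROPPED_IF):
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    # Threshold of 5 is constructed for this small sample; tune it to the
    # per-interval volume actually seen on the network.
    hits = dropped_echo_sweepers(parse_flows(SAMPLE_FLOWS), 5)
    for src, n in sorted(hits.items()):
        print(f"{src}: dropped echo requests to {n} distinct hosts")
```

The fan-out count (distinct destinations per source) is a better discriminator than raw packet count here: a legitimate host pinging one unreachable address repeatedly produces many dropped packets but only one destination, while a scanning host touches a new address with nearly every flow.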


