[unisog] Nachi and NetFlow

Lois Lehman LOIS.LEHMAN at asu.edu
Thu Oct 30 17:46:31 GMT 2003


After further investigation, I found that the workstation that was
reported to be flooding a server with ICMP type 8 packets was not the
culprit.  Someone is obviously spoofing the IP address of that
workstation as it was turned off while the activity continued.

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Lois Lehman 
Sent: Wednesday, October 29, 2003 7:49 PM
To: Mitch Collinsworth
Cc: Scott Genung; unisog at sans.org
Subject: RE: [unisog] Nachi and NetFlow

Thanks Mitch!

Would any of the scanning tools be able to detect this? 

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Mitch Collinsworth [mailto:mitch at ccmr.cornell.edu] 
Sent: Wednesday, October 29, 2003 7:12 PM
To: Lois Lehman
Cc: Scott Genung; unisog at sans.org
Subject: RE: [unisog] Nachi and NetFlow


Today one of my staff told me about a new one he's started seeing
that manages to hide all traces of itself from NAV.  He was finally
able to find it by sharing the C: drive to another machine, mounting
it on that machine and scanning it from there.   (!)

-Mitch


On Wed, 29 Oct 2003, Lois Lehman wrote:

> We may have one case reported yesterday that would match what you are
> seeing.  The workstation was identified from a source outside our campus
> as exhibiting nachi-like behavior.  When the SA checked it out, the
> Antivirus software could not detect it.
>
> Lois Lehman
> College Network Security Manager
> Physical Sciences Computer Support Manager
> College of Liberal Arts & Sciences
> Arizona State University
> 480-965-3139
>
>
> -----Original Message-----
> From: Scott Genung [mailto:sagenung at ilstu.edu]
> Sent: Wednesday, October 29, 2003 8:37 AM
> To: unisog at sans.org
> Subject: [unisog] Nachi and NetFlow
>
> All,
>
> For those of you who are using Cisco switches with NetFlow accounting, I'm
> wondering if anyone else has tripped over a problem that I have. Last
> month, we applied a route map at the gateway for each vLAN to discard ICMP
> echo and reply messages with a fixed length of 92 bytes (one of the
> signatures for a Nachi infected host). This was part of our continuing
> efforts to minimize the impact of Nachi as units on campus continue to
> clean infected hosts. This model also breaks traceroute sourced from a
> Windows OS but that's another story! Anyway, we have used NetFlow to
> identify hosts that are spewing these packets so that the SAs can clean
> and patch them. Below is a small sample of what we are seeing:
>
> SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
> Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800 1
> Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800 1
>
> If the DstIf column is set to Null, the route map has matched the packet
> sourced from the host (SrcIPaddress) and thrown it in the bit bucket. We
> literally see hundreds or thousands of these 1 packet flows from a single
> host in a 15 second interval. We're convinced that the host is infected
> with Nachi based upon this data and the fact the user is not complaining
> about any application problems on their desktop. However after reporting
> this information to the techs responsible for this and other hosts, some
> (not all) are coming back and telling me that they cannot find a worm on
> the host we have ID'd. They tell me that the latest version of Stinger
> (NAI) does not detect a virus. Has anyone else out there tripped over a
> flavor of Nachi that is not detectable from the desktop?
>
>
> Scott Genung
> Manager of Networking Systems
> Telecommunications and Network Support Services
> 124 Julian Hall
> Illinois State University
>
> (309)438-8731   http://www.tnss.ilstu.edu
>
>
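As an added example (not code from anyone in this thread), the following Python applies Scott's NetFlow heuristic to `show ip cache flow` style records: one source emitting many single-packet ICMP echo flows (Pr 01, DstP 0800) to distinct destinations. The sample records are constructed to match the format quoted above, and the check also reports the ingress interface (SrcIf), because, as Lois found, the source address of such a flood can be spoofed and the input interface is what points at the real sender.

```python
"""Flag Nachi-style ICMP echo sweeps in Cisco 'show ip cache flow' output.

Added example, not from the unisog thread. Field meanings follow the
quoted sample: Pr 01 is ICMP, DstP 0800 is ICMP type 8 (echo request)
code 0, and DstIf Null means the gateway route map discarded the packet.
"""
from collections import defaultdict

# Constructed sample: one sweeping host, one normal TCP flow, one host
# sending a few echo requests to a single destination (not a sweep).
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800 1
Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800 1
Vl104         10.20.1.77      Vl200         10.17.40.10     06 0C1A 0050 42
Vl104         10.20.1.12      Vl200         10.17.253.5     01 0000 0800 3
"""


def parse_flows(text):
    """Yield one dict per flow record, skipping the header and junk lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, proto, _sport, dport, pkts = fields
        yield {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
               "proto": int(proto, 16), "dport": dport, "pkts": int(pkts)}


def find_sweepers(text, min_targets=3):
    """Return {src: {"targets": n, "src_ifs": [...]}} for hosts whose
    one-packet ICMP echo-request flows reach at least min_targets
    distinct destinations. DstIf is not required to be Null, so the
    check also works where no discarding route map is in place."""
    targets = defaultdict(set)
    ingress = defaultdict(set)
    for f in parse_flows(text):
        if f["proto"] == 1 and f["dport"] == "0800" and f["pkts"] == 1:
            targets[f["src"]].add(f["dst"])
            ingress[f["src"]].add(f["src_if"])
    return {src: {"targets": len(dsts), "src_ifs": sorted(ingress[src])}
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, info in find_sweepers(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} targets via {info['src_ifs']}")
```

Before sending a ticket to the SA, compare the reported SrcIf against the VLAN and switch port the address should live on; a mismatch, or activity that continues after the machine is powered off, points to a spoofed source rather than that host.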


