New "False Positives" for Nachi tcpdump

Joshua Thomas thomasj4 at
Fri Sep 12 20:01:13 GMT 2003

We're using a tcpdump filter to look for ICMP traffic destined for external 
sources matching the Nachi worm's signature, harvesting source IPs from 
packets that match, and disabling the switch ports for the suspect host.

Until recently, we've had no reports of false positives with this 
procedure.  However, beginning this afternoon, we're receiving reports from 
our desktop support staff that some of the machines we've disabled today 
have non-vulnerable OS's (Win9x), and that other machines we've disabled 
show no signs of infection when scanned with Stinger or another up-to-date 
anti-virus application.

The ICMP traffic goes away when we disable the port.  In most cases the 
"non-vulnerable" or "scanned-clean" machine is the only device attached to 
that port.  It makes me think we're actually disabling the source of the 
traffic, but why would it be coming from those machines?

Is there a new virus that pings like Nachi, but isn't caught by current 
anti-virus definitions?

Joshua Thomas
Security Analyst
Communication Network Services
Ohio University

More information about the unisog mailing list