Security → Nachi the new champion bad boy

Nachi is out of control or at least on our local cable connections for one of our test systems. For example we average a Nachi ICMP ping event every seven seconds. What does this mean? Imagine that you have built a new XP system and now want to go online to use WindowsUpdate to download and install the latest patches. Your system will easily be infected before you even start to download the first patch (before you go online with a unpatched XP system enable the ICF or you will be infected within seconds of connecting to the internet). Go online with an unpatched, unprotected Win2k system you too will be infected within seconds. Is it this bad everywhere, maybe, maybe not, but it is that bad here. Nachi is a triple thread on hits, first there are the Nachi Pings (note a Nachi ping is not the same as a regular ping) second, Nachi scans TCP ports 445 and 139, and third it scans TCP port 135 and now we are starting to see an increase in secondary infections on systems which started out as Nachi infected systems. Put all this together and Nachi is easily the biggest worm in history in terms of traffic events generated, relegating even Opaserv and similar worms to what used to be an unthinkable second place on the hit parade (I didn't think it could get much worse then Opaserv, guess I was wrong).

Given the IP generation algorithm that Nachi uses we have a possible scan source of 260,100 IP Addresses and assuming that every one of them is in use (our ISP would be the happiest camper on the planet if this was actually the case, but we will use this in order to be very, very conservative), that would mean at least 2% of systems in our local net node are infected with Nachi (we have seen almost 100,000 Nachi pings from over 5,400 IP Addresses over the last 9 days). I also suspect that Nachi has some problems with its random IP generator in that it is not uniform in distribution in that if you whacked 3 or 4 local infected systems here it would drop our Nachi traffic by about 50% (can anyone else confirm this), which also means there could be additional locally infected systems from which we never see traffic.

What does all this mean? Simply there are still far too many systems that are vulnerable to attack. Nachi was released on August 18th and the media attention was significant, and yet at least 2% of systems on the internet (or at least on our net node) are still infected. That fact basically indicates that at least 2% of systems on the internet suffer from very poor security and or administration and hence continue to be vulnerable to the next mass attack (these are systems where the owner is totally unaware and doesn't include the systems which were initially infected then cleaned up). Overall this equates to millions of systems on the internet which remain vulnerable and easily enough to do serious damage. In short security awareness on the internet still has a long, long way to go before we can even begin to think the internet is safe (I personally doubt it will ever be 'safe'). Combine this with the fact that all of these systems could be set to automatically download and apply required patches, it is not a technology problem but simply a user awareness problem.

So what do the graphs show?
1. Inbound Attacks, 12582 suspicious scans or attacks consisting of 23 attacks or scans types (note this does not include Nachi pings).

2. Attacks and Scans came from 3,683 different sources. Note that 4 addresses make up almost 50% of the scans/attacks (possible indication of the lack of uniform IP generation within Nachi as these systems are Nachi infected systems).

3. Number of attacks/scans per hour. Interestingly the last couple of days the number of attacks has reduced and stabilized (we have been doing some notification of infected systems and perhaps this has been making a difference).

4. Number of ICMP events per hour for the last 9 days showing that a number of these systems must be shut off at night and evening are the time when most infected systems are online (ie home users). From a previous study we found that over 99.98% of these ICMP events were Nachi pings.

5. Port Events showing the match between TCP port 135 and 445 traffic indicative of Nachi infections. UDP port 137 traffic is from Opaserv type worms (scans for systems with available file shares, the previous bad boy king).

6. Number of unique IP addresses from which the various port traffic is originating from. Note since Nachi uses a restricted IP generation algorithm, only a few infected systems can generate a lot of local traffic (similar to Code Red. I think the original Nachi author's intention was to have a couple of systems maintain the 'security' of each node, but he vastly underestimated the number of unmaintained systems and hence the resulting overdose of Nachi traffic, ie the solution has become a problem). Opaserv type worms are not localized and use an unrestricted uniform distribution algorithm for IP generation.

I should point out for about 2 - 3 weeks we ran an automatic notification program here which sent out notification to Nachi infected systems and talking with some other people our Nachi scan rates are lower here then in other netblocks because of the notifications sent resulted in a number of systems being cleaned up.

Comments, questions, abuse, this article is meant to create discussion as to what can be done to improve security on the internet.

Thanks
Blake McNeill