<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Nachi the new champion bad boy in Security</title>
<link>http://www.dslreports.com/forum/r8543683</link>
<description></description>
<language>en</language>
<pubDate>Tue, 01 Dec 2009 07:50:47 EDT</pubDate>
<lastBuildDate>Tue, 01 Dec 2009 07:50:47 EDT</lastBuildDate>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8587400</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : I would have done the same except my old W98SE box is not upgradeable to XP. So, I didn't have much of a choice. I also wanted W2000 PRO instead of XP Pro but again unless I just fork out extra money now at the store, I have to live with XP.<br><SMALL>--<br>"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny."  Victor Frankl - Man's Search for Meaning</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8587400</guid>
<pubDate>Sun, 23 Nov 2003 21:11:54 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8586730</link>
<description><![CDATA[<A HREF="/useremail/u/874633"><b>anthrorules</b></A> : That is one reason I bought a license of XP Professional from the store and upgraded my Dell computer. ;)<br><br>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8586730</guid>
<pubDate>Sun, 23 Nov 2003 19:58:43 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8586503</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : I just got a new Dell and it came with ICF enabled so Dell is doing their part in this respect.  I have XPSP1a. However, when I went to Windows Update, I found 13 critical updates waiting for me. It would not help for Microsoft to issue updates to the OEMs because at least Dell (I don't know about the others) doesn't even install XP as Microsoft sends it to them. Dell takes quite a bit of time to "tweak" XP for Dell computers and then finally installs it.  The XP CD Dell sent me is not the same as the XP CD I would get if I bought XP in the store off the shelf.  There is already a significant lag time from the time Microsoft sends an OS to the OEM before it gets on the OEM's new machines.  Sending CDs with the latest patches would not solve a thing.<br><SMALL>--<br>"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny."  Victor Frankl - Man's Search for Meaning</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8586503</guid>
<pubDate>Sun, 23 Nov 2003 19:33:31 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8560765</link>
<description><![CDATA[<A HREF="/useremail/u/864682"><b>ghost16825</b></A> : Worse, some of these patches don't patch it properly.<br>The blaster patch sometimes works and sometimes doesn't.<br>I "patched" a machine the other day and using the DCOMulator from grc it tells me it's unpatched.<br>The worrying thing about these machines is that they're free for the taking. That's thousands of machines with free processing power and free bandwidth.<br><br>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8560765</guid>
<pubDate>Thu, 20 Nov 2003 20:48:28 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8560577</link>
<description><![CDATA[<A HREF="/useremail/u/170109"><b>CylonRed</b></A> : The other thing I thought was odd - I never saw any of the typical symptoms.  My Control Panel never went nuts and my PC never re-started itself.... I would have never known had I not seen the msblast.exe in the Processes...<br><SMALL>--<br>Brian<BR>America's Army Forum Moderator and America's Army Beta Tester</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8560577</guid>
<pubDate>Thu, 20 Nov 2003 20:27:03 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8559959</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> :  <BLOCKQUOTE><SMALL>said by hoyleysox:</SMALL><HR>Good thing Nachi is supposed to 'uninstall' itself 1/1/2004...<HR></BLOCKQUOTE>That is the plan until some idiot takes a hex editor to the worm and changes the date to something like the year 3032 or something, like they did with Code Red II.  I think Nachi is going to be around for a long time.<br><br>Blake]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8559959</guid>
<pubDate>Thu, 20 Nov 2003 19:29:11 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8559248</link>
<description><![CDATA[<A HREF="/useremail/u/896245"><b>hoyleysox</b></A> : Good thing Nachi is supposed to 'uninstall' itself 1/1/2004...<br><br>Nachi has hit broadband tech support hard. Customers finally get their fast-internet working and complain that the internet is slow, because their upstream bandwidth is maxed out. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8559248</guid>
<pubDate>Thu, 20 Nov 2003 18:23:53 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8558472</link>
<description><![CDATA[<A HREF="/useremail/u/434991"><b>vfpguy</b></A> :  <BLOCKQUOTE><SMALL>said by Link Logger:</SMALL><HR>I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?<HR></BLOCKQUOTE><br><br>I do.  I run MS's SUS Server on my network server.  When I build a new computer I connect it to my network and redirect Automatic Updates to my server.  I come back in 20 minutes and the new system is up to date.<br><SMALL>--<br>"...a great, serene and peaceful future can slip from us quite as irrevocably by neglect, division and inaction, as by spectacular disaster." -- H. Truman, 6/21/56</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8558472</guid>
<pubDate>Thu, 20 Nov 2003 17:04:34 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8558350</link>
<description><![CDATA[<A HREF="/useremail/u/825971"><b>kpatz</b></A> :  <BLOCKQUOTE><SMALL>said by Randy Bell:</SMALL><HR> <BLOCKQUOTE>said by Link Logger:<HR>.. would lead me to think that the system that infected you is hiding behind a firewall and hence immune to Nachi attack ..<HR></BLOCKQUOTE>In which case, the obvious question would be: if that system was hiding behind a firewall and hence immune to Nachi attack, how did it become infected by MSBlaster?  Both Worms use the same RPC Vulnerability that cannot be exploited when the MS Patch and/or a functioning firewall are in place. ;=)<br> <HR></BLOCKQUOTE>If pings are blocked but port 135 isn't, and your machine is unpatched, Nachi won't infect, since it didn't get a response to the ping, but Blaster will.<br><br>Also, maybe the machine was behind a firewall, but someone brought in a Blaster-infected machine and plugged it into the LAN, behind the firewall, and infected the machines on the LAN.<br><br>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8558350</guid>
<pubDate>Thu, 20 Nov 2003 16:50:58 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8558312</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> :  <BLOCKQUOTE><SMALL>said by Randy Bell:</SMALL><HR>In which case, the obvious question would be: if that system was hiding behind a firewall and hence immune to Nachi attack, how did it become infected by MSBlaster?  Both Worms use the same RPC Vulnerability that cannot be exploited when the MS Patch and/or a functioning firewall are in place. ;=)<HR></BLOCKQUOTE>The most common way for this to happen is if someone connects an infected laptop to the 'protected' network, thereby infecting other systems on the network.  Second, someone installed a firewall after the system was infected (i.e. someone hears about how evil the internet is and buys a firewall and installs it without checking to see if any of their systems are already 'evil', more common with home users; this could also apply to enabling ICF on an infected XP box for example).  There are other ways but these are the most common methods that I can think of right now.<br><br>Blake]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8558312</guid>
<pubDate>Thu, 20 Nov 2003 16:48:00 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8558250</link>
<description><![CDATA[<A HREF="/useremail/u/825088"><b>ObdH</b></A> : Tell me about it bro, Nachi was on two of our Michigan servers........<br><br>sucked...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8558250</guid>
<pubDate>Thu, 20 Nov 2003 16:40:34 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8558223</link>
<description><![CDATA[<A HREF="/useremail/u/590730"><b>Randy Bell</b></A> :  <BLOCKQUOTE><SMALL>said by Link Logger:</SMALL><HR>.. would lead me to think that the system that infected you is hiding behind a firewall and hence immune to Nachi attack ..<HR></BLOCKQUOTE>In which case, the obvious question would be: if that system was hiding behind a firewall and hence immune to Nachi attack, how did it become infected by MSBlaster?  Both Worms use the same RPC Vulnerability that cannot be exploited when the MS Patch and/or a functioning firewall are in place. ;=)<br><SMALL>--<br><I>"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)</I></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8558223</guid>
<pubDate>Thu, 20 Nov 2003 16:37:38 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8557827</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : The part that interests me is that you got hit with MSBlast, which, given how effective (if you can call flooding the internet effective) Nachi/Welchia is at finding and nuking MSBlast installations, would lead me to think that the system that infected you is hiding behind a firewall and hence immune to Nachi attack, or your ISP is doing something which inhibits Nachi but not MSBlast, which would be interesting.<br><br>As you can imagine we don't have any MSBlast infected systems around here (or if there are they are extremely rare and hiding behind a firewall or short lived before Nachi gets them).<br><br>Blake]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8557827</guid>
<pubDate>Thu, 20 Nov 2003 15:57:21 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8557542</link>
<description><![CDATA[<A HREF="/useremail/u/170109"><b>CylonRed</b></A> : Got nailed as an experiment when I rebuilt my hard drive and updated without a firewall in place - got infected with blaster within seconds of being online.  When I did get my firewall I got several notices within a few seconds attacking port 135/139....<br><br>Amazing how fast this got into an unprotected system...<br><SMALL>--<br>Brian<BR>America's Army Forum Moderator and America's Army Beta Tester</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8557542</guid>
<pubDate>Thu, 20 Nov 2003 15:24:29 EDT</pubDate>
</item>

<item>
<title>Re: Nachi - map link</title>
<link>http://www.dslreports.com/forum/remark,8552557</link>
<description><![CDATA[<A HREF="/useremail/u/731068"><b>Sparrow</b></A> :  <BLOCKQUOTE><SMALL>said by EGeezer:</SMALL><HR>Hi CS, <br><br>As for a map, I have this one on an ol' browser Links bar... Data gathered from Housecall scans. <br><br> &raquo;<A HREF="http://www.trendmicro.com/map/" >www.trendmicro.com/map/</A> <br>...................<br><br><B>We can make a difference - I intend to use all the resources they provide to do my small piece to work to a more secure, private, reliable  and functional global system of communications.</B> <br><br>HTH <br>EG<br> <HR></BLOCKQUOTE>Thank you for the link, EG.  I was surprised to see that Asia is in third place.  This is precisely why I like the idea of the maps.  It is a good learning and teaching tool to show worldwide internet habits.  <br><br>The computer is not just a toy, and although we can still have fun with it, end-users need to understand the necessity of safe computing.  No matter what the extra-curricular activity one is involved in there are risks involved, and understanding what those risks are and how to avoid them are all part of playing the game.  Sometimes the old clich&eacute;s just fit.  <br><br>I think the fact that Nachi was almost (or was) designed as a counter-attack against W32/Blaster-A requires some reading between the lines. Who knows what the creator of Nachi was thinking.  They were even kind enough to apologize to Zhongli (perhaps the creator's wife?) in the hidden signature:<br><br><BLOCKQUOTE>Once running, it will attempt to remove W32/Msblast.A from that system, as well as attempting to update the system with the security patch from Microsoft which addresses this vulnerability. 
<br><br>The worm contains the following string, never exposed to the end user: <br><br>"=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice: 2004 will remove myself :)~~ sorry zhongli~~~========== wins"  <br>&raquo;<A HREF="http://www.f-prot.com/virusinfo/descriptions/nachi_A.html" >www.f-prot.com/virusinfo/descrip&middot;&middot;&middot;i_A.html</A></BLOCKQUOTE><br><br>Hopefully we will all win in the end.  <br><br>P.S. The smilies are part of the sig as well...<br><SMALL>--<br><A HREF="http://homepages.compuserve.de/DieterMatu/Franciscan/index1.html">oO^..^Oo</A> <A HREF="http://www.broadbandreports.com/forum/folding">oO^..^Oo</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8552557</guid>
<pubDate>Wed, 19 Nov 2003 23:44:59 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8549888</link>
<description><![CDATA[<A HREF="/useremail/u/804362"><b>qrkx</b></A> :  <BLOCKQUOTE><SMALL>said by Link Logger:</SMALL><HR>Comments, questions, abuse, this article is meant to create discussion as to what can be done to improve security on the internet.<br><HR></BLOCKQUOTE><br><br>If I were to throw my 50 cents in, I'd venture to say educating the IT people should be a start. Then - place some degree of responsibility on the vendors (for their claims). Educating the home user is utopian - imho.<br><br>Large ISPs should also be held liable for letting worms affect their infrastructures. With a minimum of competent staff, such outbursts can easily be controlled with ingress/egress filtering without any impact on end-user functionality.<br><br>I guess it all comes back to one thing: unless dedicated and trained personnel are at hand, there is little we can do to improve Internet security. No soft/hard vendor will ever do that. The answer could be found in having the allocated budgets to hire the necessary skilled security people to handle these things.<br><br>An analogy would be the health care system; do you start training people at home to self medicate (mmmm...self triple by-pass toolkit) or do you invest in trained professionals and relevant equipment? <br><br>How can we expect the end user to become "educated" if most - I repeat - most of the corporate IT infrastructure is largely ignorant with respect to security matters (not necessarily a fault of their own...but still)?<br><br>rgds.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8549888</guid>
<pubDate>Wed, 19 Nov 2003 19:10:13 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8549518</link>
<description><![CDATA[<A HREF="/useremail/u/590730"><b>Randy Bell</b></A> :  <BLOCKQUOTE><SMALL>said by GotGhosts:</SMALL><HR>The Microsoft updates are a fix for those security holes in the operating system. Why isn't Microsoft fixing the software before it leaves Microsoft? I suppose that would be a good question to ask Microsoft.<br><HR></BLOCKQUOTE>Probably because the security issues come out <B>after</B> the live release of the XP operating system, or even <B>after</B> major upgrades such as Service Pack 1.  If MS started issuing <B>different</B> CDs on a <B>weekly</B> basis, that would create chaos, as each CD would contain a <B>different</B> "mix" of security patches.  The practical way, the way they're doing it, is to release XP SP1 {Windows XP, Service Pack 1} on all new machines and leave it to the user to install the security patches which keep changing dynamically as new issues arise.  Out of the box, my XP Home Edition that I got with my new Compaq a couple of months ago already had the automatic updating enabled by default {see pic}.   All the user has to do is enable his {usually broadband} connection to the Net and the Windows Updates occur automagically in the background, with a SysTray Popup when downloaded and ready to install.  The main thing, as Blake {LinkLogger} has emphasized, <B>make sure to enable ICF the first thing</B>, before your first connection to the Net, to prevent Nachi or MSBlaster infection. ;-)<br><SMALL>--<br><I>"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)</I></SMALL><br><br><I>[Attached image: Default Out-of-the-Box Settings for Automatic Updates]</I>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8549518</guid>
<pubDate>Wed, 19 Nov 2003 18:27:07 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8549344</link>
<description><![CDATA[<A HREF="/useremail/u/659282"><b>GotGhosts</b></A> : <B><I>said by antiserious - did you really think H/P or Compaq or Dell or Gateway was gonna update the software for you ? ... </I></B><br><br>I asked if Microsoft was still selling the "Swiss cheese" operating systems to computer manufacturing companies. <br><br>The Microsoft updates are a fix for those security holes in the operating system. Why isn't Microsoft fixing the software before it leaves Microsoft? I suppose that would be a good question to ask Microsoft. <br><br>I wouldn't expect Dell, HP, or any other computer maker to do that. But if Microsoft updated their software before it got to the computer manufacturers that would be a huge help. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8549344</guid>
<pubDate>Wed, 19 Nov 2003 18:07:17 EDT</pubDate>
</item>

<item>
<title>Re: Nachi - map link</title>
<link>http://www.dslreports.com/forum/remark,8549096</link>
<description><![CDATA[<A HREF="/useremail/u/668609"><b>EGeezer</b></A> : Hi CS, <br><br>As for a map, I have this one on the ol' browser Links bar... Data gathered from Housecall scans. <br><br> &raquo;<A HREF="http://www.trendmicro.com/map/" >www.trendmicro.com/map/</A> <br><br>I *definitely* agree end users need to be educated! I've attended several meetings where FBI agents, US Attorneys, law enforcement and military representatives are eagerly encouraging private industry folks like myself to work with them. Their efforts are quite remarkable. <br><br>We can make a difference - I intend to use all the resources they provide to do my small piece to work to a more secure, private, reliable and functional global system of communications. <br><br>I'll post all that's appropriate for public forums here ... Any non-public or restricted items will have to be distributed through channels authorized for same. <br><br>HTH <br><br>EG<br><SMALL>--<br>I hate jogging. It makes my beer foam up...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8549096</guid>
<pubDate>Wed, 19 Nov 2003 17:39:24 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8548427</link>
<description><![CDATA[<A HREF="/useremail/u/599546"><b>Maven</b></A> : Are Windows 2000 and XP the only OSes targeted by this worm?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8548427</guid>
<pubDate>Wed, 19 Nov 2003 16:33:54 EDT</pubDate>
</item>

<item>
<title>Re: Nachi</title>
<link>http://www.dslreports.com/forum/remark,8547480</link>
<description><![CDATA[<A HREF="/useremail/u/668609"><b>EGeezer</b></A> : FYI, <br><br>I've noticed only a slight rise in 135 and 445 activity from around 20:00 UTC at one of my clients, a public sector entity located in Ohio. No problems deflecting same, only 3-6 per hour.  <br><SMALL>--<br>I hate jogging. It makes my beer foam up...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8547480</guid>
<pubDate>Wed, 19 Nov 2003 14:44:35 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8547364</link>
<description><![CDATA[<A HREF="/useremail/u/537492"><b>antiserious</b></A> : <br><I><B>said by Link Logger -"I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?"</B></I><br> <br>... my guess, virtually none - unless it's a small private shop that builds their own and helps customers get set up, and I don't know any of those around here ... I'm sure there are some, but not many ...<br> <br><I><B>said by Boris - "Microsoft is still selling the Windows XP OS software to computer companies that don't have the MS updates?"</B></I><br> <br>... hell yes ! ... you think they run off a few, re-tool the OS, then run off a few more? ... they burn the cd, ship it off, then hope the user updates ... did you really think H/P or Compaq or Dell or Gateway was gonna update the software for you ? ... if that were true I'd expect the Easter bunny to deliver my Sunday paper in a nice basket, with coffee and bagels ...<br> <br>... f w i w ...<br><br> <br><SMALL>--<br>... "Sometimes you're the Bird ... sometimes you're the Windshield" ...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8547364</guid>
<pubDate>Wed, 19 Nov 2003 14:26:58 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8546417</link>
<description><![CDATA[<A HREF="/useremail/u/731068"><b>Sparrow</b></A> :  <BLOCKQUOTE><SMALL>said by Link Logger:</SMALL><HR>You might want to look into DeepSight at Symantec which my partner and I designed and built while at SecurityFocus (my partner stayed on so now he is a Symantec kind of guy :)).  There is a free component that you can join (see &raquo;<A HREF="http://aris.securityfocus.com" >aris.securityfocus.com</A> ) and there are all sorts of global reports and analysis available (most are in the $ side however, but still there is a lot that is free).  The idea is you send your IDS logs (supported systems here &raquo;<A HREF="http://analyzer.symantec.com/requirements.asp" >analyzer.symantec.com/requirements.asp</A> ) to DeepSight and you can use DeepSight to create all sorts of reports and such.<br><br>Blake<br> <HR></BLOCKQUOTE>I will assume that help will soon be on its way here. ;)  <br><SMALL>--<br><A HREF="http://homepages.compuserve.de/DieterMatu/Franciscan/index1.html">oO^..^Oo</A> <A HREF="http://www.broadbandreports.com/forum/folding">oO^..^Oo</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8546417</guid>
<pubDate>Wed, 19 Nov 2003 12:25:06 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8545883</link>
<description><![CDATA[<A HREF="/useremail/u/197199"><b>Doctor Four</b></A> : Nachi (or Welchia as it is also known) is also quite widespread on UUNet's network, which my Earthlink connection happens to be on. On average, I would see Nachi pings (all from UUNet addresses) about once every minute or even more often than that sometimes. It really is a persistent worm.<br><SMALL>--<br>"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8545883</guid>
<pubDate>Wed, 19 Nov 2003 11:11:15 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8545676</link>
<description><![CDATA[<A HREF="/useremail/u/333588"><b>Hickerx2</b></A> :  <BLOCKQUOTE><SMALL>said by Daniel:</SMALL><HR>You mean like bandwidth utilization?  Hmm, ok -- didn't know that.  I'd think that millions of 142k messages flying around at any given second would be worse, but I am not in the know about these things.<br> <HR></BLOCKQUOTE><br><br>Sven is a mass-mailer, which is bad enough.<br>Nachi floods the network with a constant stream of pings from every infected machine. That's much more degrading to a network than mass emailing.<br><br>On top of that, the spam traversing Adelphia's network is probably more demanding than Sven mailings anyway. I average 100-150 spam emails per day and I haven't received the Sven worm in quite some time now.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8545676</guid>
<pubDate>Wed, 19 Nov 2003 10:40:05 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8545454</link>
<description><![CDATA[<A HREF="/useremail/u/659282"><b>GotGhosts</b></A> :  <BLOCKQUOTE><SMALL>quote:</SMALL><HR> <B>Blake: I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?</B><HR></BLOCKQUOTE><br><br>Microsoft is still selling the Windows XP OS software to computer companies that don't have the MS updates? I think this would be a good place for the buck to stop here!<br><br>That's like buying a brand new car without any brakes. <br><br>Something needs to be done about that, even though everyone needs to be educated on computer security.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8545454</guid>
<pubDate>Wed, 19 Nov 2003 10:09:27 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544977</link>
<description><![CDATA[<A HREF="/useremail/u/203819"><b>R2</b></A> : Understand.  Thanks.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544977</guid>
<pubDate>Wed, 19 Nov 2003 08:48:16 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544798</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : A regular ping has as packet data:<br><br>abcdefghijklmnopqrstuvwabcdefghi<br><br>whereas in a Nachi ping the packet contents are: <br><br>&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;&ordf;<br><br>Note this is supposed to be ASCII character 'AA' but it doesn't display correctly in the posting (it is also known as a 'CyberKit ping').<br><br>Also note the length of the packet data is different as well.<br><br>I'm sure the author of the Nachi worm did this by design as it allows you to identify Nachi infected systems by the content (and size) of the ping packet.<br><br>Blake<br><SMALL>--<br>&raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - Logging Software for SonicWall and 3Com<br>&raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Logging Software for Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544798</guid>
<pubDate>Wed, 19 Nov 2003 08:15:49 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544693</link>
<description><![CDATA[<A HREF="/useremail/u/203819"><b>R2</b></A> : Excuse me if this is the wrong place to ask, but could you briefly expand on this statement? <BLOCKQUOTE><SMALL>said by Link Logger:</SMALL><HR>note a Nachi ping is not the same as a regular ping<HR></BLOCKQUOTE>If you prefer, just send me to the appropriate link.  Thanks.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544693</guid>
<pubDate>Wed, 19 Nov 2003 07:50:06 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544671</link>
<description><![CDATA[<A HREF="/useremail/u/779741"><b>Khaine</b></A> : It appears that we have not and continually ignore the mistakes of the past.<br><br>That being said, there is always a minority that is aware of problems but generally cannot solve them.  I hope that we can solve the issue of user education by maximising the amount of people who visit this forum]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544671</guid>
<pubDate>Wed, 19 Nov 2003 07:45:03 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544613</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> :  <BLOCKQUOTE><SMALL>said by  Hickerx2 <A HREF="/useremail/u/333588"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR> From the user side, you're right on. From the network side, Nachi is much more malicious.<HR></BLOCKQUOTE>You mean like bandwidth utilization?  Hmm, ok -- didn't know that.  I'd think that millions of 142k messages flying around at any given second would be worse, but I am not in the know about these things.<br><SMALL>--<br>"While we are postponing, life speeds by." - Seneca</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544613</guid>
<pubDate>Wed, 19 Nov 2003 07:31:28 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544577</link>
<description><![CDATA[<A HREF="/useremail/u/333588"><b>Hickerx2</b></A> :  <BLOCKQUOTE><SMALL>said by  Daniel <A HREF="/useremail/u/168087"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>Just from my point of view, SVEN is the real demon.  It's everywhere.  I have gotten like 5 in the last few minutes -- and it's been like this for weeks now.<br> <HR></BLOCKQUOTE><br><br>From the user side, you're right on. From the network side, Nachi is much more malicious.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544577</guid>
<pubDate>Wed, 19 Nov 2003 07:16:20 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544550</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : Just from my point of view, SVEN is the real demon.  It's everywhere.  I have gotten like 5 in the last few minutes -- and it's been like this for weeks now.<br><SMALL>--<br>"While we are postponing, life speeds by." - Seneca</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544550</guid>
<pubDate>Wed, 19 Nov 2003 07:02:16 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544470</link>
<description><![CDATA[<A HREF="/useremail/u/333588"><b>Hickerx2</b></A> :  <BLOCKQUOTE><SMALL>said by  comm3 <A HREF="/useremail/u/886500"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>If you didn't know this, if you get infected and your computer is going to shut down, just set the date back a year or so and your computer won't shut down for about 360 days.<br> <HR></BLOCKQUOTE><br><br>Please don't post information unless you verify it first. People come here looking for help, and bogus information isn't helpful. The NACHI worm does not cause shutdowns.<br><br>&raquo;<A HREF="http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html" >securityresponse.symantec.com/av&middot;&middot;&middot;orm.html</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544470</guid>
<pubDate>Wed, 19 Nov 2003 06:26:49 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544173</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : You might want to look into DeepSight at Symantec, which my partner and I designed and built while at SecurityFocus (my partner stayed on, so now he is a Symantec kind of guy :)).  There is a free component that you can join (see &raquo;<A HREF="http://aris.securityfocus.com" >aris.securityfocus.com</A>) and there are all sorts of global reports and analysis available (most are on the $ side, however, but still there is a lot that is free).  The idea is you send your IDS logs (supported systems here &raquo;<A HREF="http://analyzer.symantec.com/requirements.asp" >analyzer.symantec.com/requirements.asp</A>) to DeepSight and you can use DeepSight to create all sorts of reports and such.<br><br>Blake<br><SMALL>--<br>&raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - Logging Software for SonicWall and 3Com<br>&raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Logging Software for Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544173</guid>
<pubDate>Wed, 19 Nov 2003 03:15:45 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544110</link>
<description><![CDATA[<A HREF="/useremail/u/731068"><b>Sparrow</b></A> : One thing I would like to see is a more conclusive map of the worldwide infection, as in the maps here: &raquo;<A HREF="http://www.hackerwatch.org/map/?source=DST&region=world&period=1" >www.hackerwatch.org/map/?source=&middot;&middot;&middot;period=1</A>  These maps are only showing participants in HackerWatch, which I would conclude to mean "educated" users.<br><br>I think this is a pretty fair assessment of the indiscriminate browsing habits in the US and parts of Western Europe.  I know some countries (i.e. India) cannot stay online the amount of time the average US surfer does, simply to conserve electrical power.  Fax machines are turned off at night to conserve energy.  By the same token, fewer systems become infected and/or infect others.<br><br>How to educate the average user, especially in the "first world" countries, should be the primary goal, but this is a near impossible task without interference from the powers that be (i.e. governmental regulation).  It would be a matter of privacy v. security, and we all know the uproar that would cause.  Big Brother is already thinking along these lines, as they too understand the ramifications and destruction that can, in the not-so-distant future, ensue.<br><SMALL>--<br><A HREF="http://homepages.compuserve.de/DieterMatu/Franciscan/index1.html">oO^..^Oo</A> <A HREF="http://www.broadbandreports.com/forum/folding">oO^..^Oo</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544110</guid>
<pubDate>Wed, 19 Nov 2003 02:46:19 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8544034</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : 2% is my very conservative estimate and I would agree with you in that it's likely much more.<br><br>ISPs are not set up for doing user notifications of this magnitude and I doubt they ever could, as the cost would certainly be prohibitive, and their user base would certainly balk at the increased user fees.  Most ISPs have been reducing staff, and tracking down and notifying users of infected systems is a labour intensive process, especially if you try to help people fix their systems.  I'm sure everyone here has tried to help someone over the phone with a computer problem and found it to be a frustrating experience at best.  In short, ISPs are not going to be able to help much when it comes to mass infections, nor can they be expected to for the price they charge.  Can they filter traffic?  Certainly, but can you really filter ICMP traffic, and what about the next attack vector?  Filtering, for the most part, is only a delaying tactic.<br><br>When MSBlast was released, it was likely the most anticipated worm ever, as everyone had lots of advance notice as to what vulnerability it was going to attack and even scan tools were available to locate systems vulnerable to the impending attack.  I conducted an internet survey and posted my results in the Security Forum &raquo;<A HREF="/forum/remark,7646347~root=security,1~mode=flat">Re: Defcon5? Impact if(when) Dcom worm released?</A> two days before we captured our first instance of the MSBlast worm &raquo;<A HREF="/forum/remark,7646564~root=security,1~mode=flat">New Capture on TCP port 135</A> and found that despite all the warnings little was being done to reduce the threat level.<br><br>Now we hear about new threats (&raquo;<A HREF="/forum/remark,8535590~root=security,1~mode=flat">Hackers crack latest Windows flaw</A> for example) which would seem to be an impending mass attack, and the question is: did we learn anything from MSBlast, in that preparations will be better this time?  Certainly those who are aware of such things will make preparations (or more likely will check that their normal mode of operations has already installed the required patches etc.), but once again the masses will not and we will all share in the results.<br><br>I see a foot race coming in that black hats are going to try to release their worms before Microsoft gets XP SP2 out, as enabling ICF by default is certainly going to dampen the success of worm authors (virus authors on the other hand are a different story, as social engineering will always be their most effective weapon and can defeat even the best network security).<br><br>Blake<br><SMALL>--<br>&raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - Logging Software for SonicWall and 3Com<br>&raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Logging Software for Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8544034</guid>
<pubDate>Wed, 19 Nov 2003 02:17:13 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8543809</link>
<description><![CDATA[<A HREF="/useremail/u/739779"><b>gheezer</b></A> : This is an Excellent report, although I suspect the estimate of numbers infected at 2% is way too conservative.  Here in the US, I suspect initially, at the onset of the outbreak, 10% would have been a conservative estimate.<br><br>By my own observations with another American ISP, I suspect they had 10's of THOUSANDS of infected users (MILLIONS nationwide...!).<br><br>I understand they have given up on notifying infected users, and have been actively shutting down infected workstations for some time now.  But with 10's of thousands of infected users, and only so many hours a day, and only so many bodies available to actively search for infected users.....and let's not forget, newly infected users come on line every day....well......it's an uphill battle.<br><br>It's a shame it had to come to that though....truly.<br><br>But your explanation of the IP scanning algorithm, and the SCAN effect on local bandwidth, clearly demonstrates how devastating just a COUPLE infected machines can be on a whole community.<br><br>Nachi EATS bandwidth....massively.<br><br>I am linking to this article from a couple other forums.<br><SMALL>--<br>Join the NAVY, see the world....It's mostly water!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8543809</guid>
<pubDate>Wed, 19 Nov 2003 01:19:33 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8543790</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> :  <BLOCKQUOTE><SMALL>said by  catseyenu <A HREF="/useremail/u/517760"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>Saw a test where it took less than 6 seconds for infection after connecting an unpatched XP box.<HR></BLOCKQUOTE>I don't think Microsoft has any option concerning enabling the ICF by default in the upcoming XP SP2; it has to be done.  If users disable it then they do so at their own risk, and hopefully they realize that and take appropriate steps to maintain their security.<br><br>I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?<br><br>Does anyone have CPU utilization stats surrounding the Nachi worm, as I would think it eats a fair bit of CPU?<br><br>Blake<br><SMALL>--<br>&raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - Logging Software for SonicWall and 3Com<br>&raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Logging Software for Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8543790</guid>
<pubDate>Wed, 19 Nov 2003 01:16:16 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8543779</link>
<description><![CDATA[<A HREF="/useremail/u/886500"><b>comm3</b></A> : If you didn't know this, if you get infected and your computer is going to shut down, just set the date back a year or so and your computer won't shut down for about 360 days.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8543779</guid>
<pubDate>Wed, 19 Nov 2003 01:13:20 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8543683</link>
<description><![CDATA[<A HREF="/useremail/u/517760"><b>catseyenu</b></A> : Saw a test where it took less than 6 seconds for infection after connecting an unpatched XP box.<br>The days of the "ignorance is bliss" user are about over.<br>I fear the consequences of protecting "users" will cost the rest of us.<br><SMALL>--<br>Cox Support Arrogance... faster than you can say overpriced.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8543683</guid>
<pubDate>Wed, 19 Nov 2003 00:54:27 EDT</pubDate>
</item>

<item>
<title>Re: Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8543550</link>
<description><![CDATA[<A HREF="/useremail/u/731068"><b>Sparrow</b></A> : Blake, just giving this a lift.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8543550</guid>
<pubDate>Wed, 19 Nov 2003 00:26:57 EDT</pubDate>
</item>

<item>
<title>Nachi the new champion bad boy</title>
<link>http://www.dslreports.com/forum/remark,8534412</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Nachi is out of control, or at least on our local cable connections for one of our test systems.  For example we average a Nachi ICMP ping event every seven seconds.  What does this mean?  Imagine that you have built a new XP system and now want to go online to use WindowsUpdate to download and install the latest patches.  Your system will easily be infected before you even start to download the first patch (before you go online with an unpatched XP system enable the ICF or you will be infected within seconds of connecting to the internet).  Go online with an unpatched, unprotected Win2k system and you too will be infected within seconds.  Is it this bad everywhere?  Maybe, maybe not, but it is that bad here.  Nachi is a triple threat on hits: first there are the Nachi Pings (note a Nachi ping is not the same as a regular ping), second, Nachi scans TCP ports 445 and 139, and third it scans TCP port 135, and now we are starting to see an increase in secondary infections on systems which started out as Nachi infected systems.  Put all this together and Nachi is easily the biggest worm in history in terms of traffic events generated, relegating even Opaserv and similar worms to what used to be an unthinkable second place on the hit parade (I didn't think it could get much worse than Opaserv, guess I was wrong).<br><br>Given the IP generation algorithm that Nachi uses we have a possible scan source of 260,100 IP Addresses and assuming that every one of them is in use (our ISP would be the happiest camper on the planet if this was actually the case, but we will use this in order to be very, very conservative), that would mean at least 2% of systems in our local net node are infected with Nachi (we have seen almost 100,000 Nachi pings from over 5,400 IP Addresses over the last 9 days).  I also suspect that Nachi has some problems with its random IP generator in that it is not uniform in distribution, in that if you whacked 3 or 4 local infected systems here it would drop our Nachi traffic by about 50% (can anyone else confirm this), which also means there could be additional locally infected systems from which we never see traffic.<br><br>What does all this mean?  Simply that there are still far too many systems that are vulnerable to attack.  Nachi was released on August 18th and the media attention was significant, and yet at least 2% of systems on the internet (or at least on our net node) are still infected.  That fact basically indicates that at least 2% of systems on the internet suffer from very poor security and/or administration and hence continue to be vulnerable to the next mass attack (these are systems where the owner is totally unaware, and this doesn't include the systems which were initially infected then cleaned up).  Overall this equates to millions of systems on the internet which remain vulnerable, and easily enough to do serious damage.  In short, security awareness on the internet still has a long, long way to go before we can even begin to think the internet is safe (I personally doubt it will ever be 'safe').  Combine this with the fact that all of these systems could be set to automatically download and apply required patches, and it is not a technology problem but simply a user awareness problem.<br><br>So what do the graphs show?<br>1. Inbound Attacks: 12582 suspicious scans or attacks consisting of 23 attack or scan types (note this does not include Nachi pings).<br><br>2. Attacks and Scans came from 3,683 different sources.  Note that 4 addresses make up almost 50% of the scans/attacks (possible indication of the lack of uniform IP generation within Nachi as these systems are Nachi infected systems).<br><br>3. Number of attacks/scans per hour.  Interestingly the last couple of days the number of attacks has reduced and stabilized (we have been doing some notification of infected systems and perhaps this has been making a difference).<br><br>4. Number of ICMP events per hour for the last 9 days, showing that a number of these systems must be shut off at night and evenings are the time when most infected systems are online (i.e. home users).  From a previous study we found that over 99.98% of these ICMP events were Nachi pings.<br><br>5. Port Events showing the match between TCP port 135 and 445 traffic indicative of Nachi infections.  UDP port 137 traffic is from Opaserv type worms (scans for systems with available file shares, the previous bad boy king).<br><br>6. Number of unique IP addresses from which the various port traffic is originating.  Note since Nachi uses a restricted IP generation algorithm, only a few infected systems can generate a lot of local traffic (similar to Code Red.  I think the original Nachi author's intention was to have a couple of systems maintain the 'security' of each node, but he vastly underestimated the number of unmaintained systems and hence the resulting overdose of Nachi traffic, i.e. the solution has become a problem).  Opaserv type worms are not localized and use an unrestricted uniform distribution algorithm for IP generation.<br><br>I should point out that for about 2 - 3 weeks we ran an automatic notification program here which sent out notifications to Nachi infected systems, and talking with some other people, our Nachi scan rates are lower here than in other netblocks because the notifications sent resulted in a number of systems being cleaned up.<br><br>Comments, questions, abuse: this article is meant to create discussion as to what can be done to improve security on the internet.<br><br>Thanks<br>Blake McNeill<br><SMALL>--<br>&raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - Logging Software for SonicWall and 3Com<br>&raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Logging Software for Linksys, Netgear and Zyxel</SMALL><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/8534412?c=470098&ret=L2ZvcnVtL3I4NTQzNjgzLnhtbA%3D%3D"><IMG class="apic" BORDER=0 TITLE="9452 bytes" WIDTH=600 HEIGHT=201 SRC="/r0/download/470098.thumb600~b5e9b4f86ce43ca65bd79c894c4a924c/1.gif/thumb.jpg" ALT="Click for full size"></A></TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/8534412?c=470099&ret=L2ZvcnVtL3I4NTQzNjgzLnhtbA%3D%3D"><IMG class="apic" BORDER=0 TITLE="8889 bytes" WIDTH=600 HEIGHT=201 SRC="/r0/download/470099.thumb600~274a01ad7ad7ad7d73d5f0b399ae5db2/2.gif/thumb.jpg" ALT="Click for full size"></A></TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/8534412?c=470100&ret=L2ZvcnVtL3I4NTQzNjgzLnhtbA%3D%3D"><IMG class="apic" BORDER=0 TITLE="10090 bytes" WIDTH=600 HEIGHT=189 SRC="/r0/download/470100.thumb600~068ae40523a24c9ef54edefd375e542d/3.gif/thumb.jpg" ALT="Click for full size"></A></TD></TR><TR><TD 
ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/8534412?c=470101&ret=L2ZvcnVtL3I4NTQzNjgzLnhtbA%3D%3D"><IMG class="apic" BORDER=0 TITLE="7191 bytes" WIDTH=600 HEIGHT=142 SRC="/r0/download/470101.thumb600~8f173d0eaffc4b90c0c0361b8f37cc17/4.gif/thumb.jpg" ALT="Click for full size"></A></TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/8534412?c=470102&ret=L2ZvcnVtL3I4NTQzNjgzLnhtbA%3D%3D"><IMG class="apic" BORDER=0 TITLE="12084 bytes" WIDTH=600 HEIGHT=177 SRC="/r0/download/470102.thumb600~6a0fe32c3736658bde52846b7df05e01/5.gif/thumb.jpg" ALT="Click for full size"></A></TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/8534412?c=470103&ret=L2ZvcnVtL3I4NTQzNjgzLnhtbA%3D%3D"><IMG class="apic" BORDER=0 TITLE="10049 bytes" WIDTH=600 HEIGHT=145 SRC="/r0/download/470103.thumb600~bde7cf9049e122a728d29f2213bb2b67/6.gif/thumb.jpg" ALT="Click for full size"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8534412</guid>
<pubDate>Tue, 18 Nov 2003 03:46:36 EDT</pubDate>
</item>

</channel>
</rss>
