Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

3 recommendations

Nachi the new champion bad boy

Nachi is out of control, or at least on our local cable connections for one of our test systems. For example, we average a Nachi ICMP ping event every seven seconds. What does this mean? Imagine that you have built a new XP system and now want to go online to use WindowsUpdate to download and install the latest patches. Your system will easily be infected before you even start to download the first patch (before you go online with an unpatched XP system, enable the ICF or you will be infected within seconds of connecting to the internet). Go online with an unpatched, unprotected Win2k system and you too will be infected within seconds. Is it this bad everywhere? Maybe, maybe not, but it is that bad here. Nachi is a triple threat on hits: first there are the Nachi pings (note a Nachi ping is not the same as a regular ping), second, Nachi scans TCP ports 445 and 139, and third it scans TCP port 135, and now we are starting to see an increase in secondary infections on systems which started out as Nachi infected systems. Put all this together and Nachi is easily the biggest worm in history in terms of traffic events generated, relegating even Opaserv and similar worms to what used to be an unthinkable second place on the hit parade (I didn't think it could get much worse than Opaserv, guess I was wrong).

Given the IP generation algorithm that Nachi uses we have a possible scan source of 260,100 IP addresses, and assuming that every one of them is in use (our ISP would be the happiest camper on the planet if this was actually the case, but we will use this in order to be very, very conservative), that would mean at least 2% of systems in our local net node are infected with Nachi (we have seen almost 100,000 Nachi pings from over 5,400 IP addresses over the last 9 days). I also suspect that Nachi has some problems with its random IP generator in that it is not uniform in distribution: if you whacked 3 or 4 local infected systems here it would drop our Nachi traffic by about 50% (can anyone else confirm this?), which also means there could be additional locally infected systems from which we never see traffic.

What does all this mean? Simply that there are still far too many systems that are vulnerable to attack. Nachi was released on August 18th and the media attention was significant, and yet at least 2% of systems on the internet (or at least on our net node) are still infected. That fact basically indicates that at least 2% of systems on the internet suffer from very poor security and/or administration and hence continue to be vulnerable to the next mass attack (these are systems where the owner is totally unaware, and doesn't include the systems which were initially infected then cleaned up). Overall this equates to millions of systems on the internet which remain vulnerable, and easily enough to do serious damage. In short, security awareness on the internet still has a long, long way to go before we can even begin to think the internet is safe (I personally doubt it will ever be 'safe'). Combine this with the fact that all of these systems could be set to automatically download and apply required patches, and it is not a technology problem but simply a user awareness problem.

So what do the graphs show?
1. Inbound Attacks, 12582 suspicious scans or attacks consisting of 23 attack or scan types (note this does not include Nachi pings).

2. Attacks and Scans came from 3,683 different sources. Note that 4 addresses make up almost 50% of the scans/attacks (possible indication of the lack of uniform IP generation within Nachi as these systems are Nachi infected systems).

3. Number of attacks/scans per hour. Interestingly the last couple of days the number of attacks has reduced and stabilized (we have been doing some notification of infected systems and perhaps this has been making a difference).

4. Number of ICMP events per hour for the last 9 days, showing that a number of these systems must be shut off at night and evenings are the time when most infected systems are online (i.e. home users). From a previous study we found that over 99.98% of these ICMP events were Nachi pings.

5. Port Events showing the match between TCP port 135 and 445 traffic indicative of Nachi infections. UDP port 137 traffic is from Opaserv type worms (scans for systems with available file shares, the previous bad boy king).

6. Number of unique IP addresses from which the various port traffic is originating. Note since Nachi uses a restricted IP generation algorithm, only a few infected systems can generate a lot of local traffic (similar to Code Red; I think the original Nachi author's intention was to have a couple of systems maintain the 'security' of each node, but he vastly underestimated the number of unmaintained systems and hence the resulting overdose of Nachi traffic, i.e. the solution has become a problem). Opaserv type worms are not localized and use an unrestricted uniform distribution algorithm for IP generation.

I should point out that for about 2 - 3 weeks we ran an automatic notification program here which sent out notifications to Nachi infected systems, and talking with some other people, our Nachi scan rates are lower here than in other netblocks because the notifications sent resulted in a number of systems being cleaned up.

Comments, questions, abuse: this article is meant to create discussion as to what can be done to improve security on the internet.

Thanks
Blake McNeill
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Com
»www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

Blake, just giving this a lift.



catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
reply to Link Logger

Saw a test where it took less than 6 seconds for infection after connecting an unpatched XP box.
The days of the "ignorance is bliss" user is about over.
I fear the consequences of protecting "users" will cost the rest of us.
--
Cox Support Arrogance... faster than you can say overpriced.


comm3

join:2003-10-12
Burnaby, BC
reply to Link Logger

If you didn't know this, if you get infected and your computer is going to shut down, just set the date back a year or so and your computer won't shut down for about 360 days.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to catseyenu

said by catseyenu:
Saw a test where it took less than 6 seconds for infection after connecting an unpatched XP box.
I don't think Microsoft has any option concerning enabling the ICF by default in the upcoming XP SP2, it has to be done. If users disable it then they do so at their own risk and hopefully they realize that and take appropriate steps to maintain their security.

I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?

Does anyone have CPU utilizations stats surround the Nachi worm as I would think it eats a fair bit of CPU?

Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Com
»www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY

1 recommendation

reply to catseyenu

This is an excellent report, although I suspect the estimate of numbers infected at 2% is way too conservative. Here in the US, I suspect initially, at the onset of the outbreak, 10% would have been a conservative estimate.

By my own observations with another American ISP, I suspect they had 10's of THOUSANDS of infected users. (MILLIONS nationwide...!)

I understand they have given up on notifying infected users, and have been actively shutting down infected workstations for some time now. But with 10's of thousands of infected users, and only so many hours a day, and only so many bodies available to actively search for infected users.....and let's not forget, newly infected users come on line every day....well......it's an uphill battle.

It's a shame it had to come to that though....truly.

But your explanation of the IP scanning algorithm, and the SCAN effect on local bandwidth, clearly demonstrates how devastating just a COUPLE of infected machines can be on a whole community.

Nachi EATS bandwidth....massively.

I am linking to this article from a couple other forums.
--
Join the NAVY, see the world....It's mostly water!



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

2% is my very conservative estimate and I would agree with you in that it's likely much more.

ISPs are not set up for doing user notifications of this magnitude and I doubt they ever could, as the cost would certainly be prohibitive, as their user base would certainly balk at the increased user fees. Most ISPs have been reducing staff, and to track down and notify users of infected systems is a labour intensive process, especially if you try to help people fix their systems. I'm sure everyone here has tried to help someone over the phone with a computer problem and found it to be a frustrating experience at best. In short, ISPs are not going to be able to help much when it comes to mass infections, nor can they be expected to for the price they charge. Can they filter traffic? Certainly, but can you really filter ICMP traffic, what about the next attack vector, and filtering for the most part is only a delaying tactic.

When MSBlast was released, it was likely the most anticipated worm ever, as everyone had lots of advance notice as to what vulnerability it was going to attack, and even scan tools were available to locate systems vulnerable to the impending attack. I conducted an internet survey and posted my results in the Security Forum »Re: Defcon5? Impact if(when) Dcom worm released? two days before we captured our first instance of the MSBlast worm »New Capture on TCP port 135 and found that despite all the warnings little was being done to reduce the threat level.

Now we hear about new threats, »Hackers crack latest Windows flaw for example, which would seem to be an impending mass attack, and the question is: did we learn anything from MSBlast, in that preparations will be better this time? Certainly those who are aware of such things will make preparations (or more likely will check that their normal mode of operations has already installed the required patches etc), but once again the masses will not and we will all share in the results.

I see a foot race coming in that Black hats are going to try to release their worms before Microsoft gets XP SP2 out as enabling ICF by default is certainly going to dampen the success of worm authors (virus authors on the other hand are a different story as social engineering will always be their most effective weapon and can defeat even the best network security).

Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Com
»www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel



Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to Link Logger

One thing I would like to see is a more conclusive map of the worldwide infection as in the maps here: »www.hackerwatch.org/map/?source=···period=1 These maps are only showing participants in HackerWatch, which I would conclude to mean, "educated" users.

I think this is a pretty fair assessment of the indiscriminate browsing habits in the US, and parts of Western Europe. I know some countries (i.e.: India) can not stay online the amount of time the average US surfer does, simply to conserve electrical power. Fax machines are turned off at night to conserve energy. By the same token, fewer systems become infected and/or infect others.

How to educate the average user, especially in the "first world" countries should be the primary goal, but this is a near impossible task without interference from the powers that be (i.e.: governmental regulation). It would be a matter of privacy v. security, and we all know the uproar that would cause. Big Brother is already thinking along these lines, as they too understand the ramifications and destruction that can, in the not-so-distant future ensue.

--
oO^..^Oo oO^..^Oo



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

You might want to look into DeepSight at Symantec which my partner and myself designed and built while at SecurityFocus (my partner stayed on so now he is a Symantec kind of guy). There is a free component that you can join (see »aris.securityfocus.com ) and there are all sorts of global reports and analysis available (most are on the $ side however, but still there is a lot that is free). The idea is you send your IDS logs (supported systems here »analyzer.symantec.com/requirements.asp ) to DeepSight and you can use DeepSight to create all sorts of reports and such.

Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Com
»www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


Hickerx2
God Bless The U.S. Military

join:2001-03-04
Franklinville, NY
reply to comm3

said by comm3:
If you didn't know this, if you get infected and your computer is going to shut down, just set the date back a year or so and your computer won't shut down for about 360 days.

Please don't post information unless you verify it first. People come here looking for help, and bogus information isn't helpful. The NACHI worm does not cause shutdowns.

»securityresponse.symantec.com/av···orm.html


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA
reply to Link Logger

Just from my point of view, SVEN is the real demon. It's everywhere. I have gotten like 5 in the last few minutes -- and it's been like this for weeks now.
--
"While we are postponing, life speeds by." - Seneca


Hickerx2
God Bless The U.S. Military

join:2001-03-04
Franklinville, NY

said by Daniel:
Just from my point of view, SVEN is the real demon. It's everywhere. I have gotten like 5 in the last few minutes -- and it's been like this for weeks now.

From the user side, you're right on. From the network side, Nachi is much more malicious.


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA
Reviews:
·webpass.net

said by Hickerx2:
From the user side, you're right on. From the network side, Nachi is much more malicious.
You mean like bandwidth utilization? Hmm, ok -- didn't know that. I'd think that millions of 142k messages flying around at any given second would be worse, but I am not in the know about these things.
--
"While we are postponing, life speeds by." - Seneca


Khaine

join:2003-03-03
Australia
reply to Link Logger

It appears that we have not learned from, and continually ignore, the mistakes of the past.

That being said, there is always a minority that is aware of problems but generally cannot solve them. I hope that we can solve the issue of user education by maximising the amount of people who visit this forum.



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1
reply to Link Logger

Excuse me if this is the wrong place to ask, but could you briefly expand on this statement?

said by Link Logger:
note a Nachi ping is not the same as a regular ping
If you prefer, just send me to the appropriate link. Thanks.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

A regular ping has as packet data:

abcdefghijklmnopqrstuvwabcdefghi

whereas in a Nachi ping the packet contents are:

ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª

Note this is supposed to be ASCII character 'AA' but it doesn't display correctly in the posting (it is also known as a 'CyberKit ping').

Also note the length of the packet data is different as well.

I'm sure the author of the Nachi worm did this by design, as it allows you to identify Nachi infected systems by the content (and size) of the ping packet.

Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Com
»www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
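The payload difference Blake describes above (and the "Nachi ping is not the same as a regular ping" remark in the opening post) is easy to turn into a detection rule. The following is an added example, not code from the thread or from LinkLogger: it builds ICMP echo requests with valid RFC 1071 checksums, parses them back, labels the payload as a standard 32-byte Windows ping, a 64-byte run of 0xAA (the Welchia/Nachi payload), or something else, and tallies which sources sent Nachi-style pings. The packets and addresses are constructed for the example.

```python
import struct
from collections import Counter

# Payloads quoted in the thread: a standard Windows ping carries 32 bytes of
# alphabet text; a Nachi (Welchia) ping carries 64 bytes of 0xAA.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
NACHI_PING_PAYLOAD = b"\xaa" * 64

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_request(packet: bytes):
    """Return (ident, seq, payload) for a well-formed echo request, else None."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REQUEST or code != 0:
        return None
    # A packet whose checksum field is correct sums to zero over the whole packet.
    if icmp_checksum(packet) != 0:
        return None
    return ident, seq, packet[8:]


def classify_payload(payload: bytes) -> str:
    """Label an echo-request payload the way the thread distinguishes pings."""
    if payload == NACHI_PING_PAYLOAD:          # 64 bytes of 0xAA, length checked too
        return "nachi-ping"
    if payload == WINDOWS_PING_PAYLOAD:        # 32-byte alphabet pattern
        return "windows-ping"
    return "other"


def summarise(observations):
    """Count labels and collect sources that sent Nachi-style pings.
    observations: iterable of (source_ip, raw_icmp_packet)."""
    labels = Counter()
    nachi_sources = set()
    for src, pkt in observations:
        parsed = parse_echo_request(pkt)
        if parsed is None:
            labels["invalid-or-not-echo"] += 1
            continue
        label = classify_payload(parsed[2])
        labels[label] += 1
        if label == "nachi-ping":
            nachi_sources.add(src)
    return labels, sorted(nachi_sources)


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE = [
    ("192.0.2.10", build_echo_request(0x0200, 1, NACHI_PING_PAYLOAD)),
    ("192.0.2.10", build_echo_request(0x0200, 2, NACHI_PING_PAYLOAD)),
    ("192.0.2.77", build_echo_request(0x0300, 1, NACHI_PING_PAYLOAD)),
    ("198.51.100.5", build_echo_request(0x0100, 1, WINDOWS_PING_PAYLOAD)),
    ("198.51.100.9", build_echo_request(0x0100, 1, b"\xaa" * 32)),  # right byte, wrong size
    ("198.51.100.9", b"\x08\x00\x00\x00\x00\x01\x00\x01" + NACHI_PING_PAYLOAD),  # bad checksum
]

if __name__ == "__main__":
    counts, sources = summarise(SAMPLE)
    print(dict(counts))
    print("Nachi-style sources:", sources)
```

The size check matters as much as the byte value: the thread notes both the content and the length differ, so a 32-byte run of 0xAA is deliberately not labelled as Nachi.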



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Understand. Thanks.



GotGhosts
Premium
join:2002-07-16
boo
reply to Link Logger

said by Blake:
I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?

Microsoft is still selling the Windows XP OS software to computer companies that don't have the MS updates? I think this would be a good place for the buck to stop!

That's like buying a brand new car without any brakes.

Something needs to be done about that, even though everyone needs to be educated on computer security.

Hickerx2
God Bless The U.S. Military

join:2001-03-04
Franklinville, NY
reply to Daniel

said by Daniel:
You mean like bandwidth utilization? Hmm, ok -- didn't know that. I'd think that millions of 142k messages flying around at any given second would be worse, but I am not in the know about these things.

Sven is a mass-mailer, which is bad enough.
Nachi floods the network with a constant stream of pings from every infected machine. That's much more degrading to a network than mass emailing.

On top of that, the spam traversing Adelphia's network is probably more demanding than Sven mailings anyway. I average 100-150 spam emails per day and I haven't received the Sven worm in quite some time now.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Link Logger

Nachi (or Welchia as it is also known) is also quite widespread on UUNet's network, which my Earthlink connection happens to be on. On average, I would see Nachi pings (all from UUNet addresses) about once every minute or even more often than that sometimes. It really is a persistent worm.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.



Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to Link Logger

said by Link Logger:
You might want to look into DeepSight at Symantec which my partner and myself designed and built while at SecurityFocus (my partner stayed on so now he is a Symantec kind of guy ). There is a free component that you can join (see »aris.securityfocus.com ) and there are all sorts of global reports and analysis available(most are in the $ side however, but still there is a lot that is free). The idea is you send your IDS logs (supported systems here »analyzer.symantec.com/requirements.asp ) to DeepSight and you can use DeepSight to create all sorts of reports and such.

Blake

I will assume that help will soon be on its way here.
--
oO^..^Oo oO^..^Oo


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA
Reviews:
·Comcast
reply to Link Logger


said by Link Logger -"I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?"

... my guess, virtually none - unless it's a small private shop that builds their own and helps customers get set up, and I don't know any of those around here ... I'm sure there are some, but not many ...

said by Boris - "Microsoft is still selling the Windows XP OS software to computer companies that don't have the MS updates?"

... hell yes ! ... you think they run off a few, re-tool the OS, then run off a few more? ... they burn the cd, ship it off, then hope the user updates ... did you really think H/P or Compaq or Dell or Gateway was gonna update the software for you ? ... if that were true I'd expect the Easter bunny to deliver my Sunday paper in a nice basket, with coffee and bagels ...

... f w i w ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to Link Logger

Re: Nachi

FYI,

I've noticed only a slight rise in 135 and 445 activity from around 20:00 UCT at one of my clients, a public sector entity located in Ohio. No problems deflecting same, only 3-6 per hour.
--
I hate jogging. It makes my beer foam up...



Maven
Premium
join:2002-03-12
Canada
reply to Link Logger

Re: Nachi the new champion bad boy

Are Windows 2000 and XP the only OSes targeted by this worm?



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to Sparrow

Re: Nachi - map link

Hi CS,

As for a map, I have this one on the ol' browser Links bar... Data gathered from Housecall scans.

»www.trendmicro.com/map/

I *definitely* agree end users need to be educated! I've attended several meetings where FBI agents, US Attorneys, Law enforcement and military representatives are eagerly encouraging private industry folks like myself to work with them. Their efforts are quite remarkable.

We can make a difference - I intend to use all the resources they provide to do my small piece to work to a more secure, private, reliable and functional global system of communications.

I'll post all that's appropriate for public forums here ... Any non-public or restricted items will have to be distributed through channels authorized for same.

HTH

EG
--
I hate jogging. It makes my beer foam up...



GotGhosts
Premium
join:2002-07-16
boo
reply to antiserious

Re: Nachi the new champion bad boy

said by antiserious - did you really think H/P or Compaq or Dell or Gateway was gonna update the software for you ? ...

I asked if Microsoft was still selling the "swiss cheese" operating systems to computer manufacturing companies.

The Microsoft updates are a fix for those security holes in the operating system. Why isn't Microsoft fixing the software before it leaves Microsoft? I suppose that would be a good question to ask Microsoft.

I wouldn't expect Dell, HP, or any other computer maker to do that. But if Microsoft updated their software before it got to the computer manufacturers that would be a huge help.



Randy Bell
Premium
join:2002-02-24
Santa Clara, CA


Default Out-of-the-Box Settings for Automatic Updates
said by GotGhosts:
The Microsoft updates are a fix for those security holes in the operating system. Why isn't Microsoft fixing the software before it leaves Microsoft? I suppose that would be a good question to ask Microsoft.

Probably because the security issues come out after the live release of the XP operating system, or even after major upgrades such as Service Pack 1. If MS started issuing different CDs on a weekly basis, that would create chaos, as each CD would contain a different "mix" of security patches. The practical way, the way they're doing it, is to release XP SP1 {Windows XP, Service Pack 1} on all new machines and leave it to the user to install the security patches which keep changing dynamically as new issues arise. Out of the box, my XP Home Edition that I got with my new Compaq couple months ago, already had the automatic updating enabled by default {see pic}. All the user has to do is enable his {usually broadband} connection to the Net and the Windows Updates occur automagically in the background, with a SysTray Popup when downloaded and ready to install. The main thing, as Blake {LinkLogger} has emphasized, make sure to enable ICF the first thing, before your first connection to the Net, to prevent Nachi or MSBlaster infection.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

qrkx
Premium
join:2003-04-26
Montreal, QC

1 recommendation

reply to Link Logger

said by Link Logger:
Comments, questions, abuse, this article is meant to create discussion as to what can be done to improve security on the internet.

If I were to throw my 50 cents in, I'd venture to say educating the IT people should be a start. Then place some degree of responsibility on the vendors (for their claims). Educating the home user is utopian, imho.

Large ISPs should also be held liable for letting worms affect their infrastructures. With a minimum of competent staff, such outbursts can easily be controlled with ingress/egress filtering without any impact on end-user functionality.

I guess it all comes back to one thing: unless dedicated and trained personnel are at hand, there is little we can do to improve Internet security. No soft/hard vendor will ever do that. The answer could be found in having the allocated budgets to hire the necessary skilled security people to handle these things.

An analogy would be the health care system; do you start training people at home to self medicate (mmmm... self triple by-pass toolkit) or do you invest in trained professionals and relevant equipment?

How can we expect the end user to become "educated" if most, I repeat, most of the corporate IT infrastructure is largely ignorant with respect to security matters (not necessarily a fault of their own... but still)?

rgds.


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to EGeezer

Re: Nachi - map link

said by EGeezer:
Hi CS,

As for a map, I have this one on an ol' browser Links bar... Data gathered from Housecall scans.

»www.trendmicro.com/map/
...................

We can make a difference - I intend to use all the resources they provide to do my small piece to work to a more secure, private, reliable and functional global system of communications.

HTH
EG

Thank you for the link, EG. I was surprised to see that Asia is in third place. This is precisely why I like the idea of the maps. It is a good learning and teaching tool to show worldwide internet habits.

The computer is not just a toy, and although we can still have fun with it, end-users need to understand the necessity of safe computing. No matter what the extra-curricular activity one is involved in there are risks involved, and understanding what those risks are and how to avoid them are all part of playing the game. Sometimes the old clichés just fit.

I think the fact that Nachi was almost (or was) designed as a counter-attack against W32/Blaster-A, requires some reading between the lines. Who knows what the creator of Nachi was thinking. They were even kind enough to apologize to Zhongli (perhaps the creator's wife?) in the hidden signature:

Once running, it will attempt to remove W32/Msblast.A from that system, as well as attempting to update the system with the security patch from Microsoft which addresses this vulnerability.

The worm contains the following string, never exposed to the end user:

"=========== I love my wife & baby ~~~ Welcome Chian~~~ Notice: 2004 will remove myself ~~ sorry zhongli~~~========== wins"
»www.f-prot.com/virusinfo/descrip···i_A.html
Hopefully we will all win in the end.

P.S. The smilies are part of the sig as well...
--
oO^..^Oo oO^..^Oo