Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: Nachi Worm

  1. #1

    Nachi Worm

    There's a new worm using the RPC DCOM exploit - see http://vil.nai.com/vil/content/v_100559.htm

    This one has a twist though.. it patches the infected PC with the MS patch 823980 and then deletes the MSBlast worm from the PC.

    Odd, huh?

  2. #2
    Senior Member
    Join Date
    Jul 2002
    That's kind of interesting. Hmm.. Why would someone create a worm to get rid of another? That's strange. Someone actually created a worm to do some good. That's really a weird twist.

    There is some good in the world...

    - The mind is too beautiful to waste...

  3. #3
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Makes sense to me.

    I've considered that this to be a good solution to the problem...

    It wasn't Mark's that got into the wild was it?
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    The initial analysis also says that it appears to be self removing after 1st Jan.

    However, we've now replaced probes to port 135 on my firewall with ping requests! It's gonna be a very noisy few months at this rate

  5. #5
    Deceased x acidreign x's Avatar
    Join Date
    Jul 2002
    I was just wondering if there are more instances of this, I always wondered why I never heard of reformed virus/worm writers writing "retroviruses" sortof, virus-like programs that, like a virus, search for computers on a network that are vulnerable to a certain exploit, use it to copy themselves onto that computer, but instead of using the inside access to DDoS another machine or wreak havok on the host network, it patches the flaw from the inside and destroys itself. Why don't cops and software companies do this? what about infosec companies like symantec? who knows more about viruses than symantec? they could totally pull it off, so why don't they?
    :q :q! :wq :w :w! :wq! :quit :quit! :help help helpquit quit quithelp :quitplease :quitnow :leave :**** ^X^C ^C ^D ^Z ^Q QUITDAMMIT ^[:wq GCS,M);d@;p;c++;l++;u ++ ;e+ ;m++(---) ;s+/+ ;n- ;h* ;f+(--) ;!g ;w+(-) ;t- ;r+(-) ;y+(**)

  6. #6
    Well, one reason not to let it onto your corporate network can be found by having a quick look at your firewall logs.

    At the moment I'm getting in excess of one ping every 4 seconds from my subnet and several very close ones. There must be a shedload of ICMP traffic hammering away through my ISP right now. Imagine what would happen on a large network? Nasty.

    On the other hand, a decent firewall should keep it at bay, and this will also likely fix most of the vulnerable PCs on the public internet.

    My guesstimate on the ping pattern is that this is looking at working a range of maybe 2048 IP addresses centered around the infected PC. It's not quite the local subnet, but very close. This could mean some ISPs or corporate networks suffering under ICMP storms.

    In other words, it's a mixed bag. I think it unintentionally comes with a payload which could cause problems on some networks.. on the other hand, those networks were probably struggling with MSBlast anyway.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    central il
    Well as someone who had a lot of problems because of he MS DCOM/RPC patch I for one think that this virus should be considered malware and detected by antivirus vendors.
    Who is more trustworthy then all of the gurus or Buddha’s?

  8. #8
    Looks like most AV vendors have already updated their signatures or are working on it.

    I've *never* seen this much activity on my firewall before though. I'm making a bet that the Internet Storm Center - http://isc.incidents.org/ - will upgrade this to a yellow because of the risk on an ICMP/Ping storm.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hi guys!

    This reminds me of one about 3-4 years ago........cannot remember the name?...what we are looking at is a form of "reverse social engineering", plus, if the other crap is there...his doesn't work?

    help me you memory men

    There are NO "good" bad guys

  10. #10
    I'm not sure there's much social engineering involved.. I'm pretty certain this is somebody trying to be a "white hat" but there's a couple of major flaws in this anti-worm..

    Firstly, 1st January 2004 is waaaay too long. It would pick up most of the infected PCs if allowed to run for a couple of days. This appears to be a much more effective infector than MSBlast.

    Secondly, the rate of infection is very high, and the scanning rate is very hight too. Because of the high level of effectiveness, this is causing a large number of infected hosts scanning very quickly. Indeed, on the first day, I'm getting twice as much firewall activity from Nachi as I am from MSBlast.

    Those of you with long memories will remember the first Internet Worm back in 1988. Because you can never test something like this in the wild, it's difficult to know how to "throttle" the spread of the worm. Back in '88, the worm spread much more quickly and agressively than anticipates, and I'm afraid that with the infection rate of *this* worm, we may end up with something out of control. If it was just for a couple of days it wouldn't be so bad, but we're looking at a time period of four-and-a-half months of endless repetitive pinging.

    In other words.. I think the anti-worm is a little buggy. A slower spread rate and shorter infection period would be nice. As to whether this is a *good* thing or not is hard to say. It'll clean up MSBlast pretty quickly. The damage it will do on the way is something I guess we'll find out.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts