
SANS ISC: Sobig-F and Nachia update - SANS Internet Storm Center

Sobig-F and Nachia update
Sobig-F

Sobig-F went through two update cycles. Reports are mixed about success / failure. Most update servers were taken down, and the remaining server handed out a benign payload. However, it is possible that individual Sobig installations received an updated server list. At this point, it is highly recommended to rebuild infected machines from scratch.

In addition, administrators of mail servers are asked not to bounce infected messages. Sobig forges the "From" header, so bounce notifications will flood innocent users.

Nachia

Nachia continues to flood networks with ICMP messages and port 135 scans. Based on our measurements, the number of hosts infected by Nachia and MSBlaster is not decreasing and is steady at around 150,000. Network administrators are strongly advised to track down infected machines.

Many ISPs are now blocking ICMP traffic with a payload length of 92 Bytes. This payload length is used by Nachia. However, at least one network diagnosis tool is using the same payload length, but with a different payload.

Sample Snort rule to identify Nachia (a local sid in the 1000000+ range and a classtype have been added so the rule loads cleanly; the match itself is unchanged):

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Nachia Worm"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; itype:8; dsize:64; classtype:misc-activity; sid:1000001; rev:1;)

Most Snort installations already have a similar rule installed:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)

While this rule does not check the payload size, it works well enough for most purposes.
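The difference between the two rules above, and between either rule and a length-only ISP filter, is easier to see on real bytes. The following is an added example (not code from the diary or from Snort): it builds a handful of IPv4/ICMP echo requests by hand, then classifies them the way the two rules do. The 92-byte figure is taken here to be the IPv4 total length (20-byte IP header + 8-byte ICMP header + 64 bytes of data); that mapping, the placeholder addresses, and the sample payloads (including an all-zero 64-byte payload standing in for the unnamed diagnosis tool) are this example's assumptions.

```python
"""Classify ICMP echo requests the way the two Snort rules above do.

Added example, not code from the SANS ISC diary or from Snort. Packets are
constructed by hand (IPv4 header + ICMP header + data); addresses are placeholders.
"""
import struct

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8
NACHI_DATA = b"\xaa" * 64        # 64 x 0xAA: content plus dsize:64 in the Nachia rule
CYBERKIT_PREFIX = b"\xaa" * 16   # 16 x 0xAA: all that sid:483 matches on (within depth:32)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(data: bytes) -> bytes:
    """Constructed IPv4/ICMP echo request; 10.0.0.1 -> 10.0.0.2 are placeholders."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def parse_icmp(pkt: bytes):
    """Return (type, code, data) for a well-formed IPv4 ICMP packet, else None."""
    if len(pkt) < 20:
        return None
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, proto = fields[0], fields[2], fields[6]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != ICMP_PROTO or len(pkt) < total_len or total_len < ihl + 8:
        return None
    icmp = pkt[ihl:total_len]
    if checksum(icmp) != 0:      # a valid ICMP checksum sums to zero over the whole message
        return None
    return icmp[0], icmp[1], icmp[8:]


def ip_total_length(pkt: bytes) -> int:
    """IPv4 total length: 20 + 8 + 64 = 92 for Nachia, the figure the ISP filters key on."""
    return struct.unpack("!H", pkt[2:4])[0]


def classify(pkt: bytes) -> str:
    """Apply the Nachia rule, then the generic sid:483 rule, then a size-only check."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return "ignored"
    itype, _code, data = parsed
    if itype != ICMP_ECHO_REQUEST:
        return "not-echo-request"
    if data == NACHI_DATA:
        return "nachia"           # exact match: 64 bytes of 0xAA
    if data.startswith(CYBERKIT_PREFIX):
        return "cyberkit-like"    # sid:483 would fire here too (prefix check is a simplification)
    if len(data) == 64:
        return "other-64-byte"    # same size as Nachia, different content
    return "echo-request"


# Constructed sample traffic: one Nachia ping, one CyberKit-style ping (32 x 0xAA),
# an all-zero 64-byte payload standing in for the unnamed diagnosis tool, and a
# Linux-style 56-byte ping.
SAMPLES = {
    "nachia": build_echo_request(NACHI_DATA),
    "cyberkit": build_echo_request(b"\xaa" * 32),
    "diag_tool": build_echo_request(b"\x00" * 64),
    "linux_ping": build_echo_request(bytes(range(56))),
}


def summarize(samples=SAMPLES) -> dict:
    """Map sample name -> (classification, IPv4 total length)."""
    return {name: (classify(pkt), ip_total_length(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, length) in summarize().items():
        print(f"{name:<11} {verdict:<15} ip_total_length={length}")
```

Running it shows the point of the diary's caveat: the Nachia ping and the diagnosis-tool ping both have an IPv4 total length of 92, so a length-only filter drops both, while the content rule separates them; the generic sid:483 rule fires on Nachia as well because Nachia's data begins with the same 0xAA bytes. Truncated packets and packets with a bad ICMP checksum are ignored rather than misclassified.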
Handlers