
Corporate Guideline in Eradication of Nachi Worm

Original Issue Date: 29th August 2003
Last Updated: 3rd September 2003

Introduction

This paper was prepared in response to requests from various organizations that have had difficulty eradicating the W32.Nachi worm within their LANs and recovering their operations after the attack. This document is to be read together with MyCERT Advisory MA-055.082003: W32.Nachi Worm, released on 19th August 2003: http://www.mycert.org.my/en/services/advisories/mycert/2003/main/detail/97/index.html.

The purpose of this paper is to provide guidelines for managing the incident in a medium to large organization network so that the worm can be eradicated effectively. We believe the same approach proposed in this paper may be applicable in battling other new Internet worms in future, although the specific filters will need to be customized to the behavior of the particular worm being eradicated. These steps, however, are not intended for Internet Service Providers and other public networks.

In organization networks where the worm activity has reached its peak, causing loss of network access within the LAN or extreme speed degradation, the following steps may be applied to reduce the infection rate and speed up the recovery of network services.

Step 1 - Preparation and Coordination

Organizations are advised to set up a Crisis Task Force whose members consist of network engineers and system engineers who are familiar with their own network system and architecture, and who have sound knowledge of router, firewall and Intruder Detection System configuration. A leader shall be appointed to coordinate the response activities.

Step 2 - Containment

At the task force's first meeting, the first initiative would be to review the organization's network topology. Based on the most current network topology, the team should identify every WAN or LAN connection from the organization network to external networks (such as the connection to the ISP, company branches, etc.).

The next step is to contain the worm activity: stop the worm's outgoing traffic from propagating through the external gateways, and reduce the amount of worm traffic coming into the network, which would otherwise further increase the worm traffic within the LAN. To contain the worm traffic within the LAN, filters can be applied at the external router gateways to block both incoming and outgoing ICMP echo and echo-reply. Unfortunately there is no single filter that works for all routers. Organizations are advised to refer to the Cisco advisory on how to apply the relevant filters:

http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

There are different filters for different Cisco router models. Note that the ICMP filter may affect monitoring of devices in networks where ping, rather than SNMP, is used to monitor devices. Firewalls can also be used to filter ICMP traffic.

Step 3 - Eradication

The host-based eradication steps are provided in our W32.Nachi Worm advisory: http://www.mycert.org.my/en/services/advisories/mycert/2003/main/detail/97/index.html.

However, due to the fast spread of the worm, many may find it difficult to identify and eradicate infected hosts in the absence of proper coordination. We suggest using one of the following two approaches:

  1. Total network disconnect
    In situations where the whole network is not accessible, with no sign of connectivity even to the nearest hop, the Virtual Local Area Networks (VLANs) on the core switches can be removed or shut down. (Note: this is only to be done if the network is totally congested.) The next step is to deploy technical personnel to the respective locations, armed with the relevant tools on CDs, such as Microsoft Windows service packs (Windows NT 4.0, Windows 2000 and Windows XP), the relevant patches and an antivirus cleaner, to clean and patch each computer. Proper planning needs to be done prior to the exercise to reduce network downtime.

  2. Network suffering poor performance
    In situations where network performance has greatly degraded, a sniffer or packet analyzer can be used within the LAN to identify infected computers. (Refer to the MyCERT Resource Center http://www.mycert.org.my/en/resources/security_tools/sniffer/main/detail/203/index.html for some free sniffer tools.) The sniffer or packet analyzer will provide the relevant reading of network traffic, and infected computers can be identified down to the IP address and the MAC address of the Network Interface Card. For the pattern of the ICMP traffic, refer to the MyCERT Advisory. The team will then have to physically locate the infected systems and isolate them from the network. Most switches also allow ports to be disabled remotely, so infected computers can also be logically located and isolated; however, this is only possible if network connectivity is still present, even with much degradation in speed. The infected and vulnerable computers would still need to be physically located, patched and cleaned.

In situations where system administrators are unable to confirm which patches are currently installed on a Windows computer, they may use HFNetChk to determine which patches and service packs are missing from the computer. The free download version of HFNetChk can be obtained from:
http://www.shavlik.com/pHFNetChkEXE.aspx

Step 4 - Verification

Upon eradication of the worm on every computer, verification should be done to confirm that the removal was successful. This can be done by scanning the computer with the scanners or antivirus software.

Step 5 - Recovery and Monitoring

Upon successful eradication, the computers can then be reconnected to the network. Unfortunately, this is not the final step. Organizations should conduct real-time monitoring of the network traffic, or scan the network using antivirus scanners, to identify newly infected or vulnerable computers. Based on our experience, it is easy for worms to be introduced into a LAN via mobile or notebook computers.
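The sniffer-based identification in Step 3 (approach 2) and the real-time monitoring in Step 5 both come down to the same task: read the captured ICMP traffic and find the hosts that are sweeping the LAN. The following Python script is an added example written for this guideline; it is not MyCERT's code and does not come from the advisory. It decodes raw Ethernet II / IPv4 / ICMP frames (as a sniffer would hand them over), and reports each source MAC and IP address that has sent worm-pattern echo requests to several distinct hosts, which is exactly what the team needs to walk to the switch port and the machine. The worm signature assumed here (an ICMP echo request carrying 64 bytes of 0xAA, a 92-byte IP datagram) is the commonly published Nachi/Welchia pattern; confirm it against the MyCERT advisory before relying on it, and the sample traffic at the bottom is constructed, not a real capture.

```python
"""Offline analysis of sniffed Ethernet frames to locate Nachi-style ICMP sweeps.

Added example; not part of the MyCERT guideline. Frame format, worm signature
and sample traffic are assumptions documented in the comments below.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8

# Assumption: the commonly published Nachi/Welchia probe is an ICMP echo request
# whose data field is 64 bytes of 0xAA (92-byte IP datagram). Confirm the exact
# pattern against the MyCERT advisory before using it on a live network.
NACHI_PAYLOAD = b"\xaa" * 64


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Decode Ethernet II / IPv4 / ICMP.

    Returns (src_mac, src_ip, dst_ip, icmp_type, icmp_payload), or None when the
    frame is not IPv4-over-Ethernet carrying ICMP (ARP, TCP, truncated, ...).
    """
    if len(frame) < 14 + 20:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IP header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 8 or total_len < ihl + 8:
        return None
    icmp = ip[ihl:total_len]                  # drop Ethernet padding past IP length
    return (_mac_str(src_mac), _ip_str(ip[12:16]), _ip_str(ip[16:20]),
            icmp[0], icmp[8:])


def is_nachi_probe(icmp_type, payload):
    """True when the ICMP message matches the assumed worm probe signature."""
    return icmp_type == ICMP_ECHO_REQUEST and payload == NACHI_PAYLOAD


def find_scanners(frames, min_targets=3):
    """Map each (src MAC, src IP) that sent worm-pattern echo requests to the
    sorted list of distinct destinations it probed. Only sources that swept at
    least ``min_targets`` hosts are reported, so a single stray ping does not
    send the team chasing a healthy machine."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip, icmp_type, payload = parsed
        if is_nachi_probe(icmp_type, payload):
            targets[(src_mac, src_ip)].add(dst_ip)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# --- constructed sample traffic (not a real capture) -------------------------

def build_echo_request(src_mac, src_ip, dst_ip, payload):
    """Build an Ethernet/IPv4/ICMP echo request frame. Checksums are left at
    zero because the parser above does not verify them."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IPPROTO_ICMP, 0, bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    eth = (b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + icmp


def sample_frames():
    """Constructed LAN traffic: one infected host sweeping five addresses with
    the worm payload, one operator pinging two devices normally, one ARP frame."""
    worm = [build_echo_request("00:11:22:33:44:55", "192.168.1.50",
                               f"10.0.0.{n}", NACHI_PAYLOAD) for n in range(1, 6)]
    windows_ping = b"abcdefghijklmnopqrstuvwabcdefghi"   # default 32-byte Windows ping data
    benign = [build_echo_request("00:aa:bb:cc:dd:ee", "192.168.1.10", dst, windows_ping)
              for dst in ("10.0.0.1", "10.0.0.2")]
    arp = b"\xff" * 6 + b"\x00\xaa\xbb\xcc\xdd\xee" + b"\x08\x06" + b"\x00" * 28
    return worm + benign + [arp]


if __name__ == "__main__":
    for (mac, ip), dsts in find_scanners(sample_frames()).items():
        print(f"suspected infected host {ip} (MAC {mac}) probed "
              f"{len(dsts)} addresses: {', '.join(dsts)}")
```

Run on the constructed sample it reports only 192.168.1.50 / 00:11:22:33:44:55; the operator's ordinary pings carry a different payload and are ignored, and the ARP frame is skipped by the parser. For live use, feed frames read from a sniffer or pcap file into find_scanners and raise min_targets on a large LAN so that legitimate monitoring hosts are not flagged.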

Several tools can be used to detect malicious worm activity in a network in real time. These include sniffers and Intruder Detection Systems. Below are some of the links available:

A tool based on Snort and a bootable FreeSBIE with stripped-down rules to detect MSBlaster, Nachi (aka Welchia) and Sobig-F, by Extol.
http://www.mycert.org.my/en/tools/extol/main/main/detail/553/index.html

List of several Intrusion Detection Systems
http://www.mycert.org.my/en/resources/security_tools/intruder_detection/main/detail/199/index.html

List of several types of sniffers
http://www.mycert.org.my/en/resources/security_tools/sniffer/main/detail/203/index.html

Copyright © 2008 - CyberSecurity Malaysia