ICMP Ping

Common Use

Typically used as a network debugging tool, but currently most of the ICMP pings are a modified Nachi/Welchia ping meant to find computers that are online before scanning them further for vulnerabilities suitable for infection with the Nachi/Welchia worm.

Nachi/Welchia is designed such that it should uninstall itself from infected systems during startup in 2004 so scan rates are falling off.  For example we have seen a decrease of about 60% since the new year.

However Sasser.D uses ICMP Pings to locate systems online to attempt to infected, so in May 2004 we see an increase in ICMP ping traffic due to Sasser.D.

Inbound Scan

Typically you will see Nachi scans from systems which have similar IP addresses to yours as Nachi/Welchia uses a localized scanning algorithm.  You could also see TCP port 135, 445, and 80 scans from these systems as Nachi/Welchia uses a couple of different exploits to infect other systems.

Outbound Scan

Outbound scans if occurring in volume should be considered an indication of a possible Nachi/Welchia/Sasser.D infection on the source computer and should be investigated.

Additional Information

Nachi the new champion bad boy

Microsoft - What You Should Know About the Nachi Worm

F-Secure Sasser.D Writeup

 

Nachi/Welchia has a built in time out date such that it will stop and uninstall itself if it is started after Midnight Dec 31, 2003.  So Nachi/Welchia pings have been significantly reduced, but are still occurring as some systems have not been restarted since the start of the new year.

 

Link Logger graph showing the continued decline of Nachi/Welchia and the emergence of Sasser.D in early May.

 

Page last updated on May 10, 2004