Mass-mailing Worms

PCQ Bureau

Spam and mass-mailing worms are two of the biggest threats on most networks today: both generate so much traffic that they can clog a network within minutes. Spam is best tackled at the mail-server and ISP level, but mass-mailing worms have to be tackled on your own network. Before you can do that, you need to understand the normal traffic patterns on your network, so that you can tell genuine traffic from malicious traffic. The good news is that there are plenty of good tools, both free and commercial, to help you. In this article we explain how to use some of them to understand your network's traffic and identify potential problems. To do this, we simulated a worm attack on a test network and then used a few tools to combat it. There are four steps to identifying such problems on your network: Map, Monitor, Alert and Rectify. This should be a continuous process, not a one-time job. 


Identify the symptoms

It's not very difficult to tell that a mass-mailing worm has hit your network. Typical symptoms are slow Internet connectivity, client machines losing their network connections, and frequent time-outs during file transfers. Faulty hardware or misconfigured applications can cause the same symptoms, so you can't rule those out. If it is a mass-mailing worm, it is generating a lot of traffic on your network, and that is what slows everything down. 

Notice the machines in red. These have crossed their threshold limits.

Meet the detectives

We used four different tools for the job. The first was Ntop, which monitors total bandwidth usage on a network and classifies it by user, node, protocol and application. It generates very good reports, broken down by hour, day, month or even year. We explained its installation in our June 2004 issue. The second tool was 3Com's Network Supervisor; a 60-day trial version is on this month's DVD. The third was ettercap, an ARP-spoofing tool (explained in our January 2004 issue), and lastly we used a handy Windows sniffer called P-Net Detective. You could use Ethereal (since renamed Wireshark) instead of P-Net: Ethereal is free, while P-Net is commercial and requires a licence. P-Net is, however, much easier to use, as its output is more 'human readable' than Ethereal's.


Detectives at work

Now let's see how to use these tools and make sense of the alarms they generate. If there's a mass-mailing worm active on your network, then you'll notice the following in the various tools:

  • Ntop reports will show an increase in broadcast traffic on your network. Note that a faulty Ethernet card can also cause this.
  • When you run P-Net Detective or Ethereal, you'll notice a sudden burst of ARP and ICMP requests to seemingly random addresses. If this traffic comes from a single machine only, it may be legitimate. If you see the same pattern from several machines, it is almost certainly a worm. Here again, a misconfigured personal firewall can also produce such traffic, so it is not necessarily a mass-mailing worm.
  • Ping response times will increase dramatically, especially to your Internet gateway. 3Com's Network Supervisor can alert you when this happens. 

Identifying the infected machines is easy. In Ethereal, note the source IP address of each machine that is generating the ARP or ICMP traffic. Ntop's traffic graphs will also show which machines have suddenly started sending a lot of traffic. Those machines are probably infected. 
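The same signature can be pulled out of a saved capture without clicking through a sniffer. The script below is an added example written for this article, not part of Ntop, Ethereal or P-Net: it reads lines in the format printed by `tcpdump -nn -tttt` (Ethereal can save a capture that tcpdump reads back), counts how many distinct hosts each source has probed with ARP requests or ICMP echo requests, reports the share of broadcast traffic, and applies the rule of thumb above, that one noisy host may be legitimate while the same pattern on several hosts is a worm. The capture it runs on is constructed inline, the threshold of 20 distinct targets and the subnet broadcast address 192.168.1.255 are assumptions to adjust for your own network.

```python
"""Flag hosts sweeping the LAN with ARP / ICMP echo requests in tcpdump -nn output."""
import re
from collections import defaultdict

# Line shapes produced by `tcpdump -nn -tttt` for ARP requests and IP packets.
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
IP_PKT = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?: (.*)")


def parse_line(line, subnet_broadcast="192.168.1.255"):
    """Classify one tcpdump line; returns None for lines we do not care about."""
    m = ARP_REQ.search(line)
    if m:
        target, asker = m.groups()
        # ARP requests always go to ff:ff:ff:ff:ff:ff, so they count as broadcast.
        return {"src": asker, "dst": target, "kind": "arp_request", "broadcast": True}
    m = IP_PKT.search(line)
    if m:
        src, dst, rest = m.groups()
        if rest.startswith("ICMP echo request"):
            kind = "icmp_echo"
        elif rest.startswith("UDP"):
            kind = "udp"
        else:
            kind = "other"
        bcast = dst in ("255.255.255.255", subnet_broadcast)
        return {"src": src, "dst": dst, "kind": kind, "broadcast": bcast}
    return None


def analyze(capture_text, scan_threshold=20, subnet_broadcast="192.168.1.255"):
    """Summarise who is sweeping the subnet and how much of the traffic is broadcast."""
    swept = defaultdict(set)          # src -> distinct hosts it probed (ARP or echo)
    total = broadcast = 0
    for line in capture_text.splitlines():
        rec = parse_line(line, subnet_broadcast)
        if rec is None:
            continue
        total += 1
        broadcast += rec["broadcast"]
        if rec["kind"] in ("arp_request", "icmp_echo"):
            swept[rec["src"]].add(rec["dst"])
    suspects = sorted(h for h, hosts in swept.items() if len(hosts) >= scan_threshold)
    # Rule of thumb from the article: one noisy host may be legitimate (scanner,
    # misconfigured personal firewall); the same pattern on several hosts is a worm.
    if not suspects:
        verdict = "no host is sweeping the subnet"
    elif len(suspects) == 1:
        verdict = "single host sweeping; check it before calling it a worm"
    else:
        verdict = "several hosts sweeping the same way; treat as worm and isolate"
    return {
        "broadcast_fraction": broadcast / total if total else 0.0,
        "distinct_targets": {h: len(hosts) for h, hosts in swept.items()},
        "suspects": suspects,
        "verdict": verdict,
    }


def build_sample():
    """Constructed capture (not a real one): 192.168.1.12 and .57 sweep the /24,
    .40 does ordinary file-server traffic and .2 is a monitoring box pinging 5 hosts."""
    lines = []
    n = 0

    def emit(text):
        nonlocal n
        n += 1
        lines.append(f"2004-07-01 10:15:00.{n:06d} {text}")

    for src in ("192.168.1.12", "192.168.1.57"):
        for i in range(1, 61):
            dst = f"192.168.1.{i}"
            if dst == src:
                continue
            emit(f"ARP, Request who-has {dst} tell {src}, length 28")
            emit(f"IP {src} > {dst}: ICMP echo request, id 1, seq {i}, length 64")
    emit("ARP, Request who-has 192.168.1.5 tell 192.168.1.40, length 28")
    emit("IP 192.168.1.40.1052 > 192.168.1.5.445: Flags [S], seq 1, win 65535, length 0")
    emit("IP 192.168.1.5.445 > 192.168.1.40.1052: Flags [S.], seq 1, ack 2, win 65535, length 0")
    emit("IP 192.168.1.40.137 > 192.168.1.255.137: UDP, length 50")
    for i in (1, 5, 12, 40, 57):
        emit(f"IP 192.168.1.2 > 192.168.1.{i}: ICMP echo request, id 7, seq 1, length 64")
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyze(build_sample())
    print(f"broadcast share: {report['broadcast_fraction']:.0%}")
    for host, count in sorted(report["distinct_targets"].items()):
        print(f"{host:15} probed {count:3d} distinct hosts")
    print("suspects:", ", ".join(report["suspects"]) or "none")
    print("verdict:", report["verdict"])
```

The point of counting distinct targets rather than raw packet volume is that a busy file server also sends a lot of packets, but only to the hosts it talks to; a worm hunting for victims asks for addresses it has never spoken to, one after another. The monitoring box in the sample pings five hosts and stays well under the threshold, while the two infected hosts each touch 59 addresses.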


Isolating infected machines

You can use ettercap to isolate the infected machines from the rest of your network. The steps are as follows: 

Here you can see that 50 percent of the data generated was nothing but broadcast traffic.

  • First use Network Supervisor to see where the infected machines are located on your network. It can plot a complete diagram of your network and tell you which PC is connected to which switch.
  • Run ettercap and, from the destination table (on the right-hand side of the ettercap window), select the IP address you want to isolate, then press the 'a' key. This opens another window. Now press the 'p' key and select the 23rd plug-in (leech). It asks once to confirm that you really want to isolate the machine; type Yes and press Enter, and the machine is off the network. This ensures that, while you leave your seat to hunt down the machines and run the antivirus on them, they can't spread the worm to healthy PCs. Because ettercap isolates by ARP spoofing, the effect lasts only while ettercap keeps running; if Network Supervisor has shown you the switch port, shutting that port down is the more robust option. 

Remove the threat 

Once the machine is isolated, at least you don't have to worry about the worm spreading to other machines on your network. How you clean the infection depends on the worm. Check the websites of the major anti-virus vendors first to see whether they have released a signature update or a removal tool for it, and make sure the machine's anti-virus is up to date before you reconnect it. 


Installing 3Com Network Supervisor 

Find 3com_network_supervisor_v4_0_1.exe on this month's PCQ Xtreme DVD and copy it to your hard disk.


Double-click and run this file. A wizard will appear to guide you through the installation process. After installation, you should automatically see a configuration wizard to help you set up and use it on your network.

On the prompt asking you to 'Create a new network map' or open an existing map, select 'Create a new Network Map' and click on OK. You will see three options: automatically discover all devices on your subnet, discover all nodes that are connected to a default gateway, and specify and use your own subnet. Select the first option if you have a single subnet, the second if you have multiple subnets connected through a single gateway, and the third if you have a mixed network with different subnets. If you selected the third option, a dialog box asks for the desired subnets. Enter them and click on Next. You will be asked if you want to set up Stress Monitoring on the discovered devices. Select Yes and continue with the wizard. Wait for the detection process to complete and the software will create your network map for you.

Now, you can select any device on your network and set the threshold limits for them by right-clicking on the device. You can even find all the possible routes between two nodes in your network.