Nachi: Best. Worm. Ever.

by Steve Mallett

Related link: http://news.oreillynet.com/pub/n/ReturnofNachi



Nachi 2: The Return of Nachi. It sounds like one of those terrible ninja movies that are so fun to watch, but this superhero of a virus is your inbox's best friend.


Nachi is a virus that is spreading across the internet right now, cleaning and patching the MyDoom security hole. It eradicates the MyDoom virus, then automatically downloads and installs the needed patches. Good thing too. A Trojan horse, Mitglieder-H, is now on the loose exploiting the same MS security hole.

Advocating the use of this, and even celebrating it, is supercharged with ethical concerns, but I for one thank the author.

Don't get any wild ideas, folks. This kind of thing could get you in serious trouble despite good intentions.

Nachi! Nachi! Nachi!


6 Comments

jwenting
2004-02-12 05:44:50
tells more about careless users...
If it's indeed the same cleaner worm as the one that cleaned up after Blaster, that means that MyDoom uses the same vulnerability as did Blaster many months after that one hit the web.


In other words, there are still millions of irresponsible users out there that haven't bothered to keep up with updates which were available BEFORE Blaster was unleashed...

spaceman
2004-02-12 05:54:25
tells more about careless users...
It appears to my untrained eye to be the same name, but with different purpose. It is using the MyDoom hole, not Blaster's.

montey
2004-02-12 06:16:32
What a naive opinion
I find this analysis of the Nachi and/or Nachi.B worms to be incredibly ill-informed and naive.


Facts time:
- Nachi worm illegally accessed and modified systems in a manner not authorised by the owner of the system.
- Nachi worm is alleged to have opened a backdoor into systems for its own purposes, and hence was actually protecting itself by applying patches.
- Nachi worm created far more traffic on the Internet than any other worm preceding it. In some instances costing companies hundreds of dollars per month in traffic charges for blocked traffic.
- Nachi.B worm works by infecting (re-infecting) systems still vulnerable to the original MSBlaster worm. Either Nachi wasn't that successful in patching, or Nachi.B will be a complete flop.


No virus or worm is good. The nature of them is to spread en masse throughout the Internet and at the very least they create large traffic loads. Even if the author's intent is benevolent, Nachi proves any worm is a problem.

spaceman
2004-02-12 06:40:50
What a naive opinion
An actual analysis tells a different story.


"Nachi worm illegally accessed and modified systems in a manner not authorised by the owner of the system." -Irresponsibly- unpatched computers are the victims of their own design. People have had a lot of time to patch these, knowing that their systems are causing others a lot of headaches.


"Nachi worm is alleged to have opened a backdoor into systems for its own purposes, and hence was actually protecting itself by applying patches." The above analysis indicates that this is not the case at all.


"Nachi worm created far more traffic on the Internet than any other worm preceding it. In some instances costing companies hundreds of dollars per month in traffic charges for blocked traffic." I'd like to see this backed up, but I bet it caused less traffic in the long run because it stopped MSBlaster. Just a bet!


"Nachi.B worm works by infecting (re-infecting) systems still vulnerable to the original MSBlaster worm. Either Nachi wasn't that successful in patching, or Nachi.B will be a complete flop." Again, the above analysis indicates that this is not the case.


"No virus or worm is good. The nature of them is to spread en masse throughout the Internet and at the very least they create large traffic loads. Even if the author's intent is benevolent, Nachi proves any worm is a problem." While I see Nachi creating the traffic, I am glad it is. In the long run I believe we are better off for it.

jimothy
2004-02-12 09:44:48
What a naive opinion
From the Sophos link:


"W32/Nachi-B may overwrite files with extensions SHTML, SHTM, STM, CGI, PHP, HTML, HTM and ASP with an HTML file containing the following text:


LET HISTORY TELL FUTURE !
..."


Overwriting files does not sound like benevolent behavior to me. Regardless of its author's intentions, I'm also nervous of what security holes Nachi creates either through intentional backdoors or through potential unintentional coding mistakes of its own.


2006-09-26 04:15:56
need to get on to this website