The anthrax mailings and the Nimda worm
were released on exactly the same two dates.
The Nimda Worm
Nimda combined many malicious code techniques into a devastating punch that infected 2.2 million systems in its first
24 hours in the wild.
Nimda, which is Admin spelled backwards, used four means of spreading (propagation vectors, in industry-speak):
Scanning: Nimda-infected systems scan a network looking for unpatched Microsoft Internet Information Server (IIS) systems.
Nimda then uses a specific exploit, called the Unicode Web Traversal exploit, to gain control of the target server.
Email: Nimda gathers email addresses from the mailboxes of any MAPI-based email system. Nimda then formats messages to
these addresses using both the To: and the From: fields, so the From: address will not be that of the infected user.
The worm also has its own SMTP server to send out the emails, thus bypassing Exchange or Notes servers.
When Nimda arrives in an email, it uses a MIME exploit that allows it to execute merely when the infected message is read
or opened in a preview pane.
Browsing: Visitors to a Nimda-infected Web server are asked to download an Outlook Express email file which contains the
worm as a readme attachment. It then activates using the email technique described above.
Network Shares: Nimda creates open network shares on the target system (desktop or server), allowing complete access to
that system at a later date.
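The scanning vector above relied on a server that checked a request path for ".." before it had finished decoding it, so an overlong UTF-8 encoding of "/" slipped past the check. The following Python is an added example, not code from the page: the flawed order of operations beside a canonicalising check, run over constructed log lines (the log layout, client addresses and target file names are assumptions).

```python
from urllib.parse import unquote_to_bytes

def lenient_utf8(raw: bytes) -> str:
    """UTF-8 decode that also accepts overlong 2-byte forms (C0 AF -> '/',
    C1 9C -> '\\'), mirroring the lenient decoder the traversal relied on."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII and stray bytes pass through unchanged
            i += 1
    return "".join(out)

def naive_is_safe(request_path: str) -> bool:
    """Flawed order: percent-decode once, then look for a '..' segment; the
    overlong byte pair is still buried inside one opaque segment here."""
    decoded = unquote_to_bytes(request_path).decode("latin-1")
    return ".." not in decoded.replace("\\", "/").split("/")

def canonical_is_safe(request_path: str) -> bool:
    """Hardened order: decode until the path stops changing (double encoding,
    overlong forms), fold '\\' to '/', then refuse any climb above the root."""
    path, depth = request_path, 0
    for _ in range(3):
        nxt = lenient_utf8(unquote_to_bytes(path))
        if nxt == path:
            break
        path = nxt
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return False
        elif seg not in ("", "."):
            depth += 1
    return True

SAMPLE_LOG = [  # constructed lines: date time client method path status
    "2001-09-18 10:01:03 198.51.100.7 GET /scripts/..%c0%af../outside/f.txt 200",
    "2001-09-18 10:01:04 198.51.100.7 GET /msadc/..%255c../outside/f.txt 404",
    "2001-09-18 10:01:05 198.51.100.9 GET /images/logo.gif 200",
]

def scan_log(lines) -> list:
    """(client, path) for requests the naive check passes but canonicalisation rejects."""
    return [(f[2], f[4]) for f in (ln.split() for ln in lines)
            if len(f) >= 5 and naive_is_safe(f[4]) and not canonical_is_safe(f[4])]
```

Both constructed probe lines pass the naive check and fail the canonical one; the plain image request passes both.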
After the Infection
In the past, viruses existed mainly to propagate themselves, although some were specifically crafted to perform damage
via the delivery of their payload to the infected system.
Hybrid threats are much more dangerous. In fact, so many servers and desktops were infected with Nimda that the email
traffic and constant scanning for new targets created a mini-"denial of service" condition for those networks.
Typical post-infection actions include:
Increasing the remote access exposure of the infected machine;
Hiding evidence of infection and removing audit trails;
Placing backdoors for future unauthorized access;
Rolling back existing security measures;
Or hiding the presence of malicious code by moving the illicit program into stealth or hibernation mode until it is needed.
Other hybrid threat activities include clearing system logs of evidence of infection, changing file and registry settings,
reformatting or altering drives, files and data, corrupting databases, denying access to critical system functions or applications,
and enabling remote access and control of the infected host.
The hybrid, as demonstrated by Code Red, Nimda, BadTrans, and others, is a malicious program composed of a combination
of formerly stand-alone information security threats.
Viruses, worms, trojans and hacker techniques have been merged into automated, multi-headed attack tools that rapidly
propagate across the Internet to cause huge amounts of economic damage.
For example, Nimda infected over 2.2 million PCs and servers in 24 hours after its release to the wild in September 2001
(Computer Economics), incurring over $530M in damages via downtime and cleanup. Code Red clocked in at an even more staggering
figure: an estimated $2.6 billion of damage.
NIMDA CODE RED CONNECTION
In September 2001, Nimda raised new alarms by using five different ways to spread to 450,000 hosts within the first 12
Nimda seemed to signal a new level of worm sophistication.
It found e-mail addresses from the computer Web cache and default
Messaging Application Programming Interface (MAPI) mailbox.
It sent itself by e-mail with random subjects and an attachment named
readme.exe. If the target system supported the automatic execution
of embedded MIME types, the attached worm would be automatically
executed and infect the target.
It infected Microsoft IIS Web servers, selected at random, through a
buffer overflow attack called a Unicode Web traversal exploit.
It copied itself across open network shares. On an infected server, the
worm wrote Multipurpose Internet Mail Extensions (MIME)-encoded
copies of itself to every directory, including network shares.
to that Website.
It looked for backdoors left by previous Code Red II and Sadmind worms.
"The anthrax mailings and the Nimda worm were released on exactly the same two dates.
Moreover, they were distributed via essentially the same method, and they shared a common apparent purpose.....
Released on the Same Dates
The anthrax-laden letters were postmarked on Sept. 18 and Oct. 9, 2001.
These are precisely the same dates that the destructive Nimda worm and a new variant of this worm called Nimda.B were
released on the Internet.
Sept. 18 was the date that the Nimda worm was released on the Internet, and Oct. 9 was the date that the Nimda.B variant
Both involve mailing (either by the Postal Service or by e-mail) a destructive payload to unsuspecting individuals. Although
the two attacks (anthrax and Nimda) appear at first glance to be very different from one another, a similar mind-set seems
to underlie both."
"To: Khan Noonian Singh; genefromjersey; John Faust; Battle Axe; Allan; Shermy; TrebleRebel
So what observations have *you* noticed that you have not posted or that may not be known widely?
Here's something I noticed.
Khan, in a posting of yours in July, 2004, you made the claim that there was an "ineffective anthrax attack at end
of February of 2003." You then elaborated, as follows:
"Has been dubbed weaponised or semiweaponised.
Was thought to have encompassed both a letter campaign with threatening messages and an outdoor delivery trial.
Best estimate of date is 24 Feb 2003." [Boldface added.]
Links: http://www.freerepublic.com/focus/f-news/1165194/posts?page=112#112 and http://www.freerepublic.com/focus/f-news/1165194/posts?page=145#145
What I noticed was that the same date (Feb. 24, 2003) had occurred in an earlier FR discussion about the possible connection
between the anthrax mailings and Internet worms/viruses. [I have placed all the instances of the date Feb. 24, 2003, in this
posting in boldface, to make it easy to spot them.]
Before proceeding, a bit on the Nimda worm: It is known that the destructive Nimda worm was released on Sept. 18, 2001,
exactly one week after the 9/11 attack (one week to the minute, as closely as one can tell). The destructiveness of this worm
on the heels of 9/11 was sufficient that John Ashcroft made a televised statement on Sept. 18 that the worm was not known
to be terrorist-related. Something no one knew on that date was that Sept. 18, 2001, was also the postmark date of the anthrax
mailings to NBC News and the NY Post. In addition, a variant called Nimda.B was released some time between Oct. 5 and 9, 2001,
matching the mailing date of the second set of anthrax letters. (Neither Nimda.B nor the second set of anthrax letters can
be dated precisely.) This was observed in early November, 2001, but to this date it is not known whether Nimda and the anthrax
mailings were really connected or whether it was a coincidence. (It's perhaps worthy of comment that both the Nimda and anthrax
attacks involved putting a destructive payload in mail, whether e-mail or postal mail.)
Fast-forward two years, to late Dec., 2003. Frequent FR reincarnatee Van der Waals, who had expressed interest in the
Nimda theory, noted that the Swen computer worm had been released on Sept. 18, 2003, and that a variant of Swen had been released
on Oct. 9, 2003. These are the anniversaries of the two known anthrax mailings. The HTML used by the worm makes use of the
code word "bacillus". Here's the link to this posting of Van der Waals: http://www.freerepublic.com/focus/f-news/1042297/posts?page=37#37.
I replied to Van der Waals, in http://www.freerepublic.com/focus/f-news/1042297/posts?page=40#40. Here's part of what
I wrote at the time (Dec. 20, 2003):
... note that the worm called Swen is apparently the latest incarnation of the earlier Gibe worm, so 9/18/2003 and 10/9/2003
are just the latest two dates in a longer series of release dates.
So, here are three possibilities regarding Swen:
Possibility 1. The dates are just a coincidence. If you look, you can find many things that happened on Sept. 18, and
some that happened on both Sept. 18 and Oct. 9 in some year.
Possibility 2. Someone who had nothing to do with the anthrax mailings intentionally picked the anniversary dates, just
because he thought it would be a cool thing to do.
Possibility 3. Someone who had something to do with the anthrax mailings picked those dates on purpose. But why would
he do that? Two possible reasons:
Possibility 3(a). Disinformation. This presupposes that the Nimda theory is false; the purpose of Swen would then be to
divert resources into investigation of a (false) Nimda connection to the anthrax mailings.
Possibility 3(b). To draw attention to the earlier release dates of Gibe/Swen:
Mar. 4, 2002
Feb. 24, 2003
(There were also minor follow-up variants released on Mar. 16, 2003, and Mar. 24, 2003.)
Why draw attention to these earlier dates? I don't know, but that attention to the earlier Gibe-worm release dates is
a predictable consequence of the later Swen releases on the anthrax anniversary dates. In this theory 3(b), it's as if someone
is saying: "Look at the release dates!"
My guess is that it's just a coincidence - Possibility 1.
As you can see, the Feb. 24, 2003, release date of Gibe coincides with Khan Noonian Singh's purported "ineffective
anthrax attack." Possibility 3(b) specifically pointed out the date Feb. 24, 2003, as a date of interest.
44 posted on 11/26/2004 12:18:00 AM PST by Mitchell"