Two Prongs of One Attack on Our Communication SystemM. Spector
of Computer Science and Software Engineering
November 9, 2001It appears likely that the
recent anthrax mailings and the Nimda computer worm are two prongs of a single coordinated attack on our communications infrastructure.
If this theory is correct, there may be two undiscovered anthrax-laden letters, including one mailed in late October whose
victims would still be in the incubation period.
A Summary of the EvidenceThe anthrax mailings and the Nimda
worm were released on exactly the same two dates. Moreover, they were distributed via essentially the same method,
and they shared a common apparent purpose. The details follow.
Released on the Same Dates
The anthrax-laden letters were postmarked on Sept. 18 and Oct.
9, 2001. These are precisely the same dates that the destructive Nimda worm and a new variant of this worm called Nimda.B
were released on the Internet. Sept. 18 was the date that the Nimda worm was released on the Internet, and Oct. 9 was the
date that the Nimda.B variant was released.
Both involve mailing (either by the Postal Service or by e-mail) a destructive
payload to unsuspecting individuals. Although the two attacks (anthrax and Nimda) appear at first glance to be very different
from one another, a similar mind-set seems to underlie both.
Same Apparent Purpose
Both attacks may have had as their combined purpose the simultaneous
disruption of all our mail communications -- both the U.S. mail and e-mail. Luckily, neither attack has been particularly
successful in this regard, at least so far.
In addition, the anthrax letters were sent to people in the mass media,
which is another component of our communications system.
Still-Undiscovered Anthrax Mailings? (Kathy Nguyen's Death and Another Possible Forthcoming Attack)
more variants of the Nimda worm were released after Nimda.B: Nimda.C (on October 12), and Nimda.D and Nimda.E (both on October
29). If the anthrax-Nimda connection isn't a coincidence, there may have been further mailings of anthrax on October 12 and
Are there undiscovered anthrax letters that were mailed on the later worm release dates of October 12
and October 29? Is it conceivable that a hypothetical October 12 mailing was responsible for Kathy Nguyen's death? I think
anybody infected by a hypothetical October 29 mailing would still be in the incubation period for the disease, with signs
of infection to show up shortly.
I hope I'm wrong about the possibility of an Oct. 29 anthrax mailing, but it's important
to be alert for more anthrax cases as we near the end of what would be the incubation period (and this is also a test of whether
the theory is correct).
Notice that these hypothetical anthrax release dates are consistent with the warnings of terrorist
attacks within the following few days issued by the FBI on Oct. 11 and by Attorney General John Ashcroft on Oct. 31 (especially
in light of both the incubation period for anthrax and the inherent uncertainty in warnings such as these).
Connection with Code Red II and earlier worms
The Nimda worm makes use of "back-doors" left
by the earlier Code Red II and sadmind worms. It is unknown if this is an opportunistic use of these back-doors, or if one
or both of these earlier worms were released with the specific intent of following up with the Nimda worm. It is also unknown
if Code Red II is actually related to the original Code Red worm (in spite of the names assigned by security experts). In
any event, the sadmind worm was released on May 8, 2001, Code Red was released on July 16, 2001, and Code Red II was released
on August 4, 2001. It would be of interest to see if there were any apparently unrelated anthrax threats, terrorist threats,
etc., on May 8, July 16, and/or August 4. (I have seen a news report indicating that Bill O'Reilly and Sean Hannity of Fox
News may have received letters before Sept. 11 apparently similar to the later anthrax mailings.)
The People Behind the Attack
The coincidence of dates and the similarity of methods and purpose
indicate that the same group of people is behind both the anthrax attacks and the Nimda series of worms. It appears that at
least two people must be involved, since one person is unlikely to be so skilled at both microbiology and software development
as to have been able to create and carry out both attacks.
Speculation - Connections with the 9/11 attacks
The first Nimda attack occurred almost precisely
one week (to the hour, and maybe to the minute) after the first plane hit the World Trade Center, strongly suggesting a connection
between the Sept. 11 attacks and Nimda, and now therefore suggesting a connection between the Sept. 11 attacks and the anthrax
Speculation - Place of Origin
This theory may point to a foreign connection with the anthrax
attack. It has been widely suggested that Nimda may have originated in China; this is purely speculative and is based only
on early widespread propagation in Asia and on the fact the worm itself contains a reference to China.
Background: Technical Information on the Nimda Worm (and others)For
technical information on the Nimda, Code Red, Code Red II, and sadmind worms, see the Symantec security web site at http://securityresponse.symantec.com , the F-Secure web site at http://www.europe.f-secure.com/v-descs/w.shtml (click on W32/Nimda.a@mm, etc.), and the SANS Institute web site at http://www.incidents.org .