WebCrime

ANTHRAX-NIMDA CONNECTION

Two Prongs of One Attack on Our Communication System

M. Spector
Dept. of Computer Science and Software Engineering
Seattle University
E-mail:
spector@seattleu.edu

November 9, 2001

It appears likely that the recent anthrax mailings and the Nimda computer worm are two prongs of a single coordinated attack on our communications infrastructure. If this theory is correct, there may be two undiscovered anthrax-laden letters, including one mailed in late October whose victims would still be in the incubation period.

A Summary of the Evidence

The anthrax mailings and the Nimda worm were released on exactly the same two dates. Moreover, they were distributed via essentially the same method, and they shared a common apparent purpose. The details follow.

Released on the Same Dates
The anthrax-laden letters were postmarked on Sept. 18 and Oct. 9, 2001. These are precisely the dates on which the destructive Nimda worm and its new variant, Nimda.B, were released on the Internet: the original Nimda worm appeared on Sept. 18, and the Nimda.B variant on Oct. 9.

Same Method
Both involve mailing (either by the Postal Service or by e-mail) a destructive payload to unsuspecting individuals. Although the two attacks (anthrax and Nimda) appear at first glance to be very different from one another, a similar mind-set seems to underlie both.

Same Apparent Purpose
Both attacks may have had as their combined purpose the simultaneous disruption of all our mail communications -- both the U.S. mail and e-mail. Luckily, neither attack has been particularly successful in this regard, at least so far.

In addition, the anthrax letters were sent to people in the mass media, which is another component of our communications system.

Consequences

Still-Undiscovered Anthrax Mailings? (Kathy Nguyen's Death and Another Possible Forthcoming Attack)
Three more variants of the Nimda worm were released after Nimda.B: Nimda.C (on October 12), and Nimda.D and Nimda.E (both on October 29). If the anthrax-Nimda connection isn't a coincidence, there may have been further mailings of anthrax on October 12 and October 29.

Are there undiscovered anthrax letters that were mailed on the later worm release dates of October 12 and October 29? Is it conceivable that a hypothetical October 12 mailing was responsible for Kathy Nguyen's death? I think anybody infected by a hypothetical October 29 mailing would still be in the incubation period for the disease, with signs of infection to show up shortly.

I hope I'm wrong about the possibility of an Oct. 29 anthrax mailing, but it's important to be alert for more anthrax cases as we near the end of what would be the incubation period (and this is also a test of whether the theory is correct).

Notice that these hypothetical anthrax release dates are consistent with the warnings of terrorist attacks within the following few days issued by the FBI on Oct. 11 and by Attorney General John Ashcroft on Oct. 31 (especially in light of both the incubation period for anthrax and the inherent uncertainty in warnings such as these).

Connection with Code Red II and earlier worms
The Nimda worm makes use of "back-doors" left by the earlier Code Red II and sadmind worms. It is unknown if this is an opportunistic use of these back-doors, or if one or both of these earlier worms were released with the specific intent of following up with the Nimda worm. It is also unknown if Code Red II is actually related to the original Code Red worm (in spite of the names assigned by security experts). In any event, the sadmind worm was released on May 8, 2001, Code Red was released on July 16, 2001, and Code Red II was released on August 4, 2001. It would be of interest to see if there were any apparently unrelated anthrax threats, terrorist threats, etc., on May 8, July 16, and/or August 4. (I have seen a news report indicating that Bill O'Reilly and Sean Hannity of Fox News may have received letters before Sept. 11 apparently similar to the later anthrax mailings.)

The People Behind the Attack
The coincidence of dates and the similarity of methods and purpose indicate that the same group of people is behind both the anthrax attacks and the Nimda series of worms. It appears that at least two people must be involved, since one person is unlikely to be so skilled at both microbiology and software development as to have been able to create and carry out both attacks.

Speculation

Speculation - Connections with the 9/11 attacks
The first Nimda attack occurred almost precisely one week (to the hour, and maybe to the minute) after the first plane hit the World Trade Center. This strongly suggests a connection between the Sept. 11 attacks and Nimda and, if the theory above is correct, a connection between the Sept. 11 attacks and the anthrax mailings as well.

Speculation - Place of Origin
This theory may point to a foreign connection with the anthrax attack. It has been widely suggested that Nimda may have originated in China; this is purely speculative and rests only on the worm's early widespread propagation in Asia and on the fact that the worm itself contains a reference to China.

Background: Technical Information on the Nimda Worm (and others)

For technical information on the Nimda, Code Red, Code Red II, and sadmind worms, see the Symantec security web site at http://securityresponse.symantec.com, the F-Secure web site at http://www.europe.f-secure.com/v-descs/w.shtml (click on W32/Nimda.a@mm, etc.), and the SANS Institute web site at http://www.incidents.org.
