Nimda aftermath: structural lessons

A week into Nimda. The cleanup continues; the structural lessons are clearer than they were on day one.

A more careful writeup of what defenders should take from this incident.

The single most important lesson

Multivector attacks defeat single-vector defences. A defender who has perfect IIS patching is still vulnerable to Nimda via email; a defender with perfect email filtering is still vulnerable via web browsing; a defender with perfect browser security is still vulnerable via network shares. No single defence catches Nimda. The defence has to be in depth across multiple layers.

This is the lesson I have been writing about throughout this year as "defence in depth". Nimda is the empirical confirmation that the slogan is correct.

The chain effect

Nimda's use of Code Red II's persistent backdoors is structurally novel and worth understanding. The mechanism:

  • In summer 2001, Code Red II compromises hosts and installs cmd.exe/root.exe in writable web directories.
  • Many of those compromised hosts have not been cleaned up.
  • Nimda comes along months later and uses the still-existing backdoors to install itself.
  • Nimda's compromised population includes hosts that were compromised by Code Red II and never patched.

The cleanup discipline is what determines whether you are vulnerable to Nimda's chain attack. Hosts that were quickly cleaned of Code Red II are not in the substrate. Hosts that were not are.

This is the retention vs eviction problem at structural scale. Once a host is compromised, the attacker is not always fully evicted. The residual access compounds across future incidents.

The internet's elevated baseline

From my Snort sensor and from operator chatter, the post-Nimda baseline of internet attack traffic is the highest I have ever observed. Specifically:

  • The .ida exploit pattern is generating roughly 50,000 hits per day against my range. Many sources are presumably persistent Nimda or Code Red II infections.
  • Email-attachment volume is up substantially. Even legitimate users are seeing notable mail-relay slowness.
  • Network-share-targeting traffic on internal segments (where I have visibility) is elevated; even internal LANs are seeing scan attempts that did not exist before.

The internet's attack-noise floor has stepped up. Operators who have been monitoring for years can confirm this pattern; the line on the graph has been creeping up for two years and just took a substantial step.
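As an added illustration (not the author's sensor configuration), here is a small log-triage script that counts the two request patterns discussed above, the .ida overflow probes and requests for the root.exe/cmd.exe backdoor copies that Code Red II leaves behind, per source address, and flags any backdoor request that the logged server itself answered with 200, which is the sign that the host has not been fully cleaned. The simplified log format, the addresses and the request lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Request-path signatures for the two patterns discussed in the post:
#  - the .ida buffer-overflow probe used by Code Red / Code Red II
#  - requests for the cmd.exe/root.exe copies Code Red II leaves in web
#    directories, which Nimda later reuses
IDA_PROBE = re.compile(r"\.ida\?", re.IGNORECASE)
BACKDOOR_PROBE = re.compile(r"/(root|cmd)\.exe", re.IGNORECASE)

# Constructed sample lines (not real sensor output): "client_ip method uri status"
SAMPLE_LOG = """\
10.0.0.7 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200
10.0.0.7 GET /scripts/root.exe?/c+dir 404
10.0.0.9 GET /index.html 200
10.0.0.12 GET /scripts/root.exe?/c+dir 200
10.0.0.12 GET /msadc/root.exe?/c+dir 200
10.0.0.12 GET /scripts/cmd.exe?/c+dir 200
10.0.0.7 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200
10.0.0.15 GET /products/list.asp?id=3 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def classify(uri):
    """Return 'ida', 'backdoor', or None for a single request URI."""
    if IDA_PROBE.search(uri):
        return "ida"
    if BACKDOOR_PROBE.search(uri):
        return "backdoor"
    return None

def summarize(log_text):
    """Count probe types per source; record backdoor requests this server answered 200."""
    per_source = defaultdict(Counter)
    served_backdoor = []  # (ip, uri): the logged host still has a working backdoor
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ip, _method, uri, status = m.groups()
        kind = classify(uri)
        if kind is None:
            continue
        per_source[ip][kind] += 1
        if kind == "backdoor" and status == "200":
            served_backdoor.append((ip, uri))
    return dict(per_source), served_backdoor

if __name__ == "__main__":
    sources, served = summarize(SAMPLE_LOG)
    for ip, counts in sources.items():
        print(ip, dict(counts))
    print("backdoor requests answered 200 (host not cleaned):", served)
```

A non-empty served_backdoor list means the server being logged is itself still in the substrate the post describes, regardless of how noisy the external sources are.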

What this implies for the defence model

A few specific implications.

Patching alone is no longer sufficient. I wrote about this in October 2000; Nimda is the strongest available evidence. Even an operator with perfect patching for the IIS vulnerabilities is hit by Nimda via email or shares. The defence has to be multi-layer.

Removing all traces of past compromise is now operationally important. Where previously a quick cleanup was acceptable, the chain-compromise pattern means residual artefacts are exploitable months later. Full reinstall from clean media is the right level of paranoia for any seriously-compromised host.

Network segmentation is essential. Nimda's network-share propagation is defeated by segmentation; the internal lateral spread requires a flat network. Organisations that segmented are seeing dramatically less internal damage than organisations that did not.

Browser security is now part of the perimeter. Drive-by compromise via legitimate (but compromised) websites is now a real attack vector. Defending the browser is no longer a desktop-security concern; it is part of the network defence.

What is changing in vendor response

The combined Code Red and Nimda incident sequence has produced visible movement at Microsoft.

Patching prioritisation is improving. New IIS advisories are being shipped on aggressive timelines. The patching tooling is getting better.

Defaults are shifting. Outlook 2002 ships with default attachment blocking. IIS 6 (in development) will ship with much more restrictive defaults. The architectural changes I have been arguing for are visibly in development.

The internal security culture is changing. From conversations with people at Microsoft, the company is preparing for substantial security-process changes. Bill Gates personally is reportedly involved. Whether this produces structural change in product quality is the question; the early signals are encouraging.

What I am taking from this

Three things.

The defence-in-depth message is now self-evident. Operators who have been resisting the layered approach as overkill are seeing the cost of single-layer defences. The conversation has shifted.

Cleanup discipline matters more than I had emphasised. I have been writing about prevention extensively and about forensic readiness somewhat. I have been writing less about the cleanup phase — the period after an incident is contained but before the affected systems are fully restored. Nimda has shown that incomplete cleanup is itself a security problem.

The vendor response is the slowest variable. Microsoft is starting to move; the movement is years away from completion. Operators must continue to defend without assuming structural improvements will arrive in time.

More as the year develops. The next regular post will be on the Sebek captures from the Nimda window, which have been informative.
