Yesterday — 18 September 2001 — a worm called Nimda appeared. By this morning it has reached saturation across multiple platforms. The structural complexity exceeds any previous worm.
This is a first writeup. Pulled together quickly because the patterns are unusual and worth describing while the situation is clear in my mind.
What Nimda does
Nimda is a multivector worm. It propagates through five distinct mechanisms simultaneously:
1. IIS web server compromise. Like Code Red, Nimda exploits the IIS .ida vulnerability and similar IIS bugs. It scans for vulnerable IIS hosts and compromises them.
2. Backdoors from prior Code Red II infections. Where a host was compromised by Code Red II, Nimda uses the persistent backdoor (the cmd.exe/root.exe left by Code Red II) to install itself. This is operationally clever — Nimda inherits Code Red II's compromised population.
3. Email propagation. The worm sends itself as an email attachment using the user's mail client. The attachment is a .eml file that, when opened in a vulnerable Outlook/Outlook Express, automatically executes due to a separate Outlook vulnerability. No double-click required.
4. Network share propagation. The worm copies itself to network shares the infected host can write to, naming the copies in ways that look like ordinary documents. Other hosts that open the shares may execute the worm.
5. Web-page modification. On infected IIS servers, the worm modifies served HTML to include a JavaScript that downloads the worm to visitors. Anyone visiting an infected site with a vulnerable browser is then compromised.
Five vectors, simultaneously. The worm propagates through whatever path is available.
The propagation arithmetic
With multiple vectors operating in parallel, the propagation arithmetic is more complex than the single-vector case I described. Each vector has its own β; the cumulative effect is approximately the sum.
For Nimda specifically:
- IIS scanning: similar β to Code Red (around 10/hour).
- Code Red II backdoor exploitation: very high β (the substrate is well-known and reachable).
- Email propagation: moderate β.
- Network shares: high β within local networks.
- Browser drive-by: variable β depending on traffic to compromised sites.
The combined β produces saturation across the vulnerable population in hours. Data from operators suggests Nimda hit over 500,000 hosts on the first day.
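To make the arithmetic above concrete, the following is an added worked model (mine, not part of the original entry). It treats each vector as contributing its own β to a logistic infection curve and sums them, as the entry proposes. The only figures taken from the entry are the IIS-scanning β of around 10/hour and the roughly 500,000-host first-day population; the other per-vector β values are assumed placeholders chosen only to make the arithmetic visible, and the function that closes one vector at a time quantifies the later point that responding to a single vector leaves the others running.

```python
"""Multi-vector propagation arithmetic as a logistic (SI) model in which the
per-vector rates add.  Added illustration, not from the original entry.
Only POPULATION and the "iis_scan" rate come from the entry; the other
per-vector betas are ASSUMED placeholders matching its qualitative labels
(very high / moderate / high / variable).
"""
import math

POPULATION = 500_000  # from the entry: hosts hit on the first day

# Per-vector rates, new infections per infected host per hour.
VECTOR_BETA = {
    "iis_scan": 10.0,              # from the entry: "around 10/hour"
    "code_red_ii_backdoor": 30.0,  # assumed: "very high"
    "email": 5.0,                  # assumed: "moderate"
    "network_share": 20.0,         # assumed: "high" within local networks
    "browser_driveby": 3.0,        # assumed: "variable"
}


def combined_beta(betas):
    """The entry's approximation: vectors running in parallel sum their rates."""
    return sum(betas.values())


def infected_at(t, beta, n=POPULATION, i0=1.0):
    """Closed-form solution of dI/dt = beta * I * (1 - I/n) with I(0) = i0."""
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-beta * t))


def hours_to_fraction(frac, beta, n=POPULATION, i0=1.0):
    """Invert the logistic: hours until a fraction `frac` of n is infected."""
    return math.log((n / i0 - 1.0) * frac / (1.0 - frac)) / beta


def hours_with_vector_closed(vector, betas=VECTOR_BETA, frac=0.99):
    """Saturation time if defenders close exactly one vector and leave the rest.

    This is the quantitative form of 'responding to one vector misses the others'.
    """
    remaining = {k: v for k, v in betas.items() if k != vector}
    return hours_to_fraction(frac, combined_beta(remaining))


if __name__ == "__main__":
    single = hours_to_fraction(0.99, VECTOR_BETA["iis_scan"])
    allvec = hours_to_fraction(0.99, combined_beta(VECTOR_BETA))
    print(f"IIS scanning alone : 99% of hosts in {single:6.2f} h")
    print(f"all five vectors   : 99% of hosts in {allvec:6.2f} h")
    for name in VECTOR_BETA:
        print(f"close only {name:21s}: {hours_with_vector_closed(name):6.2f} h")
```

Under these assumed rates IIS scanning alone takes about 1.8 hours to reach 99% of the population, the five vectors together about 16 minutes, and closing even the largest single vector (the Code Red II backdoor path) still leaves saturation faster than Code Red's single-vector scanning. The absolute numbers depend on the placeholders; the shape of the result does not.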
What is structurally novel
Three things.
The chained-compromise mechanism. Nimda using Code Red II's backdoors is a new pattern. One worm exploiting the persistence of an earlier worm means that surviving compromised hosts become substrate for further attacks. The compromised population is sticky in ways that compound.
The browser-as-vector mechanism. Compromising IIS servers and using them to compromise visiting browsers is a new technique at scale. The internet's web-browsing population is now part of the attack substrate.
The cross-platform propagation. Nimda compromises servers (IIS), desktops (via mail and shares), and indirectly any user who browses to a compromised site. The lateral spread across platforms is more thorough than any previous worm.
What operators should do
A short list, in priority order:
1. Apply all relevant patches. Multiple Microsoft advisories are involved — IIS .ida, IIS unicode, Outlook MIME handling. Each must be applied.
2. Inspect for Code Red II artefacts. Any host previously compromised by Code Red II is a candidate for Nimda re-infection. Check for cmd.exe or root.exe in writable web directories; remove if found.
3. Disable network shares that are not needed. Nimda's network-share propagation is defeated by simply not having writable shares.
4. Filter email attachments. The .eml attachment vector is defeated by stripping at the relay, as standard.
5. Update browsers and disable vulnerable Outlook auto-execution. The drive-by and email vectors require specific patches; apply them.
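For the host-side items in the list above, here is an added inspection script (mine, not a tool from the entry). It walks a web root looking for the cmd.exe / root.exe artefacts the entry names and for served HTML that has been altered to carry a script. The sample web root it inspects is constructed in a temporary directory so the script runs offline; the rule that flags an inline `<script>` referring to a .eml file is this example's own heuristic, an assumption built from the entry's description of the JavaScript and .eml vectors rather than a published signature, and the file name in the sample page is made up.

```python
"""Post-incident inspection of a web root for two Nimda-related conditions:
copies of cmd.exe / root.exe (Code Red II artefacts named in the entry) and
HTML pages altered to load a script.  Added example, not from the entry.
The sample tree is constructed in a temp directory; the .eml-in-<script>
rule is an ASSUMED heuristic of this example only.
"""
import os
import re
import shutil
import tempfile

BACKDOOR_NAMES = {"cmd.exe", "root.exe"}   # artefacts named in the entry
HTML_EXTS = {".htm", ".html", ".asp"}
# Assumption: an inline <script> whose body mentions a .eml file is suspect.
INJECT_RE = re.compile(r"<script[^>]*>[^<]*\.eml", re.IGNORECASE)


def scan_web_root(root):
    """Walk `root`; return sorted (kind, relative_path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in BACKDOOR_NAMES:
                findings.append(("backdoor_binary", rel))
                continue
            if os.path.splitext(name)[1].lower() in HTML_EXTS:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if INJECT_RE.search(fh.read()):
                        findings.append(("injected_script", rel))
    return sorted(findings)


def build_sample_web_root():
    """Constructed sample tree: a clean page, an altered page, a backdoor copy."""
    root = tempfile.mkdtemp(prefix="nimda_inspect_")
    os.makedirs(os.path.join(root, "scripts"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>\n")
    with open(os.path.join(root, "docs", "faq.htm"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>FAQ</body></html>\n")
        # Constructed stub appended to the page; "sample.eml" is a made-up name.
        fh.write('<html><script language="JavaScript">'
                 'window.open("sample.eml")</script></html>\n')
    with open(os.path.join(root, "scripts", "root.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)   # placeholder bytes, not a real binary
    return root


def remove_sample_web_root(root):
    """Delete a tree produced by build_sample_web_root()."""
    shutil.rmtree(root)


if __name__ == "__main__":
    demo_root = build_sample_web_root()
    try:
        for kind, path in scan_web_root(demo_root):
            print(f"{kind:16s} {path}")
    finally:
        remove_sample_web_root(demo_root)
```

Point `scan_web_root` at a real IIS document root to use it; a hit on a backdoor binary is worth more than the HTML heuristic, which can produce false positives on legitimate pages and is only a prompt to read the file.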
What I expect over the next weeks
A short list:
- Aggressive cleanup. Operators are going to be doing serious work for weeks. The combination of multiple vectors and persistent backdoors makes the cleanup substantially harder than for previous worms.
- Variants. Nimda's source is now widely available. Variants will follow. Some will fix the obvious shortcomings; some will introduce new mechanisms.
- Continuing reduction in IIS deployment. Operators are increasingly migrating away from IIS in response to the cumulative incident pattern. The economics of running IIS in 2001 are visibly worse than they were in 2000.
- A continued elevation in baseline internet noise. Code Red and Nimda both leave persistent infections that continue to scan and propagate. The base rate of malicious traffic across the internet is now higher than it has been at any point in this notebook's lifetime.
A small reflection
Nimda is, on the available evidence, the most consequential worm of 2001 to date. The multivector approach is a structural escalation; defenders responding to one vector miss the others.
For my own infrastructure: not directly vulnerable. My honeypot range is being hit by all five vectors and is logging substantial data; I will write up specific captures over the next month.
For friends running Microsoft infrastructure: the cleanup is non-trivial. I am going to spend this weekend helping the worst-affected.
More as the situation develops.