SANS Incidents handler of 2001/09/25 Vicki Irwin

A poster to the Handler’s list came to the following conclusion
after performing an analysis on the worm code with a disassembler:

“After consuming a certain amount of CPU time [Nimda] goes dormant for 10
days. It counts the days as year*365 + month*30 + day_of_month. The
next wave of attacks will be on Sept 28, Oct 8, Oct 18, Oct 28….”

The results of this analysis would explain the slowing very well, and
predict that we should expect another ramp up in activity on Friday. Other
sources have noted that the use of Nimda’s “GetSystemTime” call is to initiate
the email propagation phase anew every 10 days, but have not said anything
about the worm stopping scanning for web servers upon reaching some defined
limit. In addition to explaining the observed drop off in scan activity, this
analysis would also potentially explain why the strings “Processor Time”,
“User Time”, “Privileged Time”, etc. are found in the worm binary.

Note: The incidents.org Nimda report will be updated tomorrow (9/26)
with new information collected since 9/21.
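The day arithmetic quoted above (year*365 + month*30 + day_of_month) is not a real calendar: every month is treated as 30 days and every year as 365, so "10 days" in the worm's counter does not always equal 10 real days. The following script, an added illustration that is not part of the handler diary or of the poster's disassembly, walks the real calendar with that formula and reports the dates on which the counter has advanced by at least 10 since the previous wave. It assumes Nimda's outbreak date (18 September 2001) as the starting reference and assumes the worm fires on the first day the counter reaches the threshold; both are assumptions, since the diary does not state how the comparison is implemented.

```python
from datetime import date, timedelta


def nimda_day_count(d: date) -> int:
    """Day counter as described in the quoted analysis:
    year*365 + month*30 + day_of_month.  Months are treated as 30 days and
    years as 365 days, so this is only an approximation of elapsed days."""
    return d.year * 365 + d.month * 30 + d.day


# Assumed starting reference: the worm's first appearance on 18 Sept 2001.
OUTBREAK = date(2001, 9, 18)
DORMANT_PERIOD = 10  # "goes dormant for 10 days" in the worm's own counter


def next_wave_dates(start: date = OUTBREAK, n: int = 4,
                    period: int = DORMANT_PERIOD) -> list[date]:
    """Return the first n real-calendar dates on which the worm's counter has
    advanced by at least `period` since the previous wave.

    Assumption: the worm compares the current counter against the counter
    value recorded at the last wave and fires when the difference reaches the
    period; the diary does not say exactly how the check is coded."""
    last_fired = nimda_day_count(start)
    waves: list[date] = []
    d = start
    while len(waves) < n:
        d += timedelta(days=1)
        if nimda_day_count(d) - last_fired >= period:
            waves.append(d)
            last_fired = nimda_day_count(d)
    return waves


def real_day_gaps(dates: list[date]) -> list[int]:
    """Actual number of calendar days between consecutive predicted waves,
    which shows where the 30-day-month approximation drifts."""
    return [(b - a).days for a, b in zip(dates, dates[1:])]


if __name__ == "__main__":
    waves = next_wave_dates(n=12)
    for w in waves:
        print(w.isoformat(), "counter =", nimda_day_count(w))
    print("real-day gaps between waves:", real_day_gaps(waves))
```

The first four dates it produces are the ones the poster predicted (Sept 28, Oct 8, Oct 18, Oct 28). Continuing past those shows the drift a defender would want to know about: because October has 31 real days but counts as 30, the wave after Oct 28 lands on Nov 8 (11 real days later), and the year rollover (365 versus the 5-day jump in the counter at Jan 1) pulls the wave after Dec 28 forward to Jan 3, 2002, only 6 real days later. Anyone scheduling monitoring around "every 10 days" should compute the dates from the formula rather than from a calendar.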
