Nimda hit our servers on Sunday 16/09/2001. It appears to be a worm that combines standard mass-mailing techniques with attempts to exploit the buffer overflows used by CodeRed in order to propagate. As of 18 September 2001, Nimda accounts for 35 to 45% of our Belgian incoming web traffic. Since both the attacks and the mailing appear to occur at a very high rate, we expect this worm to become a major problem very soon.
For those interested, here is a graph of Nimda's code; the graph was created with IDA Pro, our well-known disassembler. Govind Rammurthy has made this free cleaner available.
Here are a few sample mails received in a relatively short time.
Here is the Nimda activity as recorded by one of our NIDS sensors.
Here is Nimda hitting our web server with a variety of attempts.