
AOL is still infected with nimda. Lamers beware.

by Majik on September 27th, 2001

Nimda has gone dormant over much of the Internet this week, but within America Online's network the worm is still frenetically attempting to infect users.

In less than one hour on the service Wednesday, a computer operated by Newsbytes was probed by six different AOL systems infected with Nimda.

All of the machines had Internet protocol addresses assigned to America Online and appear to be operated by AOL users rather than by the online service.

The tests, performed using a tool called Wormcatcher from TruSecure Corporation, showed that each Nimda-infected AOL machine was attempting to fire off the worm's arsenal of more than a dozen exploits of known security vulnerabilities in Microsoft's Internet Information Server (IIS) software.

Such probes would likely go unnoticed and present no danger to AOL users on Windows 95 or 98 systems. For subscribers with unpatched versions of Microsoft's Windows 2000 operating system, however, connecting to the online service could be inviting infection, according to Johannes Ullrich, operator of the Dshield distributed intrusion detection system.

Indeed, all of the infected AOL users that scanned Newsbytes appeared to have been running Windows 2000 and displayed home pages containing the worm's code.

While Nimda infections have leveled off overall since peaking on Sept. 19, AOL appears to be a possible hot-spot of contagion, according to Roger Thompson, director of malicious code research for TruSecure.

"AOL appears to be battling a heavy concentration of Nimda infections, especially a week later when everyone else is more or less winding down," he said.

The company's online message boards include numerous reports from users infected with Nimda, but AOL officials told Newsbytes the firm has not received an abnormally high number of customer support calls regarding viruses, nor has it experienced any network degradation as a result of the worm.

While some Internet service providers have begun disconnecting subscribers whose systems are infected with Nimda or Code Red, AOL currently has no plans to take such action, company representatives said.

Systems infected with Nimda can create a scanning storm, simultaneously attempting to probe up to 200 Internet addresses, according to an analysis of the worm by the SANS Institute.

The Nimda activity within AOL has gone largely undetected by Dshield and other Internet intrusion monitoring services. One reason is that systems infected with Nimda aim 75 percent of their probes within their local Internet area. In AOL's case, this is a block of addresses beginning with the number 172.
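The two behaviours described above, a host probing up to 200 addresses at once and aiming three quarters of those probes at its own address block, are what a network operator can use to spot infected subscribers from inside, and they also explain why an outside sensor such as Dshield sees only a fraction of the activity. The following is an added example written for this page, not code from the article or from any of the organisations it names; the connection records are constructed, and the 172.0.0.0/8 block, the 200-target figure and the 75 percent local share are taken from the article.

```python
import ipaddress
import random
from collections import defaultdict

# Assumption from the article: AOL's local address space is the block
# beginning with 172. Everything below operates on constructed records.
AOL_BLOCK = ipaddress.ip_network("172.0.0.0/8")

def make_records(seed=1):
    """Constructed (src, dst, dport) tuples: one scanning host whose 200
    probes are 75% inside AOL_BLOCK, plus a normal host with three flows."""
    rng = random.Random(seed)
    recs = []
    scanner = "172.16.5.9"
    for i in range(200):
        last = i % 250 + 1                 # keeps every destination distinct
        if i < 150:                        # 75% of probes stay local
            dst = f"172.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{last}"
        else:                              # 25% leave the local block
            dst = f"{rng.randint(1, 171)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{last}"
        recs.append((scanner, dst, 80))
    for dst in ("64.12.1.1", "205.188.1.1", "172.20.7.7"):
        recs.append(("172.16.5.10", dst, 80))
    return recs

def scan_profile(records, local_net, port=80):
    """Per source: number of distinct hosts probed on `port` and the share
    of those hosts that fall inside local_net."""
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == port:
            targets[src].add(ipaddress.ip_address(dst))
    profile = {}
    for src, dsts in targets.items():
        local = sum(1 for d in dsts if d in local_net)
        profile[src] = {"targets": len(dsts), "local_fraction": local / len(dsts)}
    return profile

def flag_scanners(profile, min_targets=50):
    """Sources hitting at least min_targets distinct hosts: a scanning storm."""
    return sorted(s for s, p in profile.items() if p["targets"] >= min_targets)

def outside_visibility(profile, src):
    """Share of a source's probes that a sensor outside local_net could see."""
    return 1.0 - profile[src]["local_fraction"]

if __name__ == "__main__":
    prof = scan_profile(make_records(), AOL_BLOCK)
    for src in flag_scanners(prof):
        print(src, prof[src], "visible outside:", outside_visibility(prof, src))
```

With the constructed records the scanner is flagged at 200 targets with a local fraction of 0.75, so an external sensor would see only a quarter of its probes, while the normal host at three targets is not flagged.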

In addition, AOL has effectively walled off its users through the use of what are called proxy servers and through filtering outgoing Web requests by its users, according to Ullrich, who said Dshield has received few reports of Nimda scans originating from AOL addresses.

AOL officials confirmed that the online service "insulated" both its corporate network as well as the resources used by AOL members on Sept. 18 when the worm was first discovered and quickly began infecting thousands of Windows systems around the Internet.

Besides spreading by scanning, Nimda propagates to other 32-bit Windows systems by infecting Web pages and e-mail, and may also spread using open file shares, according to researchers.

The situation on AOL's network could begin to intensify Friday, when experts say the infection will awaken in PCs and begin new mass-mailings of infected messages.

According to estimates by the Cooperative Association for Internet Data Analysis (CAIDA) at the University of California in San Diego, Nimda infected nearly half a million systems at its peak last week.
