Hackers Target Systems Infected By 'Mydoom'

Mydoom, which began spreading on Monday, continues to show signs of slowing, according to some security analysts, while others disputed that take.

"We're still seeing a substantial number of Mydoom submissions [from customers]," said Eric Chien, chief researcher with Symantec's Security Response team. "The volume really hasn't gone down that much; it will take a few more days for it to taper off."

Network Associates' AVERT team, meanwhile, said Wednesday that Mydoom isn't slowing down, and increased its estimates of infected systems from the 100,000 to 200,000 of yesterday to a whopping 400,000 to 500,000 today.

Even before today, Mydoom had broken records once held by Sobig to become the fastest-spreading worm ever, several security and messaging filtering firms have said. The latest to award Mydoom the dubious distinction is the Finnish company, F-Secure, which now estimates that 20 to 30 percent of all global e-mail traffic is composed of Mydoom mailings.

In just three days, said F-Secure, Mydoom blew past Sobig to become the worst worm in virus history.

The widespread distribution of Mydoom will likely present problems for SCO and Microsoft -- both of which are targeted by the worm and its Mydoom.b variant, discovered Wednesday, for denial-of-service (DoS) attacks starting Sunday, Feb. 1 -- but the worm may also give average users major heartburn.

That's because Mydoom creates a backdoor to infected systems by opening numerous ports, which can then be used by attackers to secretly install malicious code, including key loggers or Trojan horses. That malicious code could also allow access the machine's hard drive, or make it perform other nefarious chores, such as spamming or conducting additional DoS attacks, said Symantec's Chien.

"Hackers are actively looking for open machines to compromise," said Chien, who noted that Symantec's Threat Management System -- a collection of network sensors deployed around the globe -- has seen substantial scanning activity targeting port 3127, one of the ports that Mydoom's back door opens.

"They are targeting the back door on this port, which can allow them to upload new malicious code as well as use the infected system to launch further attacks and forward spam," the Threat Management System reported in an alert. Symantec has seen more than 2,000 unique sources scanning for this port. Mydoom's back door opens TCP ports 3127 through 3198.

"Systems infected with Mydoom are wide open to every kind of attack," said Chien. "All it takes is a medium level of technical proficiency on the part of a hacker," he added, once scanning has identified a machine infected with the worm.

Attackers could upload key-logging software -- used by identify thieves to uncover passwords and usernames, credit card information, e-mail account info, and other data typed on the system -- install Trojan horses to turn the PC into a spamming proxy, or upload pirated application and multimedia files to use the unsuspecting system as an illegal file server.

"There's no question that hackers are scanning for and connecting to and utilizing this back door," said Chien.

To compound the problem, Mydoom.b, a copycat worm unleashed Wednesday, also scans for the original worm's open ports, said Chien, and when it finds an infected system, "copies itself over the original to 'upgrade' that machine." Fortunately, Mydoom.b seems to be spreading very slowly. Chien attributed that partly to luck -- the original may have been seeded to a small number of computers with particularly large e-mail address files -- and partly to the defenses that users have thrown up against Mydoom before Mydoom.b appeared.

The only silver lining in the potential assault by this army of hackers, and it may be only temporary, said Chien, is that automated tools for accessing this back door are not yet widespread on the Web.

To access the opening in a Mydoom-infected machine, said Chien, a hacker must not only sniff out the system by scanning, but also carefully compose the attack using Mydoom's protocol. "Parts of that protocol have been published on open mailing lists," he said, "but 'kiddie-scripts' aren't yet widely available." 'Kiddie-script' refers to tools which allow even the clumsiest hacker to exploit a compromised computer.

That may change, and quickly, if Mydoom follows the pattern of other big-time exploits such as last year's Slammer, and even earlier vulnerabilities created by worms such as Nimda and Code Red, all of which were rapidly supported by tools that eliminated the need for an attacker to have a high level of technical expertise.

"Today, what hackers really want is access," said Chien. "They want to own machines for e-mailing spam, for storing pirated software, or just to have zombies available to them."

And with the open back doors provided by Mydoom, that's exactly what they're getting.

To protect networks and computers, security firms have recommended blocking TCP ports 3127 through 3198 at the firewall.

Machines infected with the Mydoom worm can be cleansed by following a set of instructions on the Microsoft security Web site, or by downloading one of the many removal tools posted on the Internet. Symantec, for example, offers such a tool, while Computer Associates provides something similar.

*This story courtesy of Techweb.com.