Hackers Target Systems Infected By MyDoom - InformationWeek


They're taking advantage of a back door the worm has created in infected systems.

Now tagged by at least one security firm as "the worst worm in history," MyDoom has created a back door to infected systems that an army of hackers is quickly turning to its advantage.

MyDoom, which began spreading on Monday, continues to show signs of slowing, according to some security analysts--but not all.

"We're still seeing a substantial number of MyDoom submissions [from customers]," said Eric Chien, chief researcher at Symantec's Security Response team. "The volume really hasn't gone down that much; it will take a few more days for it to taper off."

But Network Associates' Avert team said Wednesday that MyDoom isn't slowing down; it has increased its estimates of infected systems from the 100,000 to 200,000 of yesterday to 400,000 to 500,000 on Thursday.

MyDoom has broken the records once held by Sobig to become the fastest-spreading worm ever, several security and messaging-filtering firms have said. The latest to award MyDoom the dubious distinction is the Finnish company F-Secure, which now estimates that 20% to 30% of all global E-mail traffic is composed of MyDoom mailings. In just three days, F-Secure said, MyDoom blew past Sobig to become the worst worm in virus history.

The widespread distribution of MyDoom will likely present problems for SCO and Microsoft, both of which are targeted by the worm and its MyDoom.b variant, discovered Wednesday, for denial-of-service attacks starting Feb. 1.

But the worm may also give average users major heartburn. That's because MyDoom creates a back door to infected systems by opening numerous ports, which can then be used by attackers to secretly install malicious code, including key loggers or Trojan horses. That malicious code could also allow access to the machine's hard drive, or make it perform other chores, such as spamming or conducting additional denial-of-service attacks, Symantec's Chien said.

"Hackers are actively looking for open machines to compromise," said Chien, who noted that Symantec's Threat Management System, a collection of network sensors deployed around the globe, has seen substantial scanning activity targeting port 3127, one of the ports that MyDoom's back door opens.

"They are targeting the back door on this port, which can allow them to upload new malicious code as well as use the infected system to launch further attacks and forward spam," the Threat Management System reported in an alert. Symantec has seen more than 2,000 unique sources scanning for this port. MyDoom's back door opens TCP ports 3127 through 3198.

"Systems infected with MyDoom are wide open to every kind of attack," said Chien. "All it takes is a medium level of technical proficiency on the part of a hacker" once scanning has identified a machine infected with the worm.

Attackers could upload key-logging software--used by identity thieves to uncover passwords and user names, credit-card information, E-mail account info, and other data typed on the system--install Trojan horses to turn the PC into a spamming proxy, or upload pirated application and multimedia files to use the unsuspecting system as an illegal file server.

"There's no question that hackers are scanning for and connecting to and utilizing this back door," said Chien.

To compound the problem, MyDoom.b, a copycat worm unleashed Wednesday, also scans for the original worm's open ports, said Chien, and when it finds an infected system, "copies itself over the original to 'upgrade' that machine." Fortunately, MyDoom.b seems to be spreading very slowly. Chien attributed that partly to luck--the original may have been seeded to a small number of computers with particularly large E-mail address files--and partly to the defenses that users had thrown up against MyDoom before MyDoom.b appeared.

The only silver lining in the potential assault by this army of hackers, and it may be only temporary, said Chien, is that automated tools for accessing this back door are not yet widespread on the Web.

To access the opening in a MyDoom-infected machine, said Chien, a hacker must not only sniff out the system by scanning, but also carefully compose the attack using MyDoom's protocol. "Parts of that protocol have been published on open mailing lists," he said, "but 'kiddies-scripts' aren't yet widely available." The term refers to tools that allow even the clumsiest hacker to exploit a compromised computer.

That may change, and quickly, if MyDoom follows the pattern of other big-time exploits such as last year's Slammer, and even earlier vulnerabilities created by worms such as Nimda and Code Red, all of which were rapidly supported by tools that eliminated the need for an attacker to have a high level of technical expertise.

"Today, what hackers really want is access," said Chien. "They want to own machines for E-mailing spam, for storing pirated software, or just to have zombies available to them."

And with the open back doors provided by MyDoom, that's exactly what they're getting.

To protect networks and computers, security firms have recommended blocking TCP ports 3127 through 3198 at the firewall.
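The scanning activity Symantec describes above (many unique sources probing port 3127) and the firewall advice to cover TCP 3127 through 3198 both come down to watching one port range. The following is an added example, not code from the article or from Symantec: it reads constructed firewall log lines in an assumed "ACTION SRC DST DPORT" format, counts the distinct sources probing the MyDoom back-door range, and flags any internal host that accepted such a connection, since an open port in that range is the worm's signature.

```python
# Added example (not from the article): detect probing of the MyDoom
# back-door port range (TCP 3127-3198) in firewall logs and flag internal
# hosts that accepted a connection on those ports (likely infected).
from collections import defaultdict

# 3127..3198 inclusive, the range the article says the back door opens.
MYDOOM_BACKDOOR_PORTS = range(3127, 3199)

# Constructed sample log lines in an assumed "ACTION SRC DST DPORT" format
# (not any real firewall's log format). Documentation/test addresses only.
SAMPLE_LOG = """\
DROP 198.51.100.7 10.0.0.5 3127
DROP 198.51.100.7 10.0.0.6 3127
ACCEPT 203.0.113.9 10.0.0.12 3127
DROP 198.51.100.20 10.0.0.5 3128
ACCEPT 192.0.2.44 10.0.0.12 3130
DROP 198.51.100.7 10.0.0.5 80
ACCEPT 203.0.113.9 10.0.0.13 443
"""

def parse_line(line):
    """Split one log line into (action, src, dst, dport)."""
    action, src, dst, dport = line.split()
    return action, src, dst, int(dport)

def analyze(log_text):
    """Return (sources, suspects): sources maps each probing address to the
    internal hosts it touched in the back-door range; suspects maps each
    internal host that ACCEPTed a back-door connection to the sources."""
    sources = defaultdict(set)
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, src, dst, dport = parse_line(line)
        if dport not in MYDOOM_BACKDOOR_PORTS:
            continue  # ordinary traffic, e.g. ports 80 and 443 above
        sources[src].add(dst)
        if action == "ACCEPT":
            suspects[dst].add(src)
    return dict(sources), dict(suspects)

def scanning_sources(log_text):
    return sorted(analyze(log_text)[0])

def suspect_hosts(log_text):
    return sorted(analyze(log_text)[1])

if __name__ == "__main__":
    srcs, hosts = analyze(SAMPLE_LOG)
    print(f"{len(srcs)} unique sources probing 3127-3198: {sorted(srcs)}")
    print(f"hosts that accepted a back-door connection: {sorted(hosts)}")
```

A host that shows up in the suspects list should be taken offline and cleaned; a DROP rule for the whole range, as the article recommends, keeps new probes from reaching it in the meantime.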

Machines infected with the MyDoom worm can be cleansed by following a set of instructions on the Microsoft security Web site, or by downloading one of the many removal tools posted on the Internet.
