They're taking advantage of a back door the worm has created in infected systems.

InformationWeek Staff, Contributor

January 29, 2004


Now tagged by at least one security firm as "the worst worm in history," MyDoom has created a back door to infected systems that an army of hackers is quickly turning to its advantage.

MyDoom, which began spreading on Monday, continues to show signs of slowing, according to some security analysts--but not all.

"We're still seeing a substantial number of MyDoom submissions [from customers]," said Eric Chien, chief researcher at Symantec's Security Response team. "The volume really hasn't gone down that much; it will take a few more days for it to taper off."

But Network Associates' Avert team says MyDoom isn't slowing down: on Thursday it raised its estimate of infected systems from the 100,000 to 200,000 it gave on Wednesday to 400,000 to 500,000.

MyDoom had broken records once held by Sobig to become the fastest-spreading worm ever, several security and messaging-filtering firms have said. The latest to award MyDoom the dubious distinction is the Finnish company F-Secure, which now estimates that 20% to 30% of all global E-mail traffic is composed of MyDoom mailings. In just three days, F-Secure said, MyDoom blew past Sobig to become the worst worm in virus history.

The widespread distribution of MyDoom will likely present problems for SCO and Microsoft, both of which are targeted by the worm and its MyDoom.b variant, discovered Wednesday, for denial-of-service attacks starting Feb. 1.

But the worm may also give average users major heartburn. That's because MyDoom creates a back door to infected systems by opening a listening TCP port, which attackers can then use to secretly install malicious code, including key loggers or Trojan horses. That malicious code could also allow access to the machine's hard drive, or make it perform other chores, such as spamming or conducting additional denial-of-service attacks, Symantec's Chien said.

"Hackers are actively looking for open machines to compromise," said Chien, who noted that Symantec's Threat Management System, a collection of network sensors deployed around the globe, has seen substantial scanning activity targeting port 3127, one of the ports that MyDoom's back door opens.

"They are targeting the back door on this port, which can allow them to upload new malicious code as well as use the infected system to launch further attacks and forward spam," the Threat Management System reported in an alert. Symantec has seen more than 2,000 unique sources scanning for this port. MyDoom's back door listens on a single TCP port in the range 3127 through 3198, taking the first one that is free (normally 3127), which is why scanners concentrate on that port.

"Systems infected with MyDoom are wide open to every kind of attack," said Chien. "All it takes is a medium level of technical proficiency on the part of a hacker" once scanning has identified a machine infected with the worm.

Attackers could upload key-logging software--used by identity thieves to uncover passwords and user names, credit-card information, E-mail account info, and other data typed on the system--install Trojan horses to turn the PC into a spamming proxy, or upload pirated applications and multimedia files to use the unsuspecting system as an illegal file server.

"There's no question that hackers are scanning for and connecting to and utilizing this back door," said Chien.

To compound the problem, MyDoom.b, a variant unleashed Wednesday, also scans for the original worm's open back-door port, said Chien, and when it finds an infected system, "copies itself over the original to 'upgrade' that machine." Fortunately, MyDoom.b seems to be spreading very slowly. Chien attributed that partly to luck--the original may have been seeded to a small number of computers with particularly large E-mail address files--and partly to the defenses that users had thrown up against MyDoom before MyDoom.b appeared.

The only silver lining in the potential assault by this army of hackers, and it may be only temporary, said Chien, is that automated tools for accessing this back door are not yet widespread on the Web.

To access the opening in a MyDoom-infected machine, said Chien, a hacker must not only sniff out the system by scanning, but also carefully compose the attack using MyDoom's protocol. "Parts of that protocol have been published on open mailing lists," he said, "but 'kiddies-scripts' aren't yet widely available." Kiddie scripts are ready-made tools that let even the clumsiest hacker exploit a compromised computer.

That may change, and quickly, if MyDoom follows the pattern of other big-time exploits such as last year's Slammer, and the openings left behind by earlier worms such as Nimda and Code Red, all of which were rapidly supported by tools that eliminated the need for an attacker to have a high level of technical expertise.

"Today, what hackers really want is access," said Chien. "They want to own machines for E-mailing spam, for storing pirated software, or just to have zombies available to them."

And with the open back doors provided by MyDoom, that's exactly what they're getting.

To protect networks and computers, security firms have recommended blocking inbound TCP ports 3127 through 3198 at the firewall. That keeps outside scanners away from the back door, but it does not disinfect machines that are already compromised, and it does nothing about scanning from hosts inside the same network.

Machines infected with the MyDoom worm can be cleansed by following a set of instructions on the Microsoft security Web site, or by downloading one of the many removal tools posted on the Internet.
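As an added example (not from the article and not Symantec's or Microsoft's code), here are the two checks an administrator would run against the activity described above: flagging sources that probe TCP 3127 through 3198 in perimeter firewall logs, as Symantec's sensors did, and probing a suspect host for a listener in that range before cleaning it. The log lines are constructed in the iptables syslog style and the addresses are documentation ranges, not real traffic; the function names are this example's own.

```python
"""Triage helpers for the MyDoom back door (example code, not from the article)."""
import re
import socket

# MyDoom listens on the first free TCP port in 3127..3198 (inclusive).
MYDOOM_PORTS = range(3127, 3199)

# Constructed sample firewall log (iptables DROP lines); not real traffic.
SAMPLE_LOG = """\
Jan 29 10:01:12 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=45211 DPT=3127
Jan 29 10:01:12 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=45212 DPT=3127
Jan 29 10:01:13 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=45213 DPT=3127
Jan 29 10:01:20 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=3128
Jan 29 10:02:05 fw kernel: DROP IN=eth0 SRC=198.51.100.44 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=443
Jan 29 10:02:09 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.13 PROTO=UDP SPT=53 DPT=3127
"""

# Pull source, destination, protocol and destination port out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def backdoor_scanners(log_text, min_targets=1):
    """Map each source that probed TCP 3127-3198 to the set of hosts it touched.

    Only TCP counts: the back door is a TCP listener, so a UDP packet to 3127
    is noise. min_targets lets you demand several distinct targets before
    calling a source a scanner rather than a one-off misfire.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) not in MYDOOM_PORTS:
            continue
        hits.setdefault(m["src"], set()).add(m["dst"])
    return {src: dsts for src, dsts in hits.items() if len(dsts) >= min_targets}


def find_backdoor_port(host, ports=MYDOOM_PORTS, timeout=0.5):
    """Return the first port in `ports` that accepts a TCP connection on host, or None.

    Run against a suspect machine from the same LAN: an infected host answers on
    3127 unless another program already held it, in which case the worm moved up
    the range. A connect is enough; nothing is sent over the back door.
    """
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port
            except OSError:
                continue
    return None


if __name__ == "__main__":
    for src, dsts in sorted(backdoor_scanners(SAMPLE_LOG, min_targets=2).items()):
        print(f"{src} probed {len(dsts)} hosts on the MyDoom back-door range")
```

On the constructed log, 203.0.113.5 is flagged as a scanner (three distinct targets on 3127), 192.0.2.77 shows a single probe of 3128, and the UDP and port-443 lines are ignored. A host where `find_backdoor_port` returns a port is a candidate for the cleanup steps above; a `None` result only says no listener answered within the timeout, not that the machine is clean.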
