
Hackers scanning for ports opened by Mydoom

By Edward Hurley, News Writer
28 Jan 2004 | SearchSecurity.com


Users are still dealing with inboxes crammed with copies of the Mydoom worm, but the greater danger lies in the ports the worm leaves exposed once a system is infected, experts said.

Hackers are scanning for the ports opened by Mydoom and would be able to upload any kind of executable code to infected systems, said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc. "All it takes is sending the right syntax and data to TCP ports [to exploit them]," he said.

The worm opens ports 3127 to 3198 on infected machines. Dunham suspects that future variants may include some sort of authentication for the ports, so that only the worm writer could access them. Or the creator may have a better verification system, so he knows when machines are infected -- so the worm can go and compromise the ports.
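For administrators checking their own hosts, the sketch below audits Windows `netstat -an` output for TCP listeners in the 3127 to 3198 range and for inbound connections to them. It is an added example, not part of the original article; the function name `audit_netstat` is hypothetical and the netstat sample is constructed.

```python
import re

BACKDOOR_PORTS = range(3127, 3199)  # 3127-3198 inclusive, the range named in the article

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3127        198.51.100.7:4021      ESTABLISHED
  TCP    192.0.2.10:3150        203.0.113.9:80         ESTABLISHED
  TCP    192.0.2.10:1042        203.0.113.9:25         ESTABLISHED
  UDP    0.0.0.0:3130           *:*
"""

# Only TCP rows are parsed: the article describes TCP ports.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def audit_netstat(text):
    """Return (listening_ports, inbound_peers) for TCP ports 3127-3198."""
    rows = [m.groups() for m in map(ROW.match, text.splitlines()) if m]
    listening = sorted({int(lport) for _, lport, _, _, state in rows
                        if state == "LISTENING" and int(lport) in BACKDOOR_PORTS})
    # A local port in the range with no listener behind it is most likely the
    # ephemeral source port of an outbound connection, so only connections to
    # a port that is also listening are reported as inbound.
    inbound = sorted({(rhost, int(lport)) for _, lport, rhost, _, state in rows
                      if state == "ESTABLISHED" and int(lport) in listening})
    return listening, inbound


if __name__ == "__main__":
    ports, peers = audit_netstat(SAMPLE_NETSTAT)
    print("listening in 3127-3198:", ports)
    for host, port in peers:
        print(f"inbound connection to port {port} from {host}")
```

A listener in this range is a reason to investigate the host, not proof of infection, since other software can bind the same ports.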

The danger posed by the open ports has been dwarfed by news of Mydoom's magnitude. Figuring out how many systems are actually infected with the worm is tricky. One infected machine can send out hundreds if not thousands of messages featuring copies of the worm. Also, Mydoom is adept at harvesting e-mail addresses from infected machines, and it randomly generates e-mail addresses. Many of the latter are invalid and get bounced back, which can help spread the worm even further.

Mydoom spoofs the sender address and mails itself using a self-contained SMTP engine. So if the recipient addresses are invalid, the messages get sent back to the spoofed sender, who may not be infected with the worm.

Administrators should have policies in place to turn off notification of invalid e-mail addresses during major worm outbreaks, Dunham said. In fact, Mydoom's creator may have intentionally created the worm so it would bog down mail systems.

So many copies of the worm were flying around that networks have slowed to a crawl. U.K.-based e-mail content filter MessageLabs Inc. found Mydoom in one of every 12 messages at the worm's peak. By contrast, Sobig-F, the most virulent worm of last year, topped out at one in every 28 messages.

For the first 24 hours of the outbreak, MessageLabs intercepted more than 1.2 million copies of Mydoom. It has captured 2.2 million copies overall. "When we first saw the worm, we knew it was going to be big, but not so big," said Paul Wood, MessageLabs' chief information security analyst.
