A back door to computer systems opened by the Mydoom e-mail worm is turning into a bonanza for thousands of hackers, who are scanning the Internet furiously for systems infected by Mydoom, antivirus experts say.
The opening in the defenses of infected computers could allow malicious hackers to secretly install a Trojan horse program or keystroke-logging software, or simply to peruse files on infected systems. It may make cleaning up after Mydoom difficult, say the experts.
Mydoom, which first appeared Monday, is still spreading online and is believed to have infected between 100,000 and 300,000 systems worldwide, according to Craig Schmugar, virus research manager at the McAfee antivirus division of Network Associates.
"Mydoom is still going strong; we're not seeing any signs of it slowing down," Schmugar says.
One large corporate customer reported receiving 160,000 Mydoom-infected e-mail messages in an hour, he says.
McAfee researchers and those at other antivirus companies have also spotted another Mydoom trend: thousands of computers scanning for a range of Transmission Control Protocol (TCP) ports opened by the worm.
Those open ports, which range between number 3127 and 3198, are open doors for malicious hackers, says Oliver Friedrichs, senior manager of Symantec Security Response at Symantec.
Attackers just have to connect to the open port and upload spyware or other malicious programs, he says.
"This could mean there are a bunch of attackers out there looking for machines to compromise," NAI's Schmugar says.
Symantec counted 2100 unique systems scanning for the Mydoom back door Wednesday, Friedrichs says.
Network Associates puts the number at 2500 systems and says that as many as 7500 infected systems may have been targeted since late Tuesday, when researchers first noticed the behavior, Schmugar says.
Protecting Your PC
Removing Mydoom will close the back door, removing the threat, Friedrichs says. All the major antivirus vendors have updated their virus definitions to identify and protect against the fast-moving worm, which is also called Novarg and Mimail.R.
However, if a malicious hacker gets to an infected system first, cleanup is more complicated.
Many antivirus programs can spot common Trojan horse and keystroke-logging software, but they might not detect every program, Friedrichs says.
Owners of infected systems would need specialized software that looks just for such programs, he adds. "This could turn into a big mess," he says.
Most Internet users will be well served with an up-to-date antivirus package and an Internet firewall, which can spot Trojan activity on an infected system, says Richard Smith, an independent computer security consultant in Boston.
Also, some of the scanning may be by system administrators trying to spot infected machines so they can disinfect them, Schmugar notes.
Next: Mass Attack?
The Internet community should be more worried about the hundreds of thousands of Mydoom-infected computers that are now at the beck and call of the Mydoom author, Smith says.
Mydoom apparently plants information on a system so it can be recruited into an organized distributed denial-of-service attack on one or more servers. Apparently some of them are being rallied for an attack on corporate servers of SCO, a software company that has angered the open-source community with recent lawsuits.
"Anything more than 50,000 systems is scary," Smith says. "The author knows where the systems are and he can easily upload software to them."
The Mydoom-B variant that has appeared includes features to cut off access to antivirus Web sites and may be an effort to further groom the population of infected machines, Smith adds. It may be targeting Microsoft.
A zombie network that large could be used to distribute spam, viruses, or Internet scams, he says.
"Whoever is behind [Mydoom] could cause a lot of mischief," he says.