Symantec's latest internet security report, based on
data gathered from its DeepSight sensor network, has found that
hackers are targeting back doors such as those created by the
MyDoom worm.
MyDoom wreaked havoc in February, launching denial of service
attacks against Microsoft and SCO and opening back doors on the PCs it
infected. Those back doors let attackers return to infected computers
later and cause further damage.
Symantec said that during the first quarter of 2004 attackers and
new "blended threats" have been scanning networks to find the back
doors contained in MyDoom.
Blended threats, such as Blaster, Welchia and Sobig.F - which
combine the characteristics of viruses, worms, Trojan horses and
other malicious code with existing vulnerabilities to spread an attack -
already accounted for 54% of the top 10 submissions for the last
six months of 2003, the research revealed.
The top TCP port targeted by hackers is, not surprisingly, port 80,
which carries web traffic. Attacks on this port were reported by
59.6% of Symantec's sensors. But 59% of sensors also reported that
TCP port 17300 was targeted - a port Symantec said had previously seen
little hacking activity.
Symantec said TCP 17300 "hosted an old, out-of-date back door
Trojan named Kuang2", and hackers were scanning for it to find systems
still running that back door.
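As an added illustration, not Symantec's own code or data, the following Python script computes the kind of per-port statistic the report's table presents: for each destination port, the percentage of distinct sensors that logged at least one inbound TCP SYN to it. It then picks out sources that probed a known back-door port across several sensors, the sweeping behaviour described above. The log line format, sensor names and IP addresses are constructed for the example; the port-to-Trojan mapping (17300 for Kuang2, 27374 for SubSeven) is the one given in the article's table.

```python
import re
from collections import defaultdict

# Ports the article's table associates with back-door Trojans.
BACKDOOR_PORTS = {17300: "Kuang2", 27374: "SubSeven"}

# Assumed log format (an assumption for this example, not a real sensor format):
#   <sensor-id> <src-ip> -> <dst-ip>:<dst-port>/tcp SYN
LINE_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})/tcp\s+SYN$"
)

# Constructed sample: four sensors, one source sweeping TCP 17300 across
# three of them, plus ordinary probes of web, CIFS, SQL Server and FTP ports.
SAMPLE_LOG = """\
sensor-a 198.51.100.7 -> 192.0.2.10:80/tcp SYN
sensor-a 198.51.100.7 -> 192.0.2.10:17300/tcp SYN
sensor-a 203.0.113.9 -> 192.0.2.10:27374/tcp SYN
sensor-b 198.51.100.7 -> 192.0.2.20:17300/tcp SYN
sensor-b 203.0.113.9 -> 192.0.2.20:445/tcp SYN
sensor-c 198.51.100.7 -> 192.0.2.30:80/tcp SYN
sensor-c 198.51.100.7 -> 192.0.2.30:17300/tcp SYN
sensor-d 203.0.113.9 -> 192.0.2.40:1433/tcp SYN
sensor-d 198.51.100.8 -> 192.0.2.40:21/tcp SYN
this line is malformed and is skipped by the parser
"""


def parse_log(text):
    """Yield (sensor, src_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["sensor"], m["src"], int(m["dport"])


def port_coverage(records):
    """Percentage of distinct sensors that saw at least one SYN to each port.

    This is the statistic in the article's table: a port counts once per
    sensor no matter how many probes that sensor logged.
    """
    sensors = set()
    per_port = defaultdict(set)
    for sensor, _src, dport in records:
        sensors.add(sensor)
        per_port[dport].add(sensor)
    if not sensors:
        return {}
    return {port: round(100.0 * len(seen) / len(sensors), 1)
            for port, seen in per_port.items()}


def top_ports(coverage, n=6):
    """Ports ranked by sensor coverage, highest first (ties by port number)."""
    return sorted(coverage.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def backdoor_sweeps(records, min_sensors=2):
    """Sources that probed a known back-door port on at least `min_sensors` sensors.

    Returns [(src_ip, backdoor_name, sensor_count)] sorted by count, highest
    first. A source hitting the same Trojan port across many sensors is
    sweeping for already-compromised hosts rather than attacking one target.
    """
    hits = defaultdict(set)  # (src, name) -> set of sensors that saw it
    for sensor, src, dport in records:
        name = BACKDOOR_PORTS.get(dport)
        if name:
            hits[(src, name)].add(sensor)
    result = [(src, name, len(seen)) for (src, name), seen in hits.items()
              if len(seen) >= min_sensors]
    return sorted(result, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    coverage = port_coverage(parse_log(SAMPLE_LOG))
    for port, pct in top_ports(coverage):
        tag = BACKDOOR_PORTS.get(port, "")
        print(f"TCP {port:<6} {pct:5.1f}% of sensors  {tag}")
    for src, name, count in backdoor_sweeps(parse_log(SAMPLE_LOG)):
        print(f"{src} swept for {name} across {count} sensors")
```

On the constructed sample, TCP 17300 is seen by three of four sensors (75%) even though only one source is responsible, which is exactly why a per-sensor percentage can put an obscure Trojan port next to port 80 in a ranking: the metric measures breadth of scanning, not volume of attacks. Raising `min_sensors` trades missed low-rate sweeps for fewer false alarms from a single opportunistic probe.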
Threats to privacy and confidentiality showed the most rapid
increase during the last six months of 2003, the report said, with
a 148% growth in volume of malicious code submissions.
Almost 33% of all attacking systems targeted the vulnerability
exploited by the Blaster worm and its successors, Symantec said.
Although these worms first appeared in August 2003, enough unpatched
systems remained at the end of the year to sustain them.
An average of 220 new security vulnerabilities a month were
identified between July and December 2003. On average 99 a month
were rated "high severity", and 70% of all of them were easy to
exploit, according to Symantec.
The findings of the report highlighted growing concern among IT
users that implementing every software patch released is becoming
an impossible task.
Richard Archdeacon, technical services director at Symantec, said,
"As the time between disclosure and exploitation of vulnerabilities
continues to shrink, 'zero-day threats' that target vulnerabilities
before they are known are imminent.
"Patch management continues to be critical, but companies are
struggling to manage it themselves."
The problem is likely to get worse before it gets better,
Archdeacon warned. "Attackers require no specialised knowledge to
gain unauthorised access to a network when vulnerabilities are easy
to exploit," he said.
Backdoor access for hackers
| Port number | Service or back door on that port | % of Symantec sensors reporting attacks |
|---|---|---|
| TCP 80 | Web traffic | 59.6% |
| TCP 17300 | Kuang2 back door | 59.0% |
| TCP 445 | Microsoft CIFS file sharing | 57.7% |
| TCP 27374 | SubSeven back door | 51.7% |
| TCP 1433 | Microsoft SQL Server | 51.3% |
| TCP 21 | FTP | 50.4% |
Key findings
Blended threats increasingly target back doors left by other
attackers and worms
Financial services, healthcare and energy sectors were the
hardest hit by severe attacks
2,636 new vulnerabilities were identified by Symantec last
year
70% of new vulnerabilities are easily exploited, requiring no
exploit code to be written, which makes it easier for attackers to
gain access to critical systems.