Hackers still exploiting MyDoom as users find patching increasingly unmanageable

Symantec's latest internet security report, based on data gathered from its Deepsite sensor technology, has found that hackers...

Daniel Thomas

Symantec's latest internet security report, based on data gathered from its Deepsite sensor technology, has found that hackers are targeting back doors such as those created by the MyDoom virus.

MyDoom wreaked havoc in February when it was used to launch denial of service attacks against Microsoft and SCO and create back doors into users' PCs. This allows hackers to revisit infected computers and cause further damage.

Symantec said that during the first quarter of 2004 attackers and new "blended threats" have been scanning networks to find the back doors contained in MyDoom.

The blended threats, such as Blaster, Welchiaa and Sobig.F - which combine the characteristics of viruses, worms, Trojan horses and malicious code with existing vulnerabilities to spread an attack - have already appeared in 54% of the top 10 submissions for the last six months of 2003, the research revealed.

The top TCP port target for hackers is not surprisingly port 80, which handles web traffic. Attacks on this port were reported by 59.6% of Symantec's sensors. But 59% of sensors reported that TCP/17,300 was targeted - a port Symantec said had previously seen little hacking activity.

Symantec said TCP/17,300 "hosted an old, out-of-date back door Trojan named Kuang2", and hackers were targeting it to find systems running this back door.

Threats to privacy and confidentiality showed the most rapid increase during the last six months of 2003, the report said, with a 148% growth in volume of malicious code submissions.

Almost 33% of all attacking systems targeted the vulnerability exploited by the Blaster worm and its successors, Symantec said. Although many worms appeared in August, enough unpatched systems remained to sustain them.

An average of 220 security vulnerabilities every month were identified between July and December 2003, of which an average of 99 were "high severity" and 70% of which were easy to exploit, according to Symantec.

The findings of the report highlighted growing concern among IT users that implementing every software patch released is becoming an impossible task.

Richard Archdeacon, technical services director at Symantec, said, "As the time between disclosure and exploitation of vulnerabilities continues to shrink, 'zero-day threats' that target vulnerabilities before they are known are imminent.

"Patch management continues to be critical, but companies are struggling to manage it themselves."

The problem is likely to get worse before it gets better, Archdeacon warned. "Attackers require no specialised knowledge to gain unauthorised access to a network when vulnerabilities are easy to exploit," he said.

Download this free guide

Infographic: Future-proofing UK technology

The current potential of the UK technology industry is restricted by the lack of tech and digital talent available. Read through this challenge for the future of UK business and our economy.

Backdoor access for hackers

Port number	What it attacks	% of Symantec sensors reporting attacks
TCP 80	Web traffic	59.6%
TCP 17,300	Kuang2 back door	59.0%
TCP 445	Microsoft Cifs file sharing	57.7%
TCP 27,374	Sunseven back door	51.7%
TCP 1,433	Microsoft SQL Server	51.3%
TCP 21	FTP	50.4%

Key findings

Blended threats increasingly target back doors left by other attackers and worms

Financial services, healthcare and energy sectors were the hardest hit by severe attacks

2,636 new vulnerabilities were identified by Symantec last year

70% of new vulnerabilities are easily exploited, requiring no code and providing an opportunity for attackers to gain access to critical systems more easily.

This was last published in March 2004

Read more on IT strategy

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.