Hackers still exploiting MyDoom as users find patching increasingly unmanageable

Symantec's latest internet security report, based on data gathered from its Deepsite sensor technology, has found that hackers...

Symantec's latest internet security report, based on data gathered from its Deepsite sensor technology, has found that hackers are targeting back doors such as those created by the MyDoom virus.

MyDoom wreaked havoc in February when it was used to launch denial of service attacks against Microsoft and SCO and create back doors into users' PCs. This allows hackers to revisit infected computers and cause further damage.

Symantec said that during the first quarter of 2004 attackers and new "blended threats" have been scanning networks to find the back doors contained in MyDoom.

The blended threats, such as Blaster, Welchiaa and Sobig.F - which combine the characteristics of viruses, worms, Trojan horses and malicious code with existing vulnerabilities to spread an attack - have already appeared in 54% of the top 10 submissions for the last six months of 2003, the research revealed.

The top TCP port target for hackers is not surprisingly port 80, which handles web traffic. Attacks on this port were reported by 59.6% of Symantec's sensors. But 59% of sensors reported that TCP/17,300 was targeted - a port Symantec said had previously seen little hacking activity.

Symantec said TCP/17,300 "hosted an old, out-of-date back door Trojan named Kuang2", and hackers were targeting it to find systems running this back door.

Threats to privacy and confidentiality showed the most rapid increase during the last six months of 2003, the report said, with a 148% growth in volume of malicious code submissions.

Almost 33% of all attacking systems targeted the vulnerability exploited by the Blaster worm and its successors, Symantec said. Although many worms appeared in August, enough unpatched systems remained to sustain them.

An average of 220 security vulnerabilities every month were identified between July and December 2003, of which an average of 99 were "high severity" and 70% of which were easy to exploit, according to Symantec.

The findings of the report highlighted growing concern among IT users that implementing every software patch released is becoming an impossible task.

Richard Archdeacon, technical services director at Symantec, said, "As the time between disclosure and exploitation of vulnerabilities continues to shrink, 'zero-day threats' that target vulnerabilities before they are known are imminent.

"Patch management continues to be critical, but companies are struggling to manage it themselves."

The problem is likely to get worse before it gets better, Archdeacon warned. "Attackers require no specialised knowledge to gain unauthorised access to a network when vulnerabilities are easy to exploit," he said.

Backdoor access for hackers       

 Port number  What it attacks  % of Symantec
 sensors reporting attacks
 TCP 80  Web traffic  59.6%
 TCP 17,300  Kuang2 back door  59.0% 
 TCP 445  Microsoft Cifs file sharing  57.7% 
 TCP 27,374  Sunseven back door  51.7% 
 TCP 1,433  Microsoft SQL Server  51.3% 
 TCP 21  FTP  50.4%

Key findings   

Blended threats increasingly target back doors left by other attackers and worms  

Financial services, healthcare and energy sectors were the hardest hit by severe attacks  

2,636 new vulnerabilities were identified by Symantec last year  

70% of new vulnerabilities are easily exploited, requiring no code and providing an opportunity for attackers to gain access to critical systems more easily.

Read more on IT strategy