Hackers capitalizing on Mydoom's success

A back door to computer systems opened by the Mydoom e-mail worm is turning into a bonanza for thousands of hackers, who are scanning the Internet furiously for systems infected by Mydoom, antivirus experts said Wednesday.

The opening in the defenses of infected computers could allow malicious hackers to secretly install a Trojan horse program, keylogging software or simply peruse files on infected systems, and may make cleanup after Mydoom difficult, according to interviews with the experts.

Mydoom, which first appeared on Monday, is still spreading on the Internet and is believed to have infected between 100,000 and 300,000 systems worldwide, according to Craig Schmugar, virus research manager at the McAfee antivirus division of Network Associates, Inc. (NAI).

"Mydoom is still going strong, we're not seeing any signs of it slowing down," he said Wednesday.

One large corporate customer reported receiving 160,000 Mydoom-infected e-mails an hour Wednesday, he said.

McAfee researchers and those at other antivirus companies have also spotted another Mydoom trend: thousands of computers scanning for a range of TCP (Transmission Control Protocol) ports opened by the worm.

Those open ports, which range between number 3127 and 3198, are open doors for malicious hackers, said Oliver Friedrichs, senior manager of Symantec Security Response at Symantec Corp.

Attackers just have to connect to the open port and upload spyware or other malicious programs, he said.

"This could mean there are a bunch of attackers out there looking for machines to compromise," NAI's Schmugar said.

Symantec counted 2,100 unique systems scanning for the Mydoom back door Wednesday, Friedrichs said.

NAI puts the number at 2,500 systems and says that as many as 7,500 infected systems may have been targeted since late Tuesday, when researchers first noticed the behavior, Schmugar said.

Removing Mydoom will close the backdoor, removing the threat, Friedrichs said.

However, if a malicious hacker gets to an infected system first, cleanup is more complicated, according to experts.

Many antivirus programs can spot common Trojan horse and keylogging software, but might not detect every program, Friedrichs said.

Owners of infected systems would need specialized software that just looks for such programs, he said.

"This could turn into a big mess," he said.

While that is possible, most Internet users will be well-served with an up-to-date antivirus package and an Internet firewall, which can spot Trojan activity on an infected system, said Richard Smith, an independent computer security consultant in Boston.

Also, some of the scanning may come from system administrators who are trying to spot infected machines so they can disinfect them, Schmugar said.

The Internet community should be more worried about the hundreds of thousands of Mydoom-infected computers that are now at the beck and call of the Mydoom author, Smith said.

"Anything more than 50,000 systems is scary," he said. "The author knows where the systems are and he can easily upload software to them."

The Mydoom-B variant that appeared Wednesday included features for cutting off access to antivirus Web sites and may be an effort to further groom the population of infected machines, he said

A zombie network that large could be used to distribute spam, viruses or Internet scams, he said.

"Whoever is behind (Mydoom) could cause a lot of mischief," he said.