"I would guess that the majority of those systems are already [compromised] or will be shortly, because it is so easy to do. And that will make a nice big botnet," says Chris Wysopal, CTO at Veracode, an application security testing company.
Rapid7 scanned more than 81 million Internet addresses over the weekend -- about 2.3 percent of the addressable space. Of those addresses, more than 176,000 had an open port that matched the port addresses used by pcAnywhere. The vast majority of those hosts, however, did not respond to requests: almost 3,300 responded to a probe using the transmission control protocol (TCP), and another 3,700 responded to a similar request using the user datagram protocol (UDP). Combined, 4,547 hosts responded to one of the two probes.
Extrapolating to the entire addressable Internet, the scanned sample set suggests that nearly 200,000 hosts could be contacted by either a TCP or UDP probe, and more than 140,000 hosts could be attacked using TCP. More than 7.6 million systems may be listening on either of the two ports used by pcAnywhere, according to Moore's research.
Rapid7's scanning is a tactic taken from the attackers' playbook. Malicious actors frequently scan the Internet to keep track of vulnerable hosts, says Veracode's Wysopal.
"pcAnywhere is known to be a risk and is scanned for constantly, so when a vulnerability comes out, attackers know where to go," he says.
In its advisory last week, Symantec made a similar warning: Attackers could scan for and attack computers running pcAnywhere if they were connected directly to the Internet. Symantec initially recommended that customers disable pcAnywhere until patches arrived, which happened on Monday for the latest version of the software, pcAnywhere 12.5, and Friday for two previous versions.
The company released a white paper with recommendations for securing pcAnywhere installations. Companies need to update to the latest version of the software, pcAnywhere 12.5, and apply the patch. The host computer should not be connected directly to the Internet, but be protected by a firewall set to block the default pcAnywhere ports: 5631 and 5632.
In addition, companies should not use the default pcAnywhere Access server, Symantec stated. Instead, they should use VPNs to connect to the local network and then access the host.
"To limit risk from external sources, customers should disable or remove Access Server and use remote sessions via secure VPN tunnels," the company says.
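The scanning behaviour described above (sweeps of pcAnywhere's default ports TCP 5631 and UDP 5632) and Symantec's guidance that only LAN or VPN traffic should reach a host suggest a simple detection a defender can run over firewall logs. The following is an added example, not code from the article, Rapid7 or Symantec; the iptables-style log format, the 10.0.0.0/8 trusted LAN/VPN range and the sample lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# pcAnywhere defaults named in the article: TCP 5631 and UDP 5632.
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}
# Assumed LAN/VPN range: traffic from here is the path Symantec recommends.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log lines in a simplified iptables/syslog style (hypothetical format).
SAMPLE_LOG = """\
Jan 30 02:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.10 PROTO=UDP SPT=40001 DPT=5632
Jan 30 02:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.11 PROTO=UDP SPT=40001 DPT=5632
Jan 30 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.12 PROTO=TCP SPT=40002 DPT=5631
Jan 30 02:15:10 fw kernel: IN=eth0 SRC=198.51.100.4 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443
Jan 30 02:16:33 fw kernel: IN=tun0 SRC=10.8.0.5 DST=10.0.0.10 PROTO=TCP SPT=52000 DPT=5631
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def parse_line(line):
    """Extract (src, dst, proto, dport) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.lower(), int(dport)

def is_trusted(src):
    """True when the source address sits inside the assumed LAN/VPN range."""
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)

def pcanywhere_probes(log_text):
    """Map each untrusted source to the set of hosts it touched on a pcAnywhere port."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if (proto, dport) in PCANYWHERE_PORTS and not is_trusted(src):
            hits[src].add(dst)
    return dict(hits)

def likely_scanners(log_text, min_targets=2):
    """Untrusted sources that hit pcAnywhere ports on several hosts: the sweep
    pattern the article describes, as opposed to a single remote login."""
    probes = pcanywhere_probes(log_text)
    return sorted(src for src, targets in probes.items() if len(targets) >= min_targets)
```

Calling `likely_scanners(SAMPLE_LOG)` on the constructed lines reports only the external source that swept three hosts; the VPN login from 10.8.0.5 and the unrelated HTTPS connection are ignored.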
In many cases, pcAnywhere users are small-business people who outsource support of their systems. A small percentage of systems that responded to Moore's scans included "POS" as part of the system name, suggesting that point-of-sale systems are a common application of pcAnywhere. About 2.6 percent of the approximately 2,000 pcAnywhere hosts whose names could be obtained had some variant of "POS" in the label.
"The point-of-sale environment is terrible in terms of security," Moore says. "It is surprising that it is a large concentration."
This story, "Many pcAnywhere systems still sitting ducks," was originally published at InfoWorld.com.