Home > Security News > DNS worm strikes at Microsoft flaw
Security News:
EMAIL THIS LICENSING & REPRINTS

DNS worm strikes at Microsoft flaw

By Dennis Fisher, Executive Editor
17 Apr 2007 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

While crackers continue to attack the unpatched vulnerability in Microsoft Corp.'s DNS Server Service, a new worm also is exploiting the flaw. The new DNS worm is a variant of the Rinbot worm, which installs an IRC bot on infected machines and goes about the business of scanning for other vulnerable servers.

The DNS worm appeared on the Internet Monday, a few days after several different exploits for the vulnerability began circulating.

Microsoft issued an advisory about the isolated attacks Monday, but the appearance of the worm ups the ante and may put more pressure on Microsoft to release a patch for the flaw, which is in the server's Remote Procedure Call (RPC) implementation, outside of its monthly cycle. Company officials said they are monitoring the attacks and working "around the clock" on a patch for the problem.

The new worm, which Symantec Corp. is calling Rinbot.BC, scans for servers listening on TCP port 1025. When it finds a partner, it attempts to execute a specific kind of DNS query on the machine and exploit the DNS RPC flaw. If it's successful, Rinbot.BC then installs a copy of itself on the compromised machine and contacts a remote IRC server and joins a chat channel and awaits further instructions. The bot then begins scanning for other servers listening on port 1025 and begins the process all over again.

The DNS worm also can spread by exploiting two other vulnerabilities, one in Symantec's Client Security and another in the Windows Server Service, Symantec officials said.

The flaw in the Windows DNS Server Service first cam to light last week, and although Microsoft, of Redmond, Wash., has issued a security advisory about the problem and said it is working on a patch, it's unclear whether the company would release the fix before its next scheduled patch date, which is May 8.

The vulnerability is particularly troublesome because it affects DNS servers, which do the work of resolving domain names to the actual IP addresses of the Web servers hosting the requested sites. DNS servers have proved to be popular targets for attackers in the past, but security experts are cautioning that the Rinbot.BC worm appears to be a low-level threat at this point.

Microsoft has advised customers to implement one of the workarounds it suggests in its advisory on the DNS RPC vulnerability.

Sound Off! -   Be the first to post a message to Sound Off!


Tags: Viruses, Worms and Other MalwareIIS SecurityApache SecurityVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts