DNS worm strikes at Microsoft flaw

By Dennis Fisher, Executive Editor 17 Apr 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The DNS worm appeared on the Internet Monday, a few days after several different exploits for the vulnerability began circulating.

Microsoft issued an advisory about the isolated attacks Monday, but the appearance of the worm ups the ante and may put more pressure on Microsoft to release a patch for the flaw, which is in the server's Remote Procedure Call (RPC) implementation, outside of its monthly cycle. Company officials said they are monitoring the attacks and working "around the clock" on a patch for the problem.

The new worm, which Symantec Corp. is calling Rinbot.BC, scans for servers listening on TCP port 1025. When it finds a partner, it attempts to execute a specific kind of DNS query on the machine and exploit the DNS RPC flaw. If it's successful, Rinbot.BC then installs a copy of itself on the compromised machine and contacts a remote IRC server and joins a chat channel and awaits further instructions. The bot then begins scanning for other servers listening on port 1025 and begins the process all over again.

The DNS worm also can spread by exploiting two other vulnerabilities, one in Symantec's Client Security and another in the Windows Server Service, Symantec officials said.

The flaw in the Windows DNS Server Service first cam to light last week, and although Microsoft, of Redmond, Wash., has issued a security advisory about the problem and said it is working on a patch, it's unclear whether the company would release the fix before its next scheduled patch date, which is May 8.

The vulnerability is particularly troublesome because it affects DNS servers, which do the work of resolving domain names to the actual IP addresses of the Web servers hosting the requested sites. DNS servers have proved to be popular targets for attackers in the past, but security experts are cautioning that the Rinbot.BC worm appears to be a low-level threat at this point.

Microsoft has advised customers to implement one of the workarounds it suggests in its advisory on the DNS RPC vulnerability.

Tags: Malware, Viruses, Trojans and Spyware,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Web Server Threats and Countermeasures Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Web Application and Web 2.0 Threats Bit.ly boosts malware protection Hackers use Tiger Woods saga to conduct search attacks New Facebook worm propagates using sexy model Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary