DNS worm strikes at Microsoft flaw

By Dennis Fisher, Executive Editor 17 Apr 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The DNS worm appeared on the Internet Monday, a few days after several different exploits for the vulnerability began circulating.

Microsoft issued an advisory about the isolated attacks Monday, but the appearance of the worm ups the ante and may put more pressure on Microsoft to release a patch for the flaw, which is in the server's Remote Procedure Call (RPC) implementation, outside of its monthly cycle. Company officials said they are monitoring the attacks and working "around the clock" on a patch for the problem.

The new worm, which Symantec Corp. is calling Rinbot.BC, scans for servers listening on TCP port 1025. When it finds a partner, it attempts to execute a specific kind of DNS query on the machine and exploit the DNS RPC flaw. If it's successful, Rinbot.BC then installs a copy of itself on the compromised machine and contacts a remote IRC server and joins a chat channel and awaits further instructions. The bot then begins scanning for other servers listening on port 1025 and begins the process all over again.

The DNS worm also can spread by exploiting two other vulnerabilities, one in Symantec's Client Security and another in the Windows Server Service, Symantec officials said.

The flaw in the Windows DNS Server Service first cam to light last week, and although Microsoft, of Redmond, Wash., has issued a security advisory about the problem and said it is working on a patch, it's unclear whether the company would release the fix before its next scheduled patch date, which is May 8.

The vulnerability is particularly troublesome because it affects DNS servers, which do the work of resolving domain names to the actual IP addresses of the Web servers hosting the requested sites. DNS servers have proved to be popular targets for attackers in the past, but security experts are cautioning that the Rinbot.BC worm appears to be a low-level threat at this point.

Microsoft has advised customers to implement one of the workarounds it suggests in its advisory on the DNS RPC vulnerability.

Tags: Malware, Viruses, Trojans and Spyware,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware How to get rid of malware, botnets on a hospital IT network Should a national cybersecurity strategy include offensive botnets? How to prevent mobile phone spying How can search results lead to malware? How to defend against rogue DHCP server malware New Trojan stealing FTP credentials, attacking FTP websites Cybercriminals exploit Michael Jackson, Farrah Fawcett deaths When BIOS updates become malware attacks Antispyware buying guide for Indian enterprises PCI compliance requirement 5: Antivirus Web Server Threats and Countermeasures Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security How to harden Linux operating systems How to clear out anonymous Web proxy servers in the workplace Information security book excerpts and reviews Is it more secure to have a mainframe or a collection of servers? How does a Web server model differ from an application server model? Web Application and Web 2.0 Threats nCircle statistics show rising Web application vulnerabilities Twitter risks, Facebook threats trouble security pros Twitter bugs, DNSSEC and broswer security Twitter vulnerability project highlights Bit.ly flaws Security researchers develop browser-based darknet Month of Twitter Bugs project to document Twitter flaws Microsoft cracks down on click fraud ring Cloud security begins with infrastructure assessment RSA council addresses growing security risks in the cloud IT pros can detect, prevent website vulnerabilities, thwart attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Zotob  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary