There is a new worm circulating that attempts to exploit the recently identified vulnerability in Microsoft’s DNS Server Service. The worm is a variant of Rinbot and scans for machines listening on TCP port 1025, according to the SANS Internet Storm Center. Once the worm makes a connection, it attempts to make a DNSServQuery to exploit the DNS RPC flaw. The ISC staff reports that few of the antivirus vendors are having any luck detecting the worm right now, but McAfee has a short analysis of the new worm. Most other AV vendors are identifying it as a backdoor or simply as a suspicious file. Microsoft Security Response Center officials said on Monday that they were seeing some limited attacks against the vulnerability as well, but it’s not clear whether those are attributable to this new worm.
Security experts have said that the DNS RPC vulnerability is quite serious, and one of the reasons for that assessment is the possibility of a worm being written to exploit it. SANS is recommending that IT staff implement one of the workarounds for the DNS RPC flaw listed in Microsoft’s advisory.
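A defensive check for the scanning behaviour described in the first paragraph, as an added example that is not from the ISC, McAfee or Microsoft: it flags any source that sends TCP SYNs to port 1025 on many distinct hosts within a short window. The log format, window length, threshold and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCAN_PORT = 1025                 # port the worm probes, per the ISC report
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed: distinct targets before alerting

# Assumed (constructed) firewall log format, one inbound SYN per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=SYN$")

def _line(ts, src, dst, dpt):
    return f"{ts} SRC={src} DST={dst} PROTO=TCP DPT={dpt} FLAGS=SYN"

# Constructed sample data (documentation address ranges, arbitrary date).
SAMPLE_LOG = (
    # fast sweep: six hosts on 1025 in six seconds
    [_line(f"2000-01-01T10:00:0{i}", "198.51.100.23", f"10.0.0.{i}", 1025) for i in range(1, 7)]
    # one client reconnecting to a single server on 1025: not a sweep
    + [_line(f"2000-01-01T10:01:0{i}", "10.0.0.50", "10.0.0.9", 1025) for i in range(1, 7)]
    # five hosts on 1025, but two minutes apart: only a wider window sees it
    + [_line(f"2000-01-01T10:{10 + 2 * i}:00", "192.0.2.77", f"10.0.1.{i}", 1025) for i in range(5)]
    # sweep of a different port: out of scope for this check
    + [_line(f"2000-01-01T10:30:0{i}", "203.0.113.9", f"10.0.2.{i}", 445) for i in range(1, 7)]
)

def find_scanners(lines, port=SCAN_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {source: time of first alert} for sources that sent SYNs to
    `port` on at least `threshold` distinct hosts within `window`.
    Lines must be in time order; unparseable lines are skipped."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) pairs in window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dpt"]) != port:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, m["dst"]))
        while ts - q[0][0] > window:      # drop probes older than the window
            q.popleft()
        if m["src"] not in alerts and len({dst for _, dst in q}) >= threshold:
            alerts[m["src"]] = ts
    return alerts

if __name__ == "__main__":
    for src, when in find_scanners(SAMPLE_LOG).items():
        print(f"{when.isoformat()} possible TCP/{SCAN_PORT} sweep from {src}")
```

Counting distinct destinations rather than raw connections keeps a busy legitimate client from alerting, and the short window means a slow sweep needs a second pass with a longer `window`.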