April 17, 2007 (Computerworld) -- Security researchers late yesterday spotted botworms exploiting a zero-day bug in Microsoft Corp.'s Windows DNS Server Service, confirming suspicions earlier in the day that hackers were sniffing out vulnerable systems.
McAfee Inc.'s Avert Labs was the first to report that a new Nirbot variant -- the worm also goes by the name Rinbot -- was trying to exploit the DNS vulnerability in the wild. In a blog entry yesterday afternoon, virus research manager Craig Schmugar said the botworm was an "internet relay chat [IRC] controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer." Later Monday, McAfee announced it had found a second Nirbot/Rinbot variant exploiting the bug.
According to McAfee's analysis, the new Nirbot botworms scan for vulnerable servers, then use multiple exploits -- including the unpatched DNS flaw -- in an attempt to hijack the machine.
Earlier yesterday, Symantec Corp. warned of an extraordinary spike in scans for TCP and UDP Port 1025, the first available port used by Windows's RPC (Remote Procedure Call) protocol. The bug in Windows 2000 Server and Windows Server 2003 that Microsoft disclosed last week can be exploited by sending a malicious RPC packet via Port 1025 or higher. Yesterday evening, Symantec confirmed that the source of the increased Port 1025 activity was the Nirbot/Rinbot, and like McAfee, posted an initial analysis of the worm.
The SANS Institute's Internet Storm Center added its voice to the chorus. "We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp," said analyst Maarten Van Horenbeeck. "Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability."
----------------------------------
I can only assume that Microsoft would do everything in its power to get a patch out as soon as possible, given the current internet threats. Forget about patch cycles... test, test, test and release.
No comments:
Post a Comment