Worms exploiting Windows DNS flaw

Posted by   Virus Bulletin on   Apr 18, 2007

Zero-day vulnerability quickly used to transmit attacks.

The zero-day vulnerability in Microsoft's DNS server service, reported last week just after the release of the monthly 'Patch Tuesday' security updates, has rapidly been incorporated into at least two variants of a worm that is spreading in the wild via the flaw.

Exploits began to emerge, and were made publicly available, within days of the vulnerability being unveiled, amid suggestions that the vulnerability had been 'saved up' until after the Patch Tuesday release to give attackers the maximum possible window of opportunity to make use of the flaw before a fix is likely to be released.

The worms, variants of Rinbot/Nirbot/Dolebot, use maliciously crafted RPC packets to exploit the vulnerability and gain access to vulnerable machines, adding them to a network of zombies used for spreading the infection further and for other nefarious purposes. Several sources have reported increased activity on port 1025, the port used by the worm, as infected machines probe for more vulnerable victims. Server admins are advised to block access to this port if possible, or to apply one of the other workarounds recommended by Microsoft in the original advisory, here.
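The probing described above leaves a recognisable footprint in perimeter logs: one internal host opening connections to many distinct peers on the same port in quick succession. The script below is an added example (not code from Virus Bulletin, Microsoft or the referenced vendors) that flags such hosts. The log line format, the addresses and the threshold are all constructed assumptions for the example; it counts destination port 1025 only, so a host that merely happens to use 1025 as a source port is not flagged.

```python
"""Flag internal hosts that contact many distinct peers on TCP 1025,
the port the post reports the Rinbot/Nirbot/Dolebot variants use when
scanning for further victims.

Added example, not code from the original post or from any vendor it
cites. The firewall log format, addresses and threshold are assumed."""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed format:
# <time> fw: proto=<proto> src=<ip>:<port> dst=<ip>:<port> action=<act>
SAMPLE_LOG = """\
2007-04-18T10:01:02 fw: proto=TCP src=10.0.5.23:3412 dst=10.0.7.10:1025 action=ALLOW
2007-04-18T10:01:02 fw: proto=TCP src=10.0.5.23:3413 dst=10.0.7.11:1025 action=ALLOW
2007-04-18T10:01:03 fw: proto=TCP src=10.0.5.23:3414 dst=10.0.7.12:1025 action=DROP
2007-04-18T10:01:03 fw: proto=TCP src=10.0.5.23:3415 dst=10.0.7.13:1025 action=DROP
2007-04-18T10:01:04 fw: proto=TCP src=10.0.5.23:3416 dst=10.0.7.14:1025 action=DROP
2007-04-18T10:01:04 fw: proto=TCP src=10.0.5.23:3417 dst=10.0.7.15:1025 action=DROP
2007-04-18T10:01:05 fw: proto=TCP src=10.0.5.23:3418 dst=10.0.7.16:1025 action=DROP
2007-04-18T10:01:06 fw: proto=TCP src=10.0.5.40:51002 dst=10.0.7.10:1025 action=ALLOW
2007-04-18T10:01:07 fw: proto=TCP src=10.0.5.40:51003 dst=10.0.7.10:1025 action=ALLOW
2007-04-18T10:01:08 fw: proto=TCP src=10.0.5.41:40021 dst=10.0.7.10:445 action=ALLOW
2007-04-18T10:01:09 fw: proto=UDP src=10.0.5.42:1025 dst=10.0.7.10:53 action=ALLOW
"""

# Regex for the assumed log format; named groups keep the fields readable.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Return a dict of the connection fields, or None for unparseable lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(log_text, port=1025, min_targets=5):
    """Map each source IP to the sorted distinct destination IPs it contacted
    on TCP `port`, keeping only sources with at least `min_targets` peers.

    Only the destination port is matched, so a host using `port` as an
    ephemeral source port (e.g. a DNS query from 1025 to 53) is ignored.
    Dropped and allowed attempts both count: a scan is a scan whether or
    not the perimeter let it through."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} contacted {len(dsts)} distinct hosts on TCP 1025: {dsts}")
```

Run against the embedded sample, only 10.0.5.23 is reported: it touched seven different hosts on 1025, while 10.0.5.40 reconnected to a single peer and the UDP line uses 1025 as a source port. Tune `min_targets` to the size of the segment being watched, and feed the function a real log export in place of the constructed sample.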

'As this vulnerability only affects server platforms, usually managed by more experienced administrators, one would hope that these worms will only have limited impact,' said John Hawes, Technical Consultant at Virus Bulletin. 'However, it is a clear demonstration of the speed with which malware writers can take advantage of new attack vectors, and a reminder of the need to keep a close eye on security news and to maintain a tight approach to security, combining quality security software with a rigorous system of patching and blocking new vulnerabilities.'

A blog entry from Microsoft is here, with further commentary available from McAfee, Sophos and Symantec.
