Posted by Virus Bulletin on Apr 18, 2007
Zero-day vulnerability quickly used to transmit attacks.
The zero-day vulnerability in Microsoft's DNS server service, reported last week just after the release of the monthly 'Patch Tuesday' security updates, has been rapidly incorporated into at least two variants of a worm which is spreading in the wild via the flaw.
Exploits began to emerge, and were made publicly available, within days of the vulnerability being unveiled, amid suggestions that the vulnerability had been 'saved up' until after the Patch Tuesday release to give attackers the maximum possible window of opportunity to make use of the flaw before a fix is likely to be released.
The worms, variants of Rinbot/Nirbot/Dolebot, use maliciously crafted RPC packets to exploit the vulnerability and gain access to vulnerable machines, adding them to a network of zombies used for spreading the infection further and for other nefarious purposes. Several sources have reported increased activity on port 1025, used by the worm, as infected machines probe for more vulnerable victims. Server admins are advised to block access to this port if possible, or to apply one of the several other workarounds recommended by Microsoft in its original advisory.
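One way to spot the probing behaviour described above, as an added example that is not from the article, Virus Bulletin or Microsoft: a small Python script that reads constructed connection-log lines and flags sources that sweep many distinct hosts on port 1025 (the log format, the sample data and the fan-out threshold are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample connection log (not from the article): "time src dst dport".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.1.10 1025
10:00:01 10.0.0.5 10.0.1.11 1025
10:00:02 10.0.0.5 10.0.1.12 1025
10:00:02 10.0.0.5 10.0.1.13 1025
10:00:03 10.0.0.5 10.0.1.14 1025
10:00:03 10.0.0.5 10.0.1.15 1025
10:00:04 10.0.0.7 10.0.1.10 1025
10:00:05 10.0.0.9 10.0.1.10 445
10:00:06 10.0.0.9 10.0.1.11 1025
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, src, dst, dport = m.groups()
            yield src, dst, int(dport)


def port_fanout(text, port=1025):
    """Map each source IP to the set of distinct hosts it contacted on `port`."""
    targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == port:
            targets[src].add(dst)
    return targets


def flag_scanners(text, port=1025, threshold=5):
    """Return (src, hosts_contacted) for sources that touched at least
    `threshold` distinct hosts on `port`, highest fan-out first.
    A single connection to 1025 is ordinary RPC traffic; the sweep across
    many hosts is the signal worth alerting on."""
    fanout = port_fanout(text, port)
    hits = [(src, len(d)) for src, d in fanout.items() if len(d) >= threshold]
    return sorted(hits, key=lambda x: -x[1])


if __name__ == "__main__":
    for src, n in flag_scanners(SAMPLE_LOG):
        print(f"{src} probed {n} hosts on tcp/1025")
```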
'As this vulnerability only affects server platforms, usually managed by more experienced administrators, one would hope that these worms will only have limited impact,' said John Hawes, Technical Consultant at Virus Bulletin. 'However, it is a clear demonstration of the speed with which malware writers can take advantage of new attack vectors, and a reminder of the need to keep a close eye on security news and to maintain a tight approach to security, combining quality security software with a rigorous system of patching and blocking new vulnerabilities.'
Microsoft has published a blog entry on the issue, with further commentary available from McAfee, Sophos and Symantec.