Worms exploiting Windows DNS flaw

Posted by   Virus Bulletin on   Apr 18, 2007

Zero-day vulnerability quickly used to transmit attacks.

The zero-day vulnerability in Microsoft's DNS server service, reported last week just after the release of the monthly 'Patch Tuesday' security updates, has rapidly been incorporated into at least two variants of a worm that are spreading in the wild via the flaw.

Exploits emerged, and were made publicly available, within days of the vulnerability being disclosed, amid suggestions that it had been 'saved up' until after the Patch Tuesday release to give attackers the longest possible window in which to use the flaw before a fix was likely to be released.

The worms, variants of Rinbot/Nirbot/Dolebot, use maliciously crafted RPC packets to exploit the vulnerability and gain access to vulnerable machines, adding them to a network of zombies used for spreading the infection further and for other nefarious purposes. Several sources have reported increased activity on port 1025, used by the worm, as infected machines probe for more vulnerable victims; server admins are advised to block access to this port where possible, or to apply one of the other workarounds recommended by Microsoft in its original advisory.
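The increased port 1025 activity described above is the observable a defender can look for: an infected host contacting many distinct addresses on that port in a short time. The following script is an added example, not part of the Virus Bulletin article or any vendor's tool; it assumes a simplified, hypothetical firewall log format (`<timestamp> <src_ip> <dst_ip> <dst_port> <action>`) and a fan-out threshold chosen for illustration, and it runs over constructed sample lines embedded in the file.

```python
"""Flag hosts that contact many distinct peers on TCP port 1025, the port the
article reports as used by the worm to locate further vulnerable servers.

Constructed example (not from the Virus Bulletin article or any vendor tool).
Assumed, hypothetical log format, one record per line:
    <timestamp> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict

# Constructed sample log lines: 10.0.0.7 fans out to many hosts on port 1025
# (worm-like probing), while 10.0.0.3 makes a single ordinary connection.
SAMPLE_LOG = """\
2007-04-18T10:00:01 10.0.0.7 192.168.1.10 1025 ALLOW
2007-04-18T10:00:01 10.0.0.7 192.168.1.11 1025 ALLOW
2007-04-18T10:00:02 10.0.0.7 192.168.1.12 1025 DROP
2007-04-18T10:00:02 10.0.0.7 192.168.1.13 1025 DROP
2007-04-18T10:00:03 10.0.0.7 192.168.1.14 1025 DROP
2007-04-18T10:00:03 10.0.0.3 192.168.1.20 1025 ALLOW
2007-04-18T10:00:04 10.0.0.3 192.168.1.20 445 ALLOW
malformed line that should be skipped
"""

WORM_PORT = 1025  # port reported in the article as used by the worm


def parse_line(line):
    """Return (src, dst, port) for a well-formed record, or None for junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, port, _action = parts
    try:
        return src, dst, int(port)
    except ValueError:
        return None


def count_targets(log_text, port=WORM_PORT):
    """Map each source IP to the set of distinct destinations it contacted on `port`.

    Distinct destinations, not raw packet counts, are what distinguish a
    probing host from a busy legitimate client talking to one server.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines rather than abort the sweep
        src, dst, p = rec
        if p == port:
            targets[src].add(dst)
    return targets


def suspected_scanners(log_text, threshold=5, port=WORM_PORT):
    """Return a sorted list of (src_ip, distinct_target_count) at or above threshold.

    The threshold of 5 is an assumption for this example; tune it to the
    network's normal fan-out on the port before relying on it.
    """
    return sorted(
        (src, len(dsts))
        for src, dsts in count_targets(log_text, port).items()
        if len(dsts) >= threshold
    )


if __name__ == "__main__":
    for src, n in suspected_scanners(SAMPLE_LOG):
        print(f"{src} contacted {n} distinct hosts on tcp/{WORM_PORT}: possible worm probing")
```

Counting distinct destinations per source, rather than packets, keeps a single busy workstation from tripping the check while still catching the one-to-many pattern of a host sweeping a subnet; pairing this with the port block the article recommends gives both a detection and a containment measure.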

'As this vulnerability only affects server platforms, usually managed by more experienced administrators, one would hope that these worms will only have limited impact,' said John Hawes, Technical Consultant at Virus Bulletin. 'However, it is a clear demonstration of the speed with which malware writers can take advantage of new attack vectors, and a reminder of the need to keep a close eye on security news and to maintain a tight approach to security, combining quality security software with a rigorous system of patching and blocking new vulnerabilities.'

Microsoft has published a blog entry on the issue, with further commentary available from McAfee, Sophos and Symantec.
