Worm Circulating For Windows DNS Vulnerability
Microsoft issued an advisory last week for the Windows DNS flaw, which exists in the Remote Procedure Call (RPC) interface of the Windows Domain Name System (DNS) Server Service.
The Rinbot worm, also known as Nirbot, opens an Internet relay chat (IRC) controlled backdoor that attackers can use to remotely access a compromised PC and commandeer it to send spam, distribute malicious code or launch denial-of-service attacks.
Attackers have added the Windows DNS exploit code into a botnet of about 5,000 machines, said Jose Nazario, senior software and security engineer at Arbor Networks, Lexington, Mass.
"These machines are scanning the Internet pretty broadly, which gives them a sizable launch base to conduct their attacks from. Many of the IRC servers they are using are well-known and have been tracked for a while," Nazario said.
Arbor Networks has been observing "a huge uptick in activity" on TCP port 1025, but the fact that the traffic is limited to a single port suggests that the attackers are carrying out their efforts in a less-than-ideal way, Nazario said.
"They took the public exploit code, but instead of attacking the service where it actually lives, they're attacking a single port," Nazario said.
Shunichi Imano, an engineer with Symantec's Security Response team, has also been seeing a spike in activity over TCP port 1025 as a result of the worm scanning for vulnerable PCs. The worm, which Symantec calls W32.Rinbot.BC, opens a backdoor that connects to the x.rofflewaffles.us domain and appears to be designed for building a botnet, according to a Tuesday blog post by Imano.
"We have observed that the time taken from exploit code being made public to being integrated into malware that appears in the wild is becoming shorter and shorter," Imano wrote.
The DNS exploit doesn't appear to be getting much traction at the moment, but it has the potential to grow more severe, according to Nazario. For example, DNS systems can sometimes straddle internal and external networks, which could provide a vector for an attack to jump past the firewall into the enterprise, he noted.
DNS also provides a "very clean and efficient way" for an attacker to target a large number of clients all at once, Nazario said.
"If the [Rinbot/Nirbot] guys recognize that they have a number of DNS servers under their control, they could alter the records on their machines to create fake Web sites that could distribute the exploit to visitors through Web browsers," he said. "This could be a very easy way to affect a lot of machines."