NOW READ THIS
("Security Advisory")

Go Back

---

Submitted by: Bill Hickey
NCVA List Master

NRT-0130 Botworms Exploit Windows DNS bug:

Security researches spotted botworms exploiting a zero-day bug in Microsoft Corp's Windows DNS Server Service, confirming suspicions earlier in the day that hackers were sniffing out vulnerable systems. McAfee's Avert Labs was the first to report that a new Nirbot variant - the worm also goes by the name Rinbot - was trying to exploit the DNS vulnerability in the wild. In a blog entry, McAfee's virus research manager said the botworm was an "internet relay chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer." Later, McAfee announced it had found a second Nirbot/Rinbot variant exploiting the bug. According to McAfee's analysis, the new Nirbot botworms scan for vulnerable servers, and then use multiple exploits, including the unpatched DNS flaw, in an attempt to hijack the machine. Symantec Corporation also warned of an extraordinary spike in scans for TCP and UDP Port 1025, the first available port used by Window's RPC (Remote Procedure Call) protocol. The bug in Windows 2000 Server and Windows Server 2003 that Microsoft disclosed last week can be exploited by sending a malicious RPC packet via Port 1025 or higher. Later, Symantec confirmed that the source of the increased Port 1025 activity was the Nirbot/Rinbot, and like McAfee, posted an initial analysis of the worm.

(ComputerWorld 17APR07)

Last Modified: Friday, 20-Apr-2007 19:42:33 EDT