
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

New Rinbot variant - IRC worm exploits unpatched DNS RPC vulnerability

While this new variant is not widespread, it targets a vulnerability for which no patch is yet available, so protection has to be layered until Microsoft releases an update: keep AV signatures current (all four vendors quoted below already detect this variant), be careful with website visitation since the worm is also dropped by other malware and downloaded from malicious sites, and on DNS servers apply the workarounds in Microsoft Security Advisory 935964 (disable remote RPC management of the DNS Server service through the RpcProtocol registry value, and block inbound TCP 1024-5000 at the perimeter firewall). Only Windows servers running the DNS Server service are exposed to the RPC flaw itself; the worm's other propagation methods still apply to any Windows host on the network.


CERT: New Rinbot Variant Attempting to Exploit Microsoft Windows DNS RPC Vulnerability
http://www.us-cert.gov/current/current_activity.html#rinbot

QUOTE: US-CERT is aware of a new variant of the Rinbot worm that is currently scanning for port 1025/tcp and attempting to exploit the recent buffer overflow vulnerability in the Microsoft Windows DNS service RPC management interface. Like other variants of Rinbot, this variant is an Internet Relay Chat controlled backdoor that may provide an attacker unauthorized remote access to a compromised machine.


McAfee: W32/Nirbot.worm!RpcDns
http://vil.mcafeesecurity.com/vil/content/v_142027.htm

QUOTE: W32/Nirbot.worm!RpcDns is an internet relay chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems. This variant of the W32/Nirbot.worm.gen will also try to exploit the Microsoft DNS Server Service RPC vulnerability on DNS Server.


Trend: VANBOT.GC
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FVANBOT%2EGC

QUOTE: This worm may be dropped on a system by other malware or downloaded unknowingly by a user when visiting malicious Web sites. It may also arrive via network shares. This worm also spreads by taking advantage of the Vulnerability in RPC on Windows DNS Server to propagate across networks.


Symantec: W32.Rinbot.BC
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-041701-3720-99

QUOTE: The worm opens a random port and waits for a connection from shell code. The worm scans the network for computers vulnerable to the following vulnerabilities and exploits them:

* The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
* The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
* Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967
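The port list above is what a SOC can watch for while the DNS RPC flaw is unpatched: an infected host sweeps many neighbours on TCP 1025, 139 and 2967 in quick succession. The script below is an added example (not code from the original post or from any of the vendor write-ups) that reads connection records in a constructed, hypothetical "timestamp src dst dport proto" format and flags any source that reaches many distinct hosts on one of those three ports inside a short window. The sample log, the DISTINCT_TARGETS threshold and the 60-second WINDOW are assumptions chosen for the demonstration.

```python
"""Flag hosts sweeping the ports the Rinbot/Nirbot variant scans.

Added example, not the blog's or any vendor's code. The log format,
the thresholds and the sample records below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the Symantec write-up for W32.Rinbot.BC, with the
# vulnerability each one is probed for.
WORM_PORTS = {
    1025: "Microsoft DNS Server RPC (BID 23470)",
    139: "Windows Server service (BID 19409)",
    2967: "Symantec Client Security / AntiVirus (BID 18107)",
}

# Assumed thresholds: a source that connects to this many distinct hosts
# on one worm port within WINDOW is treated as a scanner.
DISTINCT_TARGETS = 5
WINDOW = timedelta(seconds=60)

# Constructed flow records (hypothetical format): timestamp src dst dport proto.
SAMPLE_LOG = """\
# constructed flow records for the demo
2007-04-17T09:00:01 10.0.1.10 10.0.5.2 53 udp
2007-04-17T09:00:02 10.0.1.11 10.0.5.2 53 udp
2007-04-17T09:00:03 10.0.9.4 10.0.5.7 139 tcp
2007-04-17T09:00:10 10.0.5.23 10.0.5.1 1025 tcp
2007-04-17T09:00:11 10.0.5.23 10.0.5.2 1025 tcp
2007-04-17T09:00:12 10.0.5.23 10.0.5.3 1025 tcp
2007-04-17T09:00:13 10.0.5.23 10.0.5.4 1025 tcp
2007-04-17T09:00:14 10.0.5.23 10.0.5.5 1025 tcp
2007-04-17T09:00:15 10.0.5.23 10.0.5.6 1025 tcp
2007-04-17T09:00:20 10.0.9.4 10.0.5.7 139 tcp
2007-04-17T09:00:25 10.0.7.9 10.0.6.1 2967 tcp
2007-04-17T09:00:26 10.0.7.9 10.0.6.2 2967 tcp
2007-04-17T09:00:27 10.0.7.9 10.0.6.3 2967 tcp
2007-04-17T09:00:40 10.0.9.4 10.0.5.7 139 tcp
"""


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(dport), proto.lower()


def find_scanners(lines, threshold=DISTINCT_TARGETS, window=WINDOW):
    """Return {src: {port: [all distinct targets]}} for sources that hit
    at least `threshold` distinct hosts on one worm port within `window`."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_line(line)
        # Only TCP connections to the three ports the worm probes matter.
        if proto != "tcp" or dport not in WORM_PORTS:
            continue
        events[(src, dport)].append((ts, dst))

    hits = defaultdict(dict)
    for (src, port), conns in events.items():
        conns.sort()  # time order so the window can slide forward
        start = 0
        for end in range(len(conns)):
            # Drop connections that fall out of the window ending at `end`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {dst for _, dst in conns[start:end + 1]}
            if len(targets) >= threshold:
                # Report every host this source touched on the port, not
                # just the ones inside the triggering window.
                hits[src][port] = sorted({dst for _, dst in conns})
                break
    return dict(hits)


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        for port, targets in ports.items():
            print(f"{src} swept TCP {port} ({WORM_PORTS[port]}): {len(targets)} hosts")
            print("   " + ", ".join(targets))
```

On the sample data only 10.0.5.23 is reported: it reaches six hosts on TCP 1025 in six seconds, which is the DNS RPC probing US-CERT describes. The file-server client on 139 repeats the same destination and the host touching three targets on 2967 stays under the threshold, so neither is flagged; lowering the threshold in a quiet server segment is the usual tuning knob.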


MORE INFORMATION: Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx