While crackers continue to attack the unpatched vulnerability in
Microsoft Corp.'s DNS Server Service, a new worm also is
exploiting the flaw. The new DNS worm is a variant of the Rinbot
worm, which installs an IRC bot on infected machines and goes about
the business of scanning for other vulnerable servers.
The DNS worm appeared on the Internet Monday, a few days after
several different exploits for the vulnerability began
circulating.
Microsoft issued an advisory about the isolated attacks Monday,
but the appearance of the worm ups the ante and may put more
pressure on Microsoft to release a patch for the flaw outside of
its monthly cycle. The flaw is in the server's Remote Procedure
Call (RPC) implementation. Company officials said they are
monitoring the attacks and working "around the clock" on a patch
for the problem.
The new worm, which Symantec Corp. is calling Rinbot.BC, scans
for servers listening on TCP port 1025. When it finds such a server,
it attempts to execute a specific kind of DNS query on the machine
and exploit the DNS RPC flaw. If it's successful, Rinbot.BC
installs a copy of itself on the compromised machine, contacts a
remote IRC server, joins a chat channel and awaits further
instructions. The bot then begins scanning for other servers
listening on port 1025, and the process starts all over again.
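
For defenders, the scan-then-rescan behavior described above can be looked for in flow logs. The following is an added example, not part of the original article or any vendor tooling: it flags sources that probe many distinct hosts on TCP port 1025 and links hosts that were probed and later began probing themselves. The log format, the threshold and all addresses are constructed assumptions.

```python
from collections import defaultdict

RPC_PORT = 1025        # port the article says Rinbot.BC scans for
FANOUT_THRESHOLD = 3   # assumption: distinct targets before a source counts as a scanner

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
100 203.0.113.9 10.0.0.1 1025
101 203.0.113.9 10.0.0.2 1025
102 203.0.113.9 10.0.0.3 1025
103 203.0.113.9 10.0.0.4 1025
150 10.0.0.50 10.0.0.1 1025
160 10.0.0.50 10.0.0.2 53
garbage line that should be skipped
200 10.0.0.3 10.0.1.1 1025
201 10.0.0.3 10.0.1.2 1025
202 10.0.0.3 10.0.1.3 1025
"""

def parse_flows(text):
    """Return sorted (ts, src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return sorted(flows)

def find_scanners(flows, port=RPC_PORT, threshold=FANOUT_THRESHOLD):
    """Map each source that probed >= threshold distinct hosts on port to its first probe time."""
    targets, first_probe = defaultdict(set), {}
    for ts, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
            first_probe.setdefault(src, ts)
    return {s: first_probe[s] for s, d in targets.items() if len(d) >= threshold}

def find_propagation(flows, port=RPC_PORT, threshold=FANOUT_THRESHOLD):
    """Return (scanner, victim) pairs where the victim was probed first and later began scanning."""
    scanners = find_scanners(flows, port, threshold)
    return sorted({(src, dst) for ts, src, dst, dport in flows
                   if dport == port and src in scanners
                   and dst in scanners and ts < scanners[dst]})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", find_scanners(flows))
    print("propagation:", find_propagation(flows))
```

A single connection to port 1025, like the one from 10.0.0.50 in the sample, stays below the threshold and is not flagged.
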
The DNS worm also can spread by exploiting two other
vulnerabilities, one in Symantec's Client Security and another in
the Windows Server Service, Symantec officials said.
The flaw in the Windows DNS Server Service first came to light
last week, and although Microsoft, of Redmond, Wash., has issued a
security advisory about the problem and said it is working on a
patch, it's unclear whether the company would release the fix
before its next scheduled patch date, which is May 8.
The vulnerability is particularly troublesome because it affects
DNS servers, which do the work of resolving domain names to the
actual IP addresses of the Web servers hosting the requested sites.
DNS servers have proved to be popular targets for attackers in the
past, but security experts are cautioning that the Rinbot.BC worm
appears to be a low-level threat at this point.
Microsoft has advised customers to implement one of the
workarounds it suggests in its advisory on the
DNS RPC vulnerability.