The DNS worm appeared on the Internet Monday, a few days after several different exploits for the vulnerability began circulating.
Microsoft issued an advisory about the isolated attacks Monday, but the appearance of the worm ups the ante and may put more pressure on Microsoft to release a patch for the flaw, which is in the server's Remote Procedure Call (RPC) implementation, outside of its monthly cycle. Company officials said they are monitoring the attacks and working "around the clock" on a patch for the problem.
The new worm, which Symantec Corp. is calling Rinbot.BC, scans for servers listening on TCP port 1025. When it finds a partner, it attempts to execute a specific kind of DNS query on the machine and exploit the DNS RPC flaw. If it's successful, Rinbot.BC then installs a copy of itself on the compromised machine and contacts a remote IRC server and joins a chat channel and awaits further instructions. The bot then begins scanning for other servers listening on port 1025 and begins the process all over again.
The DNS worm also can spread by exploiting two other vulnerabilities, one in Symantec's Client Security and another in the Windows Server Service, Symantec officials said.
The flaw in the Windows DNS Server Service first cam to light last week, and although Microsoft, of Redmond, Wash., has issued a security advisory about the problem and said it is working on a patch, it's unclear whether the company would release the fix before its next scheduled patch date, which is May 8.
The vulnerability is particularly troublesome because it affects DNS servers, which do the work of resolving domain names to the actual IP addresses of the Web servers hosting the requested sites. DNS servers have proved to be popular targets for attackers in the past, but security experts are cautioning that the Rinbot.BC worm appears to be a low-level threat at this point.
Microsoft has advised customers to implement one of the workarounds it suggests in its advisory on the DNS RPC vulnerability.