Botnet herders pounce on Windows DNS RPC flaw


Online criminals have pounced on the unpatched Windows DNS Server service vulnerability, using the security hole to seed and replenish for-profit botnets.

The latest twist in the ongoing attacks comes less than a week after Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code.

Anti-virus researchers have detected a variant of the talkative Nirbot Trojan spreading through the hole opened by the vulnerability.

McAfee's analysis describes the latest Nirbot mutant as an IRC (internet relay chat) controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer.

An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack against Internet systems.

Microsoft has confirmed the worm-centric bot attack, noting that the Trojan opens and listens on TCP port 57660 to receive commands from remote attackers.

These commands could include instructions to initiate network scanning in search of other vulnerable computers.

According to data from Arbor's ATLAS threat monitoring portal, the bulk of the attacks are coming from the U.S., China, India and Korea.


Talkback

129 comments
  • You keep incorrectly blaming the advisories for the attacks

    "The latest twist in the ongoing attacks comes less than a week after Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code."

    You keep incorrectly blaming the advisories for the attacks when in fact the attacks were happening before the advisory even went out. The advisories were in response to the attacks and NOT the other way around! The advisory at least gave people a chance to stop the attacks if they wanted to.
    georgeou
    • Blame

      Computer users don't rise to the lofty threshold where blame gets assigned. For the user, infighting between security experts looks dysfunctional. If you folks are trying to allay the fear that the security gig is codependent, you're failing. Users live with consequences, not blame. The last straw for users won't require blame to be assigned, it won't even require the much maligned switch of platforms. It will be a return to pencil and paper. A retreat from what has been accomplished with these networks, will be a huge shame.
      Harry Bardal
      • typical harry bardal

        Tight, coherent, and cogent.

        Oh, I suppose I should add "incisive and accurate."

        Everything *good* IT Analysis *should* be [and most everything ZD Net usually is *not*].
        brian ansorge
        • I agree completely! (NT)

          -
          Mikael_z
    • Sigh

      You keep incorrectly reading what I'm writing.

      _r
      Ryan Naraine
      • Ummm...

        "Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code."

        I'm assuming this is yours? If so, it seems pretty clear cut that George's opinion is on solid ground (for once).
        ejhonda
        • Read it in context, Ryan is correct...

          Read it in context, Ryan is correct in his original statement.

          [i][b]The latest twist in the ongoing attacks comes less than a week after[/b] Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code.[/i]

          Hence, this is taking place [i]after[/i] the release of the pre-patch advisory as also discussed in the links provided to McAfee.
          olePigeon
          • Nirbot attackers are using the public exploit code

            Even more, the Nirbot attackers are using the exploit code written by Winny Thomas (http://www.milw0rm.com/exploits/3737), which was posted to Milw0rm on April 15. Microsoft's advisory was April 12.

            Now, the obvious question: Did Winny Thomas use info from Microsoft's advisory to write his exploit?

            _r
            Ryan Naraine
      • Ryan he's just jealous because you took his limelight .

        If anything I approve your unbiased approach. Whether it be with Windows, Mac or Linux. Enough said. George it's time for you to move out. I guess my complaint was heard by ZDNET, why don't you just move on Zealot, umm I mean George.
        Intellihence
        • Be careful Zeal...um Leopard

          Be careful there oh "...Leopard boy" (and I do mean boy), calling George a zealot and you have Leopard in your call...you've got 3 fingers pointing back at yourself.
          ItsTheBottomLine
          • Doesn't make what he said less true (or what you said) ;) [nt]

            [nt]
            olePigeon
          • Try keeping all your fingers on the keyboard .

            That way you can spell better. Hmmm, makes me wonder if that's how the MS coders do it.
            Intellihence
          • Too bad this site didn't have

            an age requirement. Or at least an IQ requirement. Anything below 12 and you'd fail in both cases.
            xuniL_z
      • George should mind his own faults

        [i]You will need to reboot the server using this option[/i]
        http://blogs.zdnet.com/Ou/?p=472

        Referring to the registry file that you linked to.

        Shouldn't that be?
        You will need to stop and restart your DNS service using this option
        dragosani
      • I did read it and that's the problem

        I did read it and that's the problem. You keep saying Microsoft tipped off the bad guys on how to write this exploit and that's just BLATANTLY wrong.
        georgeou
        • Clues, George, clues

          The advisory provided clues to find the flaw. Then came the exploits. Then the Nirbot attacks. 1-2-3, etc.

          _ryan
          Ryan Naraine
          • Exploits came BEFORE advisory

            You're mixing up the time line here and your insinuations that Microsoft's advisories are to blame are just plain wrong. The mere fact that some exploits came after the advisory doesn't mean that they were a result of the advisory. It was already proven that exploits were in the wild before the advisory was issued. You keep reaching for an outrageous and sensational headline.
            georgeou
          • Sorry George I disagree

            First there were attacks. Then Microsoft provided an advisory. After that we have evidence that hackers may have used this information to pinpoint the vulnerability and exploit it. Here is part of the evidence:
            "Errata Security researcher David Maynor said he was able to pinpoint the source of the vulnerability without much trouble."

            That proves Ryan's point. Now, even Microsoft themselves don't argue like you. Check out what they say

            MSRC director Mark Miller said the company's priority is to provide a solid workaround that could help protect Windows users from exploitation.

            "Whenever we publish an advisory or bulletin, we run into the reverse-engineering factor. When we release the information, people start to look at defective code, components and surrounding areas."

            Even they acknowledge that some of their actions may aid the enemy. Which in this case may well have been.
            goxk@...
  • Windows is a plague on us all

    [b]the bulk of the attacks are coming from the U.S., China, India and Korea.[/b]

    Even when not running Windows you're still subject to the network scans, junk traffic, spam, and DoS attacks stemming from legions of infected Windows machines. And not from some third world country where they're probably running bootleg copies. No, no. The leading source of this junk traffic is right here in the good ol' USA.

    It reminds me of the early days of the internet when the largely polite and professional atmosphere of the internet was suddenly deluged with thousands of ill-mannered AOL users. What a horror that was...still is.

    And then along comes Windows and the horror turns into an ongoing nightmare. And you think this is going to be all better with Vista? At least people have wised up enough that I don't hear anyone making that noise this time, like when XP was released. All those problems are over now, switch to XP. ROFL! SP2 will address the security issues. Riiiiiight. :)
    Chad_z
    • Yawn. Move along

      nothing to see here...

      :)
      John Zern