Botnet herders pounce on Windows DNS RPC flaw
Summary: Online criminals have pounced on the unpatched Windows DNS Server service vulnerability, using the security hole to seed and replenish for-profit botnets. The latest twist in the ongoing attacks comes less than a week after Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code.
Anti-virus researchers have detected signs of a variant of the talkative Nirbot Trojan squirming through the worm hole created by the vulnerability.
McAfee's analysis describes the latest Nirbot mutant as an IRC (Internet Relay Chat)-controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer.
An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems.
Microsoft has confirmed the worm-centric bot attack, noting that the Trojan opens and listens on TCP port 57660 to receive commands from remote attackers.
These commands could include instructions to initiate network scanning in search of other vulnerable computers.
According to data from Arbor's ATLAS threat monitoring portal, the bulk of the attacks are coming from the U.S., China, India and Korea.
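The two concrete indicators in the report are the backdoor's listening port (TCP 57660, per Microsoft's description) and the follow-on network scanning for other hosts. The script below is an added illustration, not code from ZDNet, Microsoft or McAfee, of how a defender could check for both: it parses constructed `netstat`-style output for a listener on that port and flags any source in constructed firewall logs that touches an unusually large number of distinct peers. The log formats, sample addresses, PIDs and the scanning threshold are all assumptions made for the example.

```python
"""Defender-side checks for the indicators described above.

Port 57660 is the backdoor port stated in the article; the scanning
threshold and every log line here are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample resembling `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:57660          0.0.0.0:0              LISTENING       1724
  TCP    10.0.0.5:49153         10.0.0.9:53            ESTABLISHED     1160
"""

# Constructed sample of outbound connection records ("src -> dst").
FIREWALL_SAMPLE = """\
10.0.0.5 -> 10.0.0.9
10.0.0.7 -> 10.0.0.21
10.0.0.7 -> 10.0.0.22
10.0.0.7 -> 10.0.0.23
10.0.0.7 -> 10.0.0.24
10.0.0.7 -> 10.0.0.25
10.0.0.7 -> 10.0.0.26
10.0.0.8 -> 10.0.0.9
"""

NIRBOT_PORT = 57660        # listening port reported for the Nirbot variant
SCAN_PEER_THRESHOLD = 5    # assumption: this many distinct peers from one source looks like a sweep

# Matches a LISTENING TCP socket: local address, local port, owning PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
FW_RE = re.compile(r"^(\S+) -> (\S+)$")


def find_backdoor_listeners(netstat_text, port=NIRBOT_PORT):
    """Return (local_address, pid) for every TCP socket listening on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits


def find_scanners(fw_text, threshold=SCAN_PEER_THRESHOLD):
    """Return {source: distinct_peer_count} for sources reaching >= threshold distinct hosts."""
    peers = defaultdict(set)
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            peers[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("listeners on 57660:", find_backdoor_listeners(NETSTAT_SAMPLE))
    print("suspected scanners:", find_scanners(FIREWALL_SAMPLE))
```

A listener on the port alone is only a lead; the PID returned lets an analyst go on to identify the owning process, and the peer-count heuristic should be tuned against what is normal for the host role (a DNS server legitimately talks to many clients) before it is used for alerting.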
Talkback
You keep incorrectly blaming the advisories for the attacks
You keep incorrectly blaming the advisories for the attacks when in fact the attacks were happening before the advisory even went out. The advisories were in response to the attacks and NOT the other way around! The advisory at least gave people a chance to stop the attacks if they wanted to.
Blame
user, infighting between security experts looks dysfunctional. If you folks are trying to allay the fear that the security gig is codependent, you're failing. Users live with consequences, not blame. The last straw for users won't require blame to be assigned, it won't even require the much maligned switch of platforms. It will be a return to pencil and paper. A retreat from what has been accomplished with these networks, will be a huge shame.
typical harry bardal
Oh, I suppose I should add "incisive and accurate."
Everything *good* IT Analysis *should* be [and most everything ZD Net usually is *not*].
I agree completely! (NT)
Sigh
_r
Ummm...
I'm assuming this is yours? If so, it seems pretty clear cut that George's opinion is on solid ground (for once).
Read it in context, Ryan is correct...
[i][b]The latest twist in the ongoing attacks comes less than a week after[/b] Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code.[/i]
Hence, this is taking place [i]after[/i] the release of the pre-patch advisory as also discussed in the links provided to McAfee.
Nirbot attackers are using the public exploit code
Now, the obvious question: Did Winny Thomas use info from Microsoft's advisory to write his exploit?
_r
Ryan, he's just jealous because you took his limelight.
Be careful Zeal...um Leapord
Doesn't make what he said less true (or what you said) ;) [nt]
Try keeping all your fingers on the keyboard.
Too bad this site didn't have
George should mind his own faults
http://blogs.zdnet.com/Ou/?p=472
Referring to the registry file that you linked to.
Shouldn't that be?
You will need to stop and restart your DNS service using this option
I did read it and that's the problem
Clues, George, clues
_ryan
Exploits came BEFORE advisory
Sorry George I disagree
"Errata Security researcher David Maynor said he was able to pinpoint the source of the vulnerability without much trouble."
That proves Ryan's point. Now, even Microsoft themselves don't argue like you. Check out what they say
MSRC director Mark Miller said the company's priority is to provide a solid workaround that could help protect Windows users from exploitation.
"Whenever we publish an advisory or bulletin, we run into the reverse-engineering factor. When we release the information, people start to look at defective code, components and surrounding areas."
Even they acknowledge that some of their actions may aid the enemy. Which in this case may well have been.
Windows is a plague on us all
Even when not running Windows you're still subject to the network scans, junk traffic, spam, and DoS attacks stemming from legions of infected Windows machines. And not from some third world country where they're probably running bootleg copies. No, no. The leading source of this junk traffic is right here in the good 'ol USA.
It reminds me of the early days of the internet when the largely polite and professional atmosphere of the internet was suddenly deluged with thousands of ill-mannered AOL users. What a horror that was...still is.
And then along comes Windows and the horror turns into an ongoing nightmare. And you think this is going to be all better with Vista? At least people have wised up enough that I don't hear anyone making that noise this time, like when XP was released. All those problems are over now, switch to XP. ROFL! SP2 will address the security issues. Riiiiiight. :)
Yawn. Move along
:)