CERT: New Rinbot Variant Attempting to Exploit Microsoft Windows DNS RPC Vulnerability
US-CERT is aware of a new variant of the Rinbot worm that is currently scanning for port 1025/tcp and attempting to exploit the recent buffer overflow vulnerability in the Microsoft Windows DNS service RPC management interface. Like other variants of Rinbot, this variant is an Internet Relay Chat (IRC) controlled backdoor that may provide an attacker unauthorized remote access to a compromised machine.
W32/Nirbot.worm!RpcDns is an Internet Relay Chat (IRC) controlled backdoor that provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack against Internet systems. This variant of W32/Nirbot.worm.gen will also try to exploit the Microsoft DNS Server Service RPC vulnerability on DNS servers.
This worm may be dropped on a system by other malware or downloaded unknowingly by a user visiting malicious Web sites. It may also arrive via network shares, and it spreads across networks by exploiting the vulnerability in RPC on Windows DNS Server.
The worm opens a random port and waits for a connection from its shellcode. The worm scans the network for computers vulnerable to the following vulnerabilities and exploits them:
* The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
* The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
* Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967
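The three target ports listed above give a defender something concrete to look for. The following script is an added illustration, not part of the advisory or of any vendor tooling: it reads constructed firewall log lines in a hypothetical "key=value" format and flags any internal host that connects to many distinct destinations on tcp/1025, tcp/139 or tcp/2967 within a short window. The fan-out is the signal: a single connection to port 1025 is unremarkable (in that era it was also a common dynamic RPC endpoint port), whereas one host touching a run of neighbours on the same worm port within seconds is the scanning pattern described in the text. The log format, sample lines, window length and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports this Rinbot variant probes, taken from the advisory text.
WORM_TARGET_PORTS = {
    1025: "Windows DNS Server RPC interface (BID 23470)",
    139: "Windows Server Service (BID 19409)",
    2967: "Symantec Client Security / AntiVirus (BID 18107)",
}

# Constructed sample log in a hypothetical firewall format (not a real product's output).
# 10.0.5.17 sweeps six neighbours on tcp/1025 in seconds (worm-like), probes three on
# tcp/139 (below threshold), 10.0.5.40 talks to one host on 1025 (ordinary RPC use),
# and 10.0.5.99 reaches five hosts on 2967 spread over 40 minutes (too slow to flag).
SAMPLE_LOG = """\
2007-04-20T10:00:01 src=10.0.5.17 dst=10.0.5.20 dport=1025 proto=tcp action=deny
2007-04-20T10:00:02 src=10.0.5.17 dst=10.0.5.21 dport=1025 proto=tcp action=deny
2007-04-20T10:00:02 src=10.0.5.17 dst=10.0.5.22 dport=1025 proto=tcp action=allow
2007-04-20T10:00:03 src=10.0.5.17 dst=10.0.5.23 dport=1025 proto=tcp action=deny
2007-04-20T10:00:04 src=10.0.5.17 dst=10.0.5.24 dport=1025 proto=tcp action=deny
2007-04-20T10:00:05 src=10.0.5.17 dst=10.0.5.25 dport=1025 proto=tcp action=deny
2007-04-20T10:00:06 src=10.0.5.17 dst=10.0.5.20 dport=1025 proto=tcp action=deny
2007-04-20T10:00:07 src=10.0.5.17 dst=10.0.5.30 dport=139 proto=tcp action=deny
2007-04-20T10:00:08 src=10.0.5.17 dst=10.0.5.31 dport=139 proto=tcp action=deny
2007-04-20T10:00:09 src=10.0.5.17 dst=10.0.5.32 dport=139 proto=tcp action=deny
2007-04-20T10:00:10 src=10.0.5.17 dst=192.0.2.10 dport=80 proto=tcp action=allow
2007-04-20T10:01:00 src=10.0.5.40 dst=10.0.5.20 dport=1025 proto=tcp action=allow
2007-04-20T10:02:00 src=10.0.5.40 dst=10.0.5.20 dport=1025 proto=tcp action=allow
2007-04-20T10:00:00 src=10.0.5.99 dst=10.0.6.1 dport=2967 proto=tcp action=allow
2007-04-20T10:10:00 src=10.0.5.99 dst=10.0.6.2 dport=2967 proto=tcp action=allow
2007-04-20T10:20:00 src=10.0.5.99 dst=10.0.6.3 dport=2967 proto=tcp action=allow
2007-04-20T10:30:00 src=10.0.5.99 dst=10.0.6.4 dport=2967 proto=tcp action=allow
2007-04-20T10:40:00 src=10.0.5.99 dst=10.0.6.5 dport=2967 proto=tcp action=allow
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto").lower(),
    }


def find_scanners(lines, window_seconds=300, min_targets=5):
    """Flag sources that reach at least `min_targets` distinct hosts on one worm
    port inside any `window_seconds` interval (thresholds are example choices).
    Returns {src: {port: max_distinct_targets_in_a_window}} for flagged sources."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in WORM_TARGET_PORTS:
            continue
        events[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))

    flagged = defaultdict(dict)
    for (src, port), hits in events.items():
        hits.sort()  # chronological, so each hit can anchor a window over later hits
        best = 0
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src][port] = best
    return dict(flagged)


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        for port, n in ports.items():
            print(f"{src}: {n} distinct hosts on tcp/{port} ({WORM_TARGET_PORTS[port]})")
```

With the defaults only 10.0.5.17 is reported, on tcp/1025. Lowering `min_targets` or widening `window_seconds` changes what is flagged, which is the usual tuning trade-off: a tighter window suppresses ordinary RPC and NetBIOS chatter, a wider one catches slower sweeps at the cost of more follow-up work.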
MORE INFORMATION: Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution