April 17th, 2007

Botnet herders pounce on Windows DNS RPC flaw

Posted by Ryan Naraine @ 7:54 pm

Categories: Botnets, Browsers, Data theft, Exploit code, Hackers, Metasploit, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Spyware and Adware, Symantec, Uncategorized, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Attacker, IRC, Flaw, Microsoft Windows, RPC, Attack, Ryan Naraine

Online criminals have pounced on the unpatched Windows DNS Server service vulnerability, using the security hole to seed and replenish for-profit botnets.

The latest twist in the ongoing attacks comes less than a week after Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code.

Anti-virus researchers have detected signs of a variant of the talkative Nirbot Trojan squirming through the worm hole created by the vulnerability.

McAfee's analysis describes the latest Nirbot mutant as an IRC (Internet Relay Chat)-controlled backdoor that gives an attacker unauthorized remote access to the compromised computer.

An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems.

Microsoft has confirmed the worm-centric bot attack, noting that the Trojan opens and listens on TCP port 57660 to receive commands from remote attackers.

These commands could include instructions to initiate network scanning in search of other vulnerable computers.
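The post names two host-level indicators a defender can check for: a process listening on TCP port 57660, and an infected host fanning out connections to many peers while it scans for other vulnerable machines. The following Python is an added example written for this page, not code from the post, Microsoft or McAfee. The netstat-style lines and the flow records are constructed, and the "10 distinct peers within 60 seconds" scan threshold is an assumption, not a figure from the post.

```python
"""Added example (not from the ZDNet post, Microsoft or McAfee): check for the
two Nirbot indicators the post mentions, a TCP 57660 listener and scan-like
fan-out from one host. All input data below is constructed for illustration."""
from collections import Counter, defaultdict, deque

NIRBOT_PORT = 57660            # backdoor listener port named in the post
SCAN_FANOUT_THRESHOLD = 10     # assumption: this many distinct peers in one window is scan-like
SCAN_WINDOW_SECONDS = 60       # assumption: sliding window for the fan-out count

# Constructed sample in the column layout of `netstat -ano` on Windows.
# PID 2148 is the constructed "bot": it listens on 57660 and holds an IRC session.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:57660          0.0.0.0:0              LISTENING       2148
  TCP    192.0.2.10:1034        198.51.100.7:6667      ESTABLISHED     2148
  UDP    0.0.0.0:53             *:*                                    1212
"""


def parse_netstat(text):
    """Parse netstat -ano style output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:            # TCP rows carry a State column
            proto, local, remote, state, pid = parts
        elif len(parts) == 4:          # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        if not pid.isdigit():          # the column header line has five words too
            continue
        laddr, _, lport = local.rpartition(":")
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows


def find_backdoor_listeners(rows, port=NIRBOT_PORT):
    """Map each PID listening on `port` (TCP) to the remote endpoints it also talks to."""
    listeners = {r["pid"] for r in rows
                 if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] == port}
    report = {pid: [] for pid in listeners}
    for r in rows:
        if r["pid"] in listeners and r["state"] == "ESTABLISHED":
            report[r["pid"]].append(r["remote"])   # e.g. the IRC command channel
    return report


# Constructed flow records (timestamp_seconds, src_ip, dst_ip):
#  - 192.0.2.10 touches 12 hosts in 12 seconds (scan-like)
#  - 192.0.2.11 touches 3 hosts (normal)
#  - 192.0.2.12 touches 12 hosts but two minutes apart (slow; outside one window)
SAMPLE_FLOWS = (
    [(i, "192.0.2.10", f"192.0.2.{20 + i}") for i in range(12)]
    + [(5, "192.0.2.11", "192.0.2.53"), (6, "192.0.2.11", "192.0.2.54"), (7, "192.0.2.11", "192.0.2.55")]
    + [(i * 120, "192.0.2.12", f"192.0.2.{40 + i}") for i in range(12)]
)


def find_scanners(flows, threshold=SCAN_FANOUT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Return {src: peak_distinct_peers} for sources reaching `threshold` distinct
    destinations inside any `window`-second span (sliding window per source)."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()           # (ts, dst) pairs inside the current window
        counts = Counter()         # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            counts[dst] += 1
            while recent and recent[0][0] < ts - window:   # expire old events
                _, old_dst = recent.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print("57660 listeners:", find_backdoor_listeners(parse_netstat(SAMPLE_NETSTAT)))
    print("scan-like sources:", find_scanners(SAMPLE_FLOWS))
```

On a real host the netstat text would come from running the command and the flows from a firewall or NetFlow export; the sliding window matters because a slow, spread-out sweep should not be confused with the burst scanning the post describes, and the threshold should be tuned to the network's normal fan-out.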

According to data from Arbor's ATLAS threat monitoring portal, the bulk of the attacks are coming from the U.S., China, India and Korea.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



Talkback (most recent of 129)

no way to block port
In Linux there is a utility called iptables. It can be used to block ports. I do not know of a similar feature in Windows. If Windows has such a feature I could block the port.... (Read the rest)
Posted by: clareJ, 05/03/07
