May 23, 2007

Hackers Exploit Windows DNS Vulnerability

According to I.T. security firm Sophos, a worm is exploiting an unpatched zero-day vulnerability in the DNS services of several Windows operating systems.

Also known as Nirbot or Rinbot, the W32/Delbot-AI worm is taking advantage of a vulnerability in the way the Windows DNS Server's Remote Procedure Call (RPC) interface has been implemented. The hackers' worm has been able to exploit the flaw by sending a specially crafted RPC packet to vulnerable servers.

If the worm successfully infects a server, it allows hackers to gain control over the computer, giving them the ability to determine what it does and steal information from unsuspecting users. The worm also can exploit an old vulnerability present in Symantec's antivirus product line, which was patched a year ago.

Lying in Wait

Several security vendors have issued a workaround patch, but word from Microsoft on an official patch is sketchy.

"While we don't have a firm estimate on when we'll complete our development and testing of updates for this issue, we have teams around the world working on it 24 hours a day, and hope to have updates no later than May 8, 2007, for the May monthly bulletin release," Chris Budd, of the Microsoft Security Response Center, wrote in the corporate blog.

This flaw in Microsoft's code has only been known for a handful of days, and already there is a worm that is taking advantage of the problem in its attempt to infect as many computers as possible, noted Graham Cluley, senior technology consultant for Sophos.

"Time and time again hackers are forcing companies like Microsoft to scramble around to develop, test, and roll out a software patch," Cluley said in a statement. "Businesses should ensure that their computers are properly configured, and protected with up-to-date antivirus software, hardened firewalls, and patches."

A Watching Eye

The computer underground appears to be reveling in waiting until Microsoft has released its monthly batch of patches before unleashing its latest attacks, continued Cluley. "Microsoft will not be enjoying having the security of their software brought into question again," he concluded.

While the current worm exploits are unsophisticated, there is considerable danger that more sophisticated attacks could be in the works, according to Paul Zimski, PatchLink's director of product and market strategy. PatchLink, whose customers include KPMG, Wells Fargo, and Yahoo, has issued an emergency patch ahead of the official Microsoft fix.

"The DNS servers are a particularly high-value target because a hacker that 'owns' DNS servers can do a 'man in the middle' attack," Zimski said. "While this attack isn't going to hit every desktop, it is very serious."